-
It seems from the docs that blitz currently supports "top level" role-based authorisation. If I'm looking for more granular authorisation (for example, a post is viewable if the logged in user created it or it is marked as public) then I assume that this would be done at the query level? Are there currently any best practices for how these sorts of authorisation checks should be implemented? In the Session Management RFC it says:
So apologies if this question is a bit premature.
Replies: 2 comments 1 reply
-
Correct. Currently, the best practice is to perform authorisation checks at the query / mutation level.
For your example, you could use Prisma's AND / OR operators to perform a query à la "find a post with this ID, which is marked public or has the session's user as its creator". If nothing's found, that means there either isn't a post with that ID or the user isn't allowed to access it - which makes no difference for your use case :)
Blitz calls this "secure data, not pages".
-
Good question! We don't have an RFC on this, but we do have this discussion for tracking discussion around this. So feel free to add any ideas there. And there's a library in the works by @ntgussoni that will be one solution for this: https://twitter.com/ntgussoni/status/1315402484278583300 If you have any ideas
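The query-level check described in the first reply, as an added example that is not Blitz's or Prisma's own code: it builds the AND/OR `where` clause the reply describes and evaluates it against an in-memory stand-in for the database, so "no such post" and "not yours and not public" are indistinguishable to the caller. The `Post`, `PostWhere`, `findFirst` and `getPost` names and the sample rows are assumptions made for this illustration.

```typescript
// Added example (not Blitz's or Prisma's own code): the "secure data, not pages"
// pattern from the reply above. Post, PostWhere, findFirst, getPost and the
// sample rows are constructed for illustration.
type Post = { id: number; title: string; isPublic: boolean; authorId: number };

// Minimal shape of the Prisma-style `where` clause the reply describes:
// { id, OR: [{ isPublic: true }, { authorId: <session user> }] }
type PostWhere = {
  id: number;
  OR: Array<{ isPublic?: boolean; authorId?: number }>;
};

// Build the filter a query/mutation would hand to db.post.findFirst({ where }).
// userId is null for an anonymous session, so only the "public" branch applies.
export function visiblePostWhere(id: number, userId: number | null): PostWhere {
  const allowed: PostWhere["OR"] = [{ isPublic: true }];
  if (userId !== null) allowed.push({ authorId: userId });
  return { id, OR: allowed };
}

// In-memory stand-in for the database so the example runs offline. It applies
// the semantics Prisma gives this clause: top-level keys are ANDed, and at
// least one OR branch must match.
export function findFirst(posts: Post[], where: PostWhere): Post | null {
  const matches = (p: Post) =>
    p.id === where.id &&
    where.OR.some(
      (b) =>
        (b.isPublic === undefined || p.isPublic === b.isPublic) &&
        (b.authorId === undefined || p.authorId === b.authorId)
    );
  return posts.find(matches) ?? null;
}

// The query as a whole: the caller cannot tell "no such post" apart from
// "exists but you may not read it", which is the point the reply makes.
export function getPost(posts: Post[], id: number, userId: number | null): Post {
  const post = findFirst(posts, visiblePostWhere(id, userId));
  if (!post) throw new Error("NotFoundError");
  return post;
}

// Constructed sample rows.
export const SAMPLE_POSTS: Post[] = [
  { id: 1, title: "public note", isPublic: true, authorId: 10 },
  { id: 2, title: "alice's draft", isPublic: false, authorId: 10 },
  { id: 3, title: "bob's draft", isPublic: false, authorId: 20 },
];
```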