Can manage own? #149
-
|
Potentially dumb question: Is there a way to allow users to manage their own documents, but not others? So you could say can("read:own", "Note"), and then blitz-guard would check* that * It's not obvious how blitz-guard could do this, as it would have to be able to access the note object. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hey you are right. It's not clear at all, The guard receives the same args as the query/mutation. So you can do: or something along these lines. If you want to improve the documentation (and earn a hacktoberfest contribution) I'll check it and merge it. :) |
Beta Was this translation helpful? Give feedback.
-
|
Is this the rough shape of your suggested approach? export default resolver.pipe(
resolver.zod(GetNote),
resolver.authorize(),
// Guard.authorizePipe("read:own", "Note"), // Can't go here, because won't have access to note
async ({ id }, context) => {
const note = await db.note.findFirst({
where: { id },
})
if (!note) {
throw new NotFoundError()
}
if (!Guard.can("read:own", "Note", context, { document: note })) {
throw new NotFoundError()
}
return note
}
)With an ability file that looks like: function ownsDocument(ctx: Ctx) {
return async ({ document }: { document: HasUserId }) => {
return document.userId === ctx.session.userId
}
}
const Guard = GuardBuilder<ExtendedResourceTypes, ExtendedAbilityTypes>(
async (ctx, { can, cannot }) => {
// [...]
can("read:own", "note", ownsDocument(ctx))
// [...]
}
) |
Beta Was this translation helpful? Give feedback.
-
|
Ah, I see. You can just put the guard after the query part of the pipe. For future readers: export default resolver.pipe(
resolver.zod(GetNote),
resolver.authorize(),
async ({ id }, context) => {
const note = await db.note.findFirst({
where: { id },
})
if (!note) {
throw new NotFoundError()
}
return note
}
Guard.authorizePipe("read:own", "Note")
) |
Beta Was this translation helpful? Give feedback.
Hey you are right. It's not clear at all,
The guard receives the same args as the query/mutation.
https://ntgussoni.github.io/blitz-guard/docs/ability-file#can--cannot
So you can do:
can("read:own", "note", (args: TypeFromQueryOrMutation) => args.note.userId == ctx.user.id )or something along these lines.
If you want to improve the documentation (and earn a hacktoberfest contribution) I'll check it and merge it. :)