Put isAuthor in permissions middleware

I find it dirty to access the database in a middleware, i.e. I would like
to put all access on the database as close to the resolver as possible.
However, in this case that would mean to put the authorization check in
the resolver, where nobody expects it to be.

CC @appinteractive
This commit is contained in:
Robert Schäfer 2019-03-04 19:40:49 +01:00
parent b64ea75011
commit 180491c08c
2 changed files with 18 additions and 24 deletions


@ -25,6 +25,22 @@ const onlyEnabledContent = rule({ cache: 'strict' })(async (parent, args, ctx, i
return !(disabled || deleted) return !(disabled || deleted)
}) })
const isAuthor = rule({ cache: 'no_cache' })(async (parent, args, { user, driver }) => {
if (!user) return false
const session = driver.session()
const { id: postId } = args
const result = await session.run(`
MATCH (post:Post {id: $postId})<-[:WROTE]-(author)
RETURN author
`, { postId })
const [author] = result.records.map((record) => {
return record.get('author')
})
const { properties: { id: authorId } } = author
session.close()
return authorId === user.id
})
// Permissions // Permissions
const permissions = shield({ const permissions = shield({
Query: { Query: {
@ -34,6 +50,8 @@ const permissions = shield({
}, },
Mutation: { Mutation: {
CreatePost: isAuthenticated, CreatePost: isAuthenticated,
UpdatePost: isAuthor,
DeletePost: isAuthor,
report: isAuthenticated, report: isAuthenticated,
CreateBadge: isAdmin, CreateBadge: isAdmin,
UpdateBadge: isAdmin, UpdateBadge: isAdmin,
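Review bot: When no post matches the supplied id, `result.records` is empty, so `author` is undefined and the destructuring at `const { properties: { id: authorId } } = author` throws a TypeError, and `session.close()` is never reached because it only runs on the success path. An unknown or malformed id should deny with `false` like the missing-user case instead of surfacing as an exception (graphql-shield presumably masks it as a generic error, but the session is still leaked), and the close belongs in a `finally` so every exit path releases it. The same rule is attached to both UpdatePost and DeletePost in the second hunk, so both mutations are affected; the rule body is fully visible in the first hunk.
```javascript
const isAuthor = rule({ cache: 'no_cache' })(async (parent, args, { user, driver }) => {
  if (!user) return false
  const session = driver.session()
  const { id: postId } = args
  try {
    // … unchanged: session.run(MATCH … RETURN author, { postId }) …
    const [author] = result.records.map((record) => record.get('author'))
    // No such post (or no WROTE relation): deny rather than throw on undefined
    if (!author) return false
    return author.properties.id === user.id
  } finally {
    session.close()
  }
})
```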


@ -1,21 +1,5 @@
import { neo4jgraphql } from 'neo4j-graphql-js' import { neo4jgraphql } from 'neo4j-graphql-js'
const isAuthor = async (params, { user, driver }) => {
if (!user) return false
const session = driver.session()
const { id: postId } = params
const result = await session.run(`
MATCH (post:Post {id: $postId})<-[:WROTE]-(author)
RETURN author
`, { postId })
const [author] = result.records.map((record) => {
return record.get('author')
})
const { properties: { id: authorId } } = author
session.close()
return authorId === user.id
}
export default { export default {
Mutation: { Mutation: {
CreatePost: async (object, params, context, resolveInfo) => { CreatePost: async (object, params, context, resolveInfo) => {
@ -32,14 +16,6 @@ export default {
session.close() session.close()
return result return result
},
UpdatePost: async (object, params, context, resolveInfo) => {
if (!await isAuthor(params, context)) return Error('Not Authorised!')
return neo4jgraphql(object, params, context, resolveInfo, false)
},
DeletePost: async (object, params, context, resolveInfo) => {
if (!await isAuthor(params, context)) return Error('Not Authorised!')
return neo4jgraphql(object, params, context, resolveInfo, false)
} }
} }
} }