Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide parts of schema #365

Open
Sam-Kruglov opened this issue Apr 25, 2022 · 5 comments
Open

Hide parts of schema #365

Sam-Kruglov opened this issue Apr 25, 2022 · 5 comments
Labels
in: security Issues related to security type: enhancement A general enhancement
Milestone
1.x Backlog

Comments

@Sam-Kruglov
Copy link

Hi, just highlighting for consideration, I think it would be useful to hide certain parts (fields, types) of the schema based on authorization. There are some uses of it if you google "graphql hide fields". I personally haven't used this feature.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 25, 2022
@MiguelAngelLV
Copy link

You can create a SchemaMapping for the fields and return null / empty if the user don't have permission.

@rstoyanchev
Copy link
Contributor

rstoyanchev commented May 5, 2022
edited
Loading

Thanks for raising this. It seems quite related to #116 although it's not entirely clear whether the same directives would be used for this as well or whether hiding would have to be expressed differently. More generally if defining authorization should result in field errors or those errors simply being hidden. /cc @rwinch

It's also not clear to me what should be hidden? We have the schema printing endpoint that returns the full schema. There is GraphQL introspection that could be used. There are GraphQL responses as well. Anything else? I imagine any hiding mechanism should cover all of those or otherwise it's not really hiding it.

Any further details around the actual use case and needs would be helpful to hear and keep in mind. Some examples from real world APIs could also be worth checking (GitHub's comes to mind as having such a feature).

@rstoyanchev rstoyanchev added this to the 1.0 Backlog milestone May 5, 2022
@rstoyanchev rstoyanchev added type: enhancement A general enhancement in: security Issues related to security and removed status: waiting-for-triage An issue we've not yet triaged labels May 5, 2022
@Sam-Kruglov
Copy link
Author

Sam-Kruglov commented May 5, 2022
edited
Loading

I imagine the usecase is to have certain fields/types appear as if they don’t exist in the schema for the user who doesn’t have permission to see them. Must not disclose the permission requirements to the user.

@bclozel
Copy link
Member

bclozel commented May 5, 2022

It sounds like this should be enforced at the schema printing level and introspection level at least. When it comes to responses themselves, nulling out a field that's not marked as nullable in the schema will cause issues.

Back to the use case itself, it seems that this can be useful for:

GraphQL Java seems to support that through field visbility and other frameworks do too.

@bclozel bclozel modified the milestones: 1.2 Backlog, 1.x Backlog Jan 12, 2023
@Jamel-jun
Copy link

Are there any relevant conclusions available? It seems that this feature would be helpful to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: security Issues related to security type: enhancement A general enhancement
Projects
None yet
Milestone
1.x Backlog
Development

No branches or pull requests
6 participants
@bclozel @rstoyanchev @MiguelAngelLV @spring-projects-issues @Sam-Kruglov @Jamel-jun