What I learnt about Access Control

Authentication VS Authorisation

What does the structure look like?

The Key Piece! => Session!

Schema access controls are set by Rules and Permissions

Like in an RPG game…

Putting everything together

  • Role is another schema type, used specifically for assigning a set of permissions to users.
  • In KeystoneJS, Roles can be given an admin UI with a checkbox list of permissions, which we can enable per Role.
  • In the Session, we can expose the permissions a user has, so that GraphQL queries receive this user's permission info. See line 84
  • The Rules are built from permissions and session data, which gives access control more flexibility: not only can we allow specific users access, we can also control with finer granularity what they can access. For instance, in this example the canReadProducts rule returns a Keystone query filter: for users without the specific permission granted, if they are the owner they can see all of their products; otherwise they can only see available products.
    return {
      OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
    };
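As an added example (not code from the original post), here is how these pieces fit together in a KeystoneJS-style rule: a permission read from the role exposed on the session, and a rule that returns true, false, or a filter depending on who is asking. The permission name canManageProducts, the sample products, and the small matches helper (a stand-in for Keystone's own filter evaluation) are assumptions for illustration.

```javascript
// Added example, not the original post's code. Assumes the session strategy
// exposes the user's role (with a canManageProducts checkbox) under session.data.
const isSignedIn = ({ session }) => Boolean(session);

const permissions = {
  // Assumed permission name: true when the Role has the checkbox ticked.
  canManageProducts: ({ session }) =>
    Boolean(session?.data?.role?.canManageProducts),
};

const rules = {
  // Returns true (see everything), false (see nothing) or a filter (see a subset).
  canReadProducts({ session }) {
    if (!isSignedIn({ session })) return false;
    if (permissions.canManageProducts({ session })) return true;
    // No management permission: owners see all of their own products,
    // everyone else only AVAILABLE ones.
    return {
      OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
    };
  },
};

// Minimal evaluator for the subset of Keystone filter syntax used above
// (equality on fields, nested relationship fields, and OR), so the rule can
// be exercised offline. Keystone itself turns the filter into a DB query.
function matches(item, filter) {
  if (filter === true) return true;
  if (filter === false) return false;
  if (filter.OR) return filter.OR.some((f) => matches(item, f));
  return Object.entries(filter).every(([key, value]) =>
    typeof value === 'object' && value !== null
      ? matches(item[key] ?? {}, value)
      : item[key] === value,
  );
}

// Constructed sample products (not real data).
const products = [
  { id: 'p1', status: 'AVAILABLE', user: { id: 'alice' } },
  { id: 'p2', status: 'DRAFT', user: { id: 'alice' } },
  { id: 'p3', status: 'DRAFT', user: { id: 'bob' } },
];

// Applies the rule for a given session and returns the ids the user may read.
function visibleProductIds(session) {
  const access = rules.canReadProducts({ session });
  return products.filter((p) => matches(p, access)).map((p) => p.id);
}
```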

More Info




A software engineer passionate about learning and growth
Sherry Hsu