Access Control
Access ControlAccess Control

Access Control

Included in the “Power Extensions” bundle

Grant granular access to the schema, based on the user being logged-in (or not), having a certain role or capability, and more.

Description

This extension allows us to create Access Control Lists, to manage who can access the different elements (operations, fields and directives) from the GraphQL schema.

A new "Access Control List" Custom Post Type is added to the site. We can browse its entries on the "Access Control Lists" page in the menu, and click on "Add New Access Control List" to add a new entry in the editor.

Access Control Lists
Access Control Lists
Access Control List editor
Access Control List editor

In the editor, we indicate what rules must be satisfied to access what schema elements, from among operations (query or mutation), fields, global fields, and directives.

Creating an Access Control List

We assign the Access Control List to the desired endpoint (private endpoint, single endpoint, custom endpoints or persisted queries) via the Schema Configuration.

Selecting an Access Control List in the Schema Configuration
Selecting an Access Control List in the Schema Configuration

When executing a GraphQL query, if it contains any of the selected schema elements in the Access Control List, the chosen rules are evaluated.

If any rule is not satisfied, access to that operation, field or directive is denied, and we can configure how the API must provide the response:

  • Public mode: Provide an error message to the user, indicating why access is denied
  • Private mode: The error message indicates that the operation, field or directive does not exist

For instance, in the public mode, we may get this response:

{
  "errors": [
    {
      "message": "You must have role 'author' to access field 'title' for type 'Post'",
      "locations": [
        {
          "line": 86,
          "column": 3
        }
      ]
    }
  ]
}

While in the private mode we may get this response:

{
  "errors": [
    {
      "message": "There is no field 'title' on type 'Post'",
      "locations": [
        {
          "line": 86,
          "column": 3
        }
      ]
    }
  ]
}

List of Access Control rules

The extension provides the following Access Control rules:

  • Disable access
  • Grant access only if the user is logged-in or out
  • Grant access only if the user has some role
  • Grant access only if the user has some capability