I created a question-answer platform (similar to Stack Overflow) based on the GRANDstack, with authorization using the repo graphql-auth-directives. This allows us to check on authentication, and authorization on role level or scope level.
In this platform a user can answer a question and might save the answer as draft. As long as the answer is not posted it should be seen by the user itself but by no one else. Other users however should see all the other finalised answers.
How can I create this type of user level authorization? It should provide the following result:
Suppose a question Q with id someid, which currently has finalised answers A1 and A2. If some random user U1 performs the query:
query {
  Question(id: someid) {
    answers {
      Answer {
        id,
        text,
        is_draft
      }
    }
  }
}
he/she should see A1 and A2 as answers. However, if another user, U2, currently has one answer in draft for this question, say A3, then he/she should retrieve A1, A2 and A3.
Is there some generic solution available? And if not what would be the suggested approach of programming this functionality?
In order to tackle the above issue I have adapted the graphql-auth-directives package and created my own, see here. This allows you to create such 'conditional permissions', as I have called them. To get a better understanding of the implementation I'd suggest you look at the Medium article I wrote about it.
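The visibility rule asked about above, written as plain resolver-level checks. This is an added example, not part of the original posts and not the code of the package mentioned. The `authorId` field, the `context.user` shape, the resolver names and the sample data are assumptions.

```javascript
// Constructed sample data: A1 and A2 are finalised, A3 is U2's draft.
const ANSWERS = [
  { id: "A1", questionId: "someid", authorId: "U8", text: "first", is_draft: false },
  { id: "A2", questionId: "someid", authorId: "U9", text: "second", is_draft: false },
  { id: "A3", questionId: "someid", authorId: "U2", text: "wip", is_draft: true },
  { id: "A4", questionId: "someid", authorId: "U9", text: "legacy" }, // is_draft missing
];

// Finalised answers are public; anything else is visible only to its author.
// A missing or non-boolean is_draft is treated as a draft (fail closed).
function canSeeAnswer(answer, viewer) {
  if (answer.is_draft === false) return true;
  return viewer !== null && viewer.id === answer.authorId;
}

// Assumption: the auth layer puts the verified token's user on context.user.
// The viewer id is never taken from query arguments.
function viewerFrom(context) {
  const user = context && context.user;
  return user && typeof user.id === "string" && user.id !== "" ? { id: user.id } : null;
}

// Hypothetical field resolver for Question.answers.
function resolveAnswers(question, _args, context) {
  const viewer = viewerFrom(context);
  return ANSWERS.filter(a => a.questionId === question.id && canSeeAnswer(a, viewer));
}

// Hypothetical single-answer lookup: same rule, and a hidden draft looks
// exactly like a missing id so its existence is not disclosed.
function resolveAnswerById(_parent, args, context) {
  const answer = ANSWERS.find(a => a.id === args.id);
  return answer && canSeeAnswer(answer, viewerFrom(context)) ? answer : null;
}

// Ids visible on question "someid" for a given request context.
const ids = ctx => resolveAnswers({ id: "someid" }, {}, ctx).map(a => a.id).join(",");
console.log("U1:", ids({ user: { id: "U1" } }));
console.log("U2:", ids({ user: { id: "U2" } }));
console.log("anonymous:", ids({}));
```

Every path that can return an answer (list field, lookup by id, search) has to go through the same check, otherwise a draft hidden in one query is still readable through another.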