Description
I would like to be able to assign a permission profile to a single entity without having to define a separate profile to check the entity relation.
For example, I have something similar to the following:
```graphql
type Ctx @valueObject {
  id: ID
  pfl: ID
  gal: ID
}

type Portfolio @rootEntity(permissionProfile: "portfolio") {
  gallery: Gallery! @relation
  tags: [Tag] @relation
  ctx: Ctx @accessField
}

type Tag @rootEntity {
  name: String
  ctx: Ctx @accessField
}

type Gallery @rootEntity(permissionProfile: "gallery") {
  portfolios: [Portfolio]
  ctx: Ctx @accessField
}
```

permissions-profile.yaml

```yaml
permissionProfile:
  portfolio:
    - access: read
      roles:
        - /^viewer-gal-(.*)$/
      restrictions:
        - field: ctx.gal
          valueTemplate: $1
    - access: read
      roles:
        - /^viewer-pfl-(.*)$/
      restrictions:
        - field: ctx.pfl
          valueTemplate: $1
```

In this example, if I were to try and access tags, I would get the message "Not authorized to read Tag objects (in Portfolio.tags)". To allow user access to the referenced entity, I would need to add another policy for tag.
Is it possible to avoid having to add an additional policy for each reference? If a permission profile is not defined for the referenced entity, can the check be skipped?
I was also curious about the id field. Should it be accessible to permissions-profile? At the moment I am unable to reference id even when I define it in the schema with `id: ID @key @accessField`. I have been getting around many of these things by adding a context field and giving it a uuid field.
Any help would be appreciated. Look forward to hearing back.
Thank you,
John
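
Added example, not part of the original post and not cruddl's own code: a simplified model of how the role regex capture groups and `valueTemplate` restrictions above resolve for a user, and why a referenced type with no profile is refused. The names `profiles`, `typeProfiles`, `getPath`, `resolveConstraints` and `canRead` are hypothetical, and the deny-when-no-profile rule is an assumption taken from the error message quoted in the post.

```javascript
// Added illustration, not cruddl source. Profile entries mirror the YAML in the post.
const profiles = {
  portfolio: [
    { access: 'read', roles: [/^viewer-gal-(.*)$/],
      restrictions: [{ field: 'ctx.gal', valueTemplate: '$1' }] },
    { access: 'read', roles: [/^viewer-pfl-(.*)$/],
      restrictions: [{ field: 'ctx.pfl', valueTemplate: '$1' }] },
  ],
};
// Assumption: a type with no profile is denied, as the error in the post suggests.
const typeProfiles = { Portfolio: 'portfolio', Tag: undefined };

// Read a dotted path such as "ctx.gal" from an object.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// For each (permission entry, matching role) pair, expand $n in valueTemplate
// with the role's capture groups and return the resulting field constraints.
function resolveConstraints(profileName, userRoles, access) {
  const result = [];
  for (const perm of profiles[profileName] ?? []) {
    if (perm.access !== access) continue;
    for (const pattern of perm.roles) {
      for (const role of userRoles) {
        const m = pattern.exec(role);
        if (!m) continue;
        result.push(perm.restrictions.map((r) => ({
          field: r.field,
          value: r.valueTemplate.replace(/\$(\d+)/g, (_, i) => m[i] ?? ''),
        })));
      }
    }
  }
  return result;
}

// An object is readable if every constraint of at least one matching entry holds.
function canRead(typeName, obj, userRoles) {
  const profileName = typeProfiles[typeName];
  if (!profileName) return false; // deny by default: no profile, no access
  return resolveConstraints(profileName, userRoles, 'read')
    .some((cs) => cs.every((c) => getPath(obj, c.field) === c.value));
}

// Constructed sample data.
const portfolio = { ctx: { id: 'c1', pfl: 'p1', gal: 'g1' } };
console.log(canRead('Portfolio', portfolio, ['viewer-gal-g1']));
console.log(canRead('Tag', { name: 't', ctx: { gal: 'g1' } }, ['viewer-gal-g1']));
```

In this model, skipping the check for unprofiled types would let any role that can read a `Portfolio` traverse `tags` into `Tag` objects regardless of their `ctx`, which is the trade-off behind the request above.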