How to completely disable specific root fields for a table in Hasura

[valterartur]

Hello everyone,

I'm trying to disable specific root fields for a table in Hasura. In my case, I want to completely remove the _aggregate root field from the generated GraphQL schema, as I don't need it in my application.

I've tried the following approaches based on the Table Config and Custom Root Fields documentation:

Setting the select_aggregate field to an empty string (""):

"custom_root_fields": {"select_aggregate": ""}

Setting the select_aggregate field to null:

"custom_root_fields": {"select_aggregate": null}

However, none of these approaches seem to completely remove the _aggregate root field from the GraphQL schema. It's still visible and accessible through the Hasura console.

Is there a way to completely disable specific root fields, like _aggregate, for a table in Hasura? Any help or guidance would be appreciated.

[meetzaveri]

Hello @valterartur

I assume you are familiar with "roles" and "permissions". For the best practices, secure your GraphQL API with authorization using roles and permissions -https://hasura.io/docs/latest/auth/authorization/index/

Once you've set roles and permissions for it, let's say any user accessing your API has a specific role attached to them. Say a user with role "moderator" accesses your GraphQL API and you don't want to show them _aggregate root field. By default, in Permissions any custom role you created (not "admin" role), users with those roles won't be able to see _aggregate root field unless you had manually "checked" it by clicking checkbox option. There is whole docs page explaining how to disable root field visibility for roles - https://hasura.io/docs/latest/auth/authorization/permissions/disabling-root-fields/

Check the image I've attached here so you'll get the idea.

Please do try this and let me know if you are still facing issues

[valterartur]

Hi @meetzaveri .
Thanks for response. Yes I'm aware of this and using it but we don't need {}_aggreate queries at all, so I was thinking about how to remove them completely and not only hide from certain roles.
As I understand there is no way to do it for now, right?

[meetzaveri]

Right, there's no way. If you are exposing them via admin role, its not considered a good practice. Your end users should always be accessing your graphql endpoint with some seperate role(where certain data needs to be restricted for them).

[valterartur]

Sure, we are not exposing access with admin role only with custom roles. And each role have it disabled. Thanks for answer.