Go back to 8base Academy
October 1, 2019

Advanced Authorization using Custom GraphQL Filters

Sebastian Scholl

* This is an automated transcript. Please excuse inaccuracies.

Good morning, so in video four we went over how you can permission your API or setup authorization using the default controls that 8base offers you. Now what we're going to do is jump in look how you can create custom access or custom filters on any record for a specific action to really have a more fine-grained control over what types of users are allowed to perform updates or reads on different types of records and resources. Let's take a look at that.  


Okay so I'm in my Quick Start app workspace right now and one thing I just wanted to show you is I added an extra field to the Brokers table called “credits”; which is a number of type field right. So, we're just going to use this to make our filter or make our custom access depend on a certain variable for the broker right. So, I'm going to jump over the API Explorer now what I've already populated with just some let's call it a template right. First off, we have a query and that query is taking a filter as an argument. Then inside it we pass that argument to as the filter on the Brokers list query and then all we care about right now is returning an ID right.  


So, right down here we're able to look at this query a variable which is going to be the filter that we are defining. This will make sense why we're doing it as a query at the end of the video, so just bear with you for now. But what's cool is just like we could filter any query right here; we can start creating that inside the query variable view down at the bottom. So, for example, let's say that this filter and one thing that we wanted to do was we wanted to say, “Okay well we went to filter our Brokers by ones that have credits greater than five. So, ones with more credit more than five credits. So, we can run that filter and we have one broker that has more than five credits right.” Well let's say, that we wanted a conditional type filter we would say, “Or and or and both accept objects we're to which you know if it's an and, every single object has to have it returned truthy for the specified thing with the or, one of them has to be specified truthy.” So, let's just throw- one second- let's just throw this in here. So, this is the broker can either have five credits or let's give it the next value. We can say, “Let's see that they have listing or the let's say that their email right ends with user, email ends with.” And we're going to go 8base.Co for this. So, we run that cool and we got a lot more now right. So, what's this doing? This filter is going through and saying okay well we want to filter by people that have more than five credits or their name ends with a base right.  


So, one thing that's important or two things that are important about this is, one we're looking at a field property here, the next one we're going into a relation and new filtering by the relation right. Now why is this relevant to roles and permissions or specifically creating custom access for a role to a different or specific table? Well if we wanted to, we could take this right here and the same way it performed on this list of Brokers, we could go into our settings, we could specify on our roles that well this is the broker role and when the broker role is interacting with or reading the Brokers resource, we could say that has a custom filter on that and we drop that in there and this would work. Meaning that it would scope the records that this broker has access to reading per the filter that we just defined and as it behaved within the API Explorer.  


One thing that's important to note here as well is that we go back to the API Explorer let's say, that we wanted to do it to where okay well we're going to do this for listings. So, let’s change a few things here. First thing was that we're going to change this to listing list that's going to be the type, which means that then we have to change the type of the filter to a listing filter with all arguments have to be typed. We will still leave it as my filter right. So, what we're going to specify here is that, okay we're going to do it to where if the listings broker has more than five credits- just do it like that. So, if the listings broker has more than five credits then they'll be able to update the listing.  


The second condition that we can do is or if the listing- let's just use the autocomplete here. So, if I just press option space, it's going to open a list of autocomplete. So, we're leave that. Or if the status of the listing equals nothing draft would be one, right. So, if a listing is not published or the broker has more than five credits, they'll be able to update the listing that's what we're going to use it for. And one other thing that we can do here is we can say, okay what we can do is kind of an aggregated one to where we'd say, okay well if the broker- let's go back to the broker- well one second. If the Brokers listings and so since this is a collection, we can specify whether some of these values are truthy, if every value has to be truthy or if none of the values have to be truthy. So, let's say that if any of the listings price or let's say if any of the Brokers listing price is greater than or equal to 1 million dollars or 1 million, then this filter will trigger alright.  


So, once again we're just kind of playing around here, but you get the idea of the level of detail that you can go into. So, a good example of this would be imagine if you're a building a service like Reddit or something you know or some like Hacker News too, where based on the number of karma points or the number of yeah karmic type points the logged in user has, maybe they can perform a certain action right. All those types of custom permissions can be built in the filters to show what type of actions they can do on what types of resources. Once again though if I just take this- let's actually run this- it works. Can is a strong filter and no one has a listing of more than million dollars, so no items returned. But we could take this query or this list filter, we could copy it, go right back into our “settings”, open up “roles” click on the “Brokers role” and then let's say that on the listings to update the listing we want to put on a custom filter drop that in there and it's good to go.  


I hope this gave you a really good idea of how flexible the roles and permissions or authorization system is in a phase, where by using these types of custom filters you can really give a fine-grained control permission over what records different roles are allowed to come back perform actions on, based on the attributes of any related record. So, hope this was helpful, have a great rest of your day and looking forward to seeing you again in future videos.  

Share this post on social media!

Ready to try 8base?

We're excited about helping you achieve amazing results.