On Wednesday, October 19, 2016 at 9:58:07 AM UTC-6, Rupert Smith wrote:
>
> On Wednesday, October 19, 2016 at 4:39:00 PM UTC+1, OvermindDL1 wrote:
>>
>> I've been using absinthe on the server side and I am able to control 
>> access permissions quite well for GraphQL hosting, though I am using a 
>> custom permission library that ties to our local LDAP server so that code 
>> would not be generically useful to release.
>>
>
> Sounds interesting. Is hooking custom permissions into graphql part of the 
> graphql spec? Or is it some mechanism specific to absinthe that lets you do 
> this?
>

The Elixir language (which Absinthe is built for and which I use on the 
back-end) has a very powerful hygienic macro system.  With absinthe you 
define (taking these examples from the manual examples) a 'schema', which 
is an endpoint that can be queried, a specific graphql command in other 
words.  An example would be this:
```elixir
@desc "An item"
object :item do
  field :id, :id
  field :name, :string
end
```
This as it is does nothing as no action ('query') is bound to it yet, this is 
just the data structure and the types (of which you can define your own 
types, use other objects, etc...), but we can bind such a query like:
```elixir

  query do
    field :item, :item do
      arg :id, non_null(:id)
      resolve fn %{id: item_id}, _ ->
        {:ok, @items[item_id]}
      end
    end
  end

```
This defines a query that lets a client query by 'id' and only an 'id', 
which must not be null.  The resolve function in this case is what will do 
the actual database look up (in this example it is just returning a static 
data element or 'nil' if it does not exist).  This resolve function is 
where I put my access control.  My access control works by adding this kind 
of thing into wherever I want to enforce a permission (which I can make 
as fine or coarse-grained as I want, the permission system is very finely 
grained):
```elixir

@perm true = user |> can?(select(%Perms.WhateverPerm{id: id}))

```
Where user would be passed in the 'context' of the map passed in to the 
resolve function (detailed at http://absinthe-graphql.org/guides/context/ 
for note).

Absinthe handles all the nasty parts of GraphQL though, the combining of 
queries, the real-time type documentation generation, etc... etc...


On Wednesday, October 19, 2016 at 9:58:07 AM UTC-6, Rupert Smith wrote: 

> Also, is graphql just for fetching data? Or it also allows you to create 
> new data on the server, or make updates to existing data?
>

Nope, you can query for (and only get back what you request, like if an 
'object' has 3 fields but the client only asks for 1 of them, you get that 
information in the resolver so you can optimize the DB queries 
accordingly), you can insert new things (if they fulfill your 
requirements/authorization/etc...), update things, delete things, etc... 
 Or anything else.  Technically a GraphQL 'command' is just like a function 
call where the arguments are well typed and defined and the return value is 
configurable based on the input, it is basically just RPC but a bit more 
optimized and self-documenting, and as such the 'functions'/queries can do 
whatever you want.


On Wednesday, October 19, 2016 at 9:58:07 AM UTC-6, Rupert Smith wrote:  

>> But yes, I am a fan of GraphQL.  I just expose 'functionality', not raw 
>> tables.  Many of my GraphQL calls do not map to a database table but rather 
>> potentially multiple (or even none in some cases).
>>
>
> Yes, I also do not expose raw tables in the API, each entity is typically 
> a small document tree which maps to >1 table. Also depending on what you 
> fetch and what condition you use to filter the query results I would expect 
> hitting >1 table to be quite common.
>

Indeed, I have a caching system that caches immutable DB queries across 
servers (of which I try to design the DB to use as many immutable rows as 
possible, lots of SELECT and INSERT, few if any UPDATEs).

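An added example, not part of the original message and not OvermindDL1's code: a resolver with the two-argument shape shown above that takes the user from the context and denies by default. The `current_user` context key, the `can_select?` policy and the sample items are assumptions made for illustration; the poster's LDAP-backed permission library is not public.

```elixir
defmodule ItemResolver do
  # Constructed sample data standing in for a database table.
  @items %{
    "foo" => %{id: "foo", name: "Foo", owner: "alice"},
    "bar" => %{id: "bar", name: "Bar", owner: "bob"}
  }

  # Hypothetical policy: admins may select any item, other users only the
  # items they own. Any input that matches neither clause is denied.
  def can_select?(%{role: :admin}, _item), do: true
  def can_select?(%{name: name}, %{owner: owner}), do: name == owner
  def can_select?(_user, _item), do: false

  # Resolver shape used in the message above: (args, resolution), where the
  # resolution carries the per-request context map.
  def item(%{id: item_id}, %{context: %{current_user: user}}) do
    with {:ok, item} <- Map.fetch(@items, item_id),
         true <- can_select?(user, item) do
      {:ok, item}
    else
      # A denied lookup gets the same answer as a missing id, so the error
      # does not reveal which ids exist.
      _ -> {:error, "not found"}
    end
  end

  # No user in the context: refuse before touching the data.
  def item(_args, _resolution), do: {:error, "unauthenticated"}
end

# Constructed contexts, as an authentication plug might build them.
alice = %{context: %{current_user: %{name: "alice", role: :user}}}
admin = %{context: %{current_user: %{name: "root", role: :admin}}}

# Each match raises MatchError if the resolver returns anything else.
{:ok, %{name: "Foo"}} = ItemResolver.item(%{id: "foo"}, alice)
{:error, "not found"} = ItemResolver.item(%{id: "bar"}, alice)
{:error, "not found"} = ItemResolver.item(%{id: "nope"}, alice)
{:ok, %{name: "Bar"}} = ItemResolver.item(%{id: "bar"}, admin)
{:error, "unauthenticated"} = ItemResolver.item(%{id: "foo"}, %{context: %{}})
IO.puts("all resolver checks passed")
```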