Working with DataObject
models
- Adding DataObject models to the schema
- An overview of how the DataObject model can influence the creation of types, queries, and mutations
- DataObject query plugins
- Learn about some of the useful goodies that come pre-packaged with DataObject queries
- DataObject inheritance
- Learn how inheritance is handled in DataObject model types
- Versioned content
- A guide on how DataObject models with the Versioned extension behave in GraphQL schemas
- Property mapping and dot syntax
- Learn how to customise field names, use dot syntax, and use aggregate functions
- Nested type definitions
- Define dependent types inline with a parent type
- DataObject operation permissions
- A look at how permissions work for DataObject queries and mutations
You are viewing docs for silverstripe/graphql 4.x. If you are using 3.x, documentation can be found in the GitHub repository
DataObject
operation permissions
Any of the operations that come pre-configured for DataObjects are secured by the appropriate permissions by default. Please see Model-Level Permissions for more information.
Mutation permssions
When mutations fail due to permission checks, they throw a PermissionsException
.
For create
, if a singleton instance of the record being created doesn't pass a canCreate($member)
check,
the mutation will throw.
For update
, if the record matching the given ID doesn't pass a canEdit($member)
check, the mutation will
throw.
For delete
, if any of the given IDs don't pass a canDelete($member)
check, the mutation will throw.
Query permissions
Query permissions are a bit more complicated, because they can either be in list form, (paginated or not), or a single item. Rather than throw, these permission checks work as filters.
It is critical that you have a canView()
method defined on your DataObjects. Without this, only admins are
assumed to have permission to view a record.
For read
and readOne
a plugin called canView
will filter the result set by the canView($member)
check.
When paginated items fail a canView()
check, the pageInfo
field is not affected.
Limits and pages are determined through database queries. It would be too inefficient to perform in-memory checks on large data sets.
This can result in pages showing a smaller number of items than what the page should contain, but keeps the pagination calls consistent
for limit
and offset
parameters.
Disabling query permissions
Though not recommended, you can disable query permissions by setting their plugins to false
.
# app/_graphql/models.yml
Page:
operations:
read:
plugins:
canView: false
readOne:
plugins:
canView: false