Version 4 supported
This version of Silverstripe CMS is still supported though will not receive any additional features. Go to documentation for the most recent stable version.

Working with DataObject models

Adding DataObject models to the schema
An overview of how the DataObject model can influence the creation of types, queries, and mutations
DataObject query plugins
Learn about some of the useful goodies that come pre-packaged with DataObject queries
DataObject operation permissions
A look at how permissions work for DataObject queries and mutations
Property mapping and dot syntax
Learn how to customise field names, use dot syntax, and use aggregate functions
Versioned content
A guide on how DataObject models with the Versioned extension behave in GraphQL schemas
DataObject inheritance
Learn how inheritance is handled in DataObject model types
Nested type definitions
Define dependent types inline with a parent type

You are viewing docs for silverstripe/graphql 4.x. If you are using 3.x, documentation can be found in the GitHub repository

DataObject operation permissions

Any of the operations that come pre-configured for DataObjects are secured by the appropriate permissions by default. Please see Model-Level Permissions for more information.

Mutation permssions

When mutations fail due to permission checks, they throw a PermissionsException.

For create, if a singleton instance of the record being created doesn't pass a canCreate($member) check, the mutation will throw.

For update, if the record matching the given ID doesn't pass a canEdit($member) check, the mutation will throw.

For delete, if any of the given IDs don't pass a canDelete($member) check, the mutation will throw.

Query permissions

Query permissions are a bit more complicated, because they can either be in list form, (paginated or not), or a single item. Rather than throw, these permission checks work as filters.

It is critical that you have a canView() method defined on your DataObjects. Without this, only admins are assumed to have permission to view a record.

For read and readOne a plugin called canView will filter the result set by the canView($member) check.

When paginated items fail a canView() check, the pageInfo field is not affected. Limits and pages are determined through database queries. It would be too inefficient to perform in-memory checks on large data sets. This can result in pages showing a smaller number of items than what the page should contain, but keeps the pagination calls consistent for limit and offset parameters.

Disabling query permissions

Though not recommended, you can disable query permissions by setting their plugins to false.

# app/_graphql/models.yml
Page:
  operations:
    read:
      plugins:
        canView: false
    readOne:
      plugins:
        canView: false

Further reading

Adding DataObject models to the schema
An overview of how the DataObject model can influence the creation of types, queries, and mutations
DataObject query plugins
Learn about some of the useful goodies that come pre-packaged with DataObject queries
DataObject operation permissions
A look at how permissions work for DataObject queries and mutations
Property mapping and dot syntax
Learn how to customise field names, use dot syntax, and use aggregate functions
Versioned content
A guide on how DataObject models with the Versioned extension behave in GraphQL schemas
DataObject inheritance
Learn how inheritance is handled in DataObject model types
Nested type definitions
Define dependent types inline with a parent type
Edit on Github