@vendure/core
Version:
A modern, headless ecommerce framework
62 lines (55 loc) • 2.46 kB
JavaScript
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.generatePermissionEnum = generatePermissionEnum;
const stitch_1 = require("@graphql-tools/stitch");
const graphql_1 = require("graphql");
const constants_1 = require("../../common/constants");
const PERMISSION_DESCRIPTION = `
Permissions for administrators and customers. Used to control access to
GraphQL resolvers via the { Allow} decorator.
## Understanding Permission.Owner
\`Permission.Owner\` is a special permission which is used in some Vendure resolvers to indicate that that resolver should only
be accessible to the "owner" of that resource.
For example, the Shop API \`activeCustomer\` query resolver should only return the Customer object for the "owner" of that Customer, i.e.
based on the activeUserId of the current session. As a result, the resolver code looks like this:
\`\`\`TypeScript
\\
\\
async activeCustomer(\\ ctx: RequestContext): Promise<Customer | undefined> {
const userId = ctx.activeUserId;
if (userId) {
return this.customerService.findOneByUserId(ctx, userId);
}
}
\`\`\`
Here we can see that the "ownership" must be enforced by custom logic inside the resolver. Since "ownership" cannot be defined generally
nor statically encoded at build-time, any resolvers using \`Permission.Owner\` **must** include logic to enforce that only the owner
of the resource has access. If not, then it is the equivalent of using \`Permission.Public\`.
common`;
/**
* Generates the `Permission` GraphQL enum based on the default & custom permission definitions.
*/
function generatePermissionEnum(schema, customPermissions) {
const allPermissionsMetadata = (0, constants_1.getAllPermissionsMetadata)(customPermissions);
const values = {};
let i = 0;
for (const entry of allPermissionsMetadata) {
values[entry.name] = {
value: i,
description: entry.description,
};
i++;
}
const permissionsEnum = new graphql_1.GraphQLEnumType({
name: 'Permission',
description: PERMISSION_DESCRIPTION,
values,
});
return (0, stitch_1.stitchSchemas)({
subschemas: [schema],
types: [permissionsEnum],
typeMergingOptions: { validationSettings: { validationLevel: stitch_1.ValidationLevel.Off } },
});
}
//# sourceMappingURL=generate-permissions.js.map