7 years ago · 1e59fa84d2
--- a/schema.json
+++ b/schema.json
--- a/server/src/api/common/auth-guard.ts
+++ b/server/src/api/common/auth-guard.ts
@@ -50,12 +50,13 @@ export class AuthGuard implements CanActivate {
 
				         const res: Response = ctx.res;
			
 
				         const authDisabled = this.configService.authOptions.disableAuth;
			
 
				         const permissions = this.reflector.get<Permission[]>(PERMISSIONS_METADATA_KEY, context.getHandler());
			
 
				+        const isPublic = !!permissions && permissions.includes(Permission.Public);
			
 
				         const hasOwnerPermission = !!permissions && permissions.includes(Permission.Owner);
			
 
				         const session = await this.getSession(req, res, hasOwnerPermission);
			
 
				         const requestContext = await this.requestContextService.fromRequest(req, permissions, session);
			
 
				         req[REQUEST_CONTEXT_KEY] = requestContext;
			
 
				 
			
 
				-        if (authDisabled || !permissions) {
			
 
				+        if (authDisabled || !permissions || isPublic) {
			
 
				             return true;
			
 
				         } else {
			
 
				             return requestContext.isAuthorized || requestContext.authorizedAsOwnerOnly;
			
--- a/server/src/api/resolvers/product.resolver.ts
+++ b/server/src/api/resolvers/product.resolver.ts
@@ -36,7 +36,7 @@ export class ProductResolver {
 
				     ) {}
			
 
				 
			
 
				     @Query()
			
 
				-    @Allow(Permission.ReadCatalog)
			
 
				+    @Allow(Permission.ReadCatalog, Permission.Public)
			
 
				     async products(
			
 
				         @Ctx() ctx: RequestContext,
			
 
				         @Args() args: ProductsQueryArgs,
			
@@ -45,7 +45,7 @@ export class ProductResolver {
 
				     }
			
 
				 
			
 
				     @Query()
			
 
				-    @Allow(Permission.ReadCatalog)
			
 
				+    @Allow(Permission.ReadCatalog, Permission.Public)
			
 
				     async product(
			
 
				         @Ctx() ctx: RequestContext,
			
 
				         @Args() args: ProductQueryArgs,
			
--- a/server/src/common/types/permission.graphql
+++ b/server/src/common/types/permission.graphql
@@ -6,6 +6,8 @@ enum Permission {
 
				     SuperAdmin
			
 
				     " Owner means the user owns this entity, e.g. a Customer's own Order"
			
 
				     Owner
			
 
				+    " Public means any unauthenticated user may perform the operation "
			
 
				+    Public
			
 
				 
			
 
				     CreateCatalog
			
 
				     ReadCatalog
			
--- a/shared/generated-types.ts
+++ b/shared/generated-types.ts
@@ -1096,6 +1096,7 @@ export enum Permission {
 
				     Authenticated = 'Authenticated',
			
 
				     SuperAdmin = 'SuperAdmin',
			
 
				     Owner = 'Owner',
			
 
				+    Public = 'Public',
			
 
				     CreateCatalog = 'CreateCatalog',
			
 
				     ReadCatalog = 'ReadCatalog',
			
 
				     UpdateCatalog = 'UpdateCatalog',