首頁 探索 說明
登入
cturan
/
vendure
镜像来自 https://github.com/vendure-ecommerce/vendure
1
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: a09eaa0a45
分支列表 標籤列表
vendure
/
packages
/
core
/
src
/
api
/
config
/
generate-permissions.ts

generate-permissions.ts 2.5 KB
文件歷史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. import { stitchSchemas, ValidationLevel } from '@graphql-tools/stitch';
    2. 

  2. import { GraphQLEnumType, GraphQLSchema } from 'graphql';
    3. 

  3. import { GraphQLEnumValueConfigMap } from 'graphql/type/definition';
    4. 

  4. 

  5. import { getAllPermissionsMetadata } from '../../common/constants';
    6. 

  6. import { PermissionDefinition } from '../../common/permission-definition';
    7. 

  7. 

  8. const PERMISSION_DESCRIPTION = `@description
    9. 

  9. Permissions for administrators and customers. Used to control access to
    10. 

  10. GraphQL resolvers via the {@link Allow} decorator.
    11. 

  11. 

  12. ## Understanding Permission.Owner
    13. 

  13. 

  14. \`Permission.Owner\` is a special permission which is used in some Vendure resolvers to indicate that that resolver should only
    15. 

  15. be accessible to the "owner" of that resource.
    16. 

  16. 

  17. For example, the Shop API \`activeCustomer\` query resolver should only return the Customer object for the "owner" of that Customer, i.e.
    18. 

  18. based on the activeUserId of the current session. As a result, the resolver code looks like this:
    19. 

  19. 

  20. @example
    21. 

  21. \`\`\`TypeScript
    22. 

  22. \\@Query()
    23. 

  23. \\@Allow(Permission.Owner)
    24. 

  24. async activeCustomer(\\@Ctx() ctx: RequestContext): Promise<Customer | undefined> {
    25. 

  25.   const userId = ctx.activeUserId;
    26. 

  26.   if (userId) {
    27. 

  27.     return this.customerService.findOneByUserId(ctx, userId);
    28. 

  28.   }
    29. 

  29. }
    30. 

  30. \`\`\`
    31. 

  31. 

  32. Here we can see that the "ownership" must be enforced by custom logic inside the resolver. Since "ownership" cannot be defined generally
    33. 

  33. nor statically encoded at build-time, any resolvers using \`Permission.Owner\` **must** include logic to enforce that only the owner
    34. 

  34. of the resource has access. If not, then it is the equivalent of using \`Permission.Public\`.
    35. 

  35. 

  36. 

  37. @docsCategory common`;
    38. 

  38. 

  39. /**
    40. 

  40.  * Generates the `Permission` GraphQL enum based on the default & custom permission definitions.
    41. 

  41.  */
    42. 

  42. export function generatePermissionEnum(
    43. 

  43.     schema: GraphQLSchema,
    44. 

  44.     customPermissions: PermissionDefinition[],
    45. 

  45. ): GraphQLSchema {
    46. 

  46.     const allPermissionsMetadata = getAllPermissionsMetadata(customPermissions);
    47. 

  47.     const values: GraphQLEnumValueConfigMap = {};
    48. 

  48.     let i = 0;
    49. 

  49.     for (const entry of allPermissionsMetadata) {
    50. 

  50.         values[entry.name] = {
    51. 

  51.             value: i,
    52. 

  52.             description: entry.description,
    53. 

  53.         };
    54. 

  54.         i++;
    55. 

  55.     }
    56. 

  56. 

  57.     const permissionsEnum = new GraphQLEnumType({
    58. 

  58.         name: 'Permission',
    59. 

  59.         description: PERMISSION_DESCRIPTION,
    60. 

  60.         values,
    61. 

  61.     });
    62. 

  62. 

  63.     return stitchSchemas({
    64. 

  64.         subschemas: [schema],
    65. 

  65.         types: [permissionsEnum],
    66. 

  66.         typeMergingOptions: { validationSettings: { validationLevel: ValidationLevel.Off } },
    67. 

  67.     });
    68. 

  68. }
    69.