I am trying to take the awesome Redwood tutorial to another level. My goal is to have it so only the user associated with a post has the ability to delete a post.
Now sorting that on the front end is straightforward. I check to see if the user is associated with a post and then show the delete button based on that condition. But how could I go about securing the backend so only the correct user can delete a post (i.e. making sure I prevent someone from coming in through the backend and deleting another user’s post)?
Is this something a custom directive may be able to help with?
I would appreciate it if someone could point me in the right direction for solving this the Redwood Way.
PS. if you can suggest a better title for SEO purposes please go ahead
Interesting idea! Would you be open to creating a how-to guide for this? With a link from the related section of the tutorial explaining that you can follow that guide for a more thorough usage of RBAC?
We don’t like making major changes to the tutorial as we have supporting assets (like videos) and making these kinds of changes would require re-recording them to get them to match up with the flow. That’s not really something we want to commit to at the moment.
What you’ve shown here is pretty much exactly what I would do! The only change might be to move that ownership check into its own function so that you can re-use it for the updatePost function as well.
We’ve also got Service Validations that are usually used to check that your data is formatted correctly before getting into the database, but we’ve also got a validateWith() function that lets you use whatever logic you want. And you are validating something, so it fits right in!
I haven’t done much with GraphQL Directives, but my understanding is that they’re more suited to transforming data in/out of the endpoint… like if you wanted everything to be UPPERCASE even though it’s stored in the database in lowercase.
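Here is one way to write the ownership check the reply describes, as an added example that is not code from the Redwood tutorial, from this thread, or from the Redwood project itself. It factors the check into a single `verifyOwnership` function shared by `deletePost` and `updatePost`. Redwood's per-request `context`, the Prisma `db` client and the `ForbiddenError`/`NotFoundError` classes are replaced by minimal stand-ins (all assumptions, labelled in the comments) so the service logic runs offline; the two users and two posts are constructed sample data, and the functions are synchronous rather than `async` only so the demo needs no database.

```javascript
// Added example, not code from the Redwood tutorial or from this thread.
// Redwood's `context`, `db` (Prisma client) and error classes are replaced
// here by minimal stand-ins so the service logic runs offline; the service
// functions are written in the shape of a Redwood `api/src/services` file,
// but synchronous instead of async for the sake of the demo.

class ForbiddenError extends Error {
  constructor(message) {
    super(message)
    this.name = 'ForbiddenError'
  }
}

class NotFoundError extends Error {
  constructor(message) {
    super(message)
    this.name = 'NotFoundError'
  }
}

// Stand-in for Redwood's per-request `context`: the auth layer sets
// `currentUser` from the verified session, never from client-supplied input.
const context = { currentUser: null }

// Constructed sample data: two users, each owning one post.
const posts = [
  { id: 1, title: 'Alice on Redwood', body: 'first post', userId: 1 },
  { id: 2, title: 'Bob on Prisma', body: 'second post', userId: 2 },
]

// Stand-in for the Prisma client exposed as `db` in Redwood services.
const db = {
  post: {
    findUnique: ({ where }) => posts.find((p) => p.id === where.id) ?? null,
    update: ({ where, data }) => {
      const post = posts.find((p) => p.id === where.id)
      if (!post) throw new NotFoundError(`Post ${where.id} not found`)
      return Object.assign(post, data)
    },
    delete: ({ where }) => {
      const index = posts.findIndex((p) => p.id === where.id)
      if (index < 0) throw new NotFoundError(`Post ${where.id} not found`)
      return posts.splice(index, 1)[0]
    },
  },
}

// The ownership check, factored into one function so every mutating
// service (delete, update, ...) applies exactly the same rule.
const verifyOwnership = (id) => {
  if (!context.currentUser) {
    throw new ForbiddenError('You must be logged in to do that')
  }
  const post = db.post.findUnique({ where: { id } })
  if (!post) {
    throw new NotFoundError(`Post ${id} not found`)
  }
  // Compare against the server-side identity, not anything the client sent.
  if (post.userId !== context.currentUser.id) {
    throw new ForbiddenError(`You do not own post ${id}`)
  }
  return post
}

const deletePost = ({ id }) => {
  verifyOwnership(id)
  return db.post.delete({ where: { id } })
}

const updatePost = ({ id, input }) => {
  verifyOwnership(id)
  return db.post.update({ where: { id }, data: input })
}

// Run a service call as a given user, the way Redwood's auth middleware
// populates `context.currentUser` for one request and then discards it.
const asUser = (user, fn) => {
  const previous = context.currentUser
  context.currentUser = user
  try {
    return fn()
  } finally {
    context.currentUser = previous
  }
}

// Demo helper: reports 'ok' or the name of the error a call was rejected with.
const attempt = (user, fn) => {
  try {
    asUser(user, fn)
    return 'ok'
  } catch (err) {
    return err.name
  }
}

// Bob (id 2) tries to delete Alice's post, an anonymous caller tries too,
// and Alice (id 1) edits her own post.
console.log(attempt({ id: 2 }, () => deletePost({ id: 1 }))) // ForbiddenError
console.log(attempt(null, () => deletePost({ id: 1 }))) // ForbiddenError
console.log(attempt({ id: 1 }, () => updatePost({ id: 1, input: { title: 'Alice on RedwoodJS' } }))) // ok
```

Two points a practitioner would want to keep when porting this into a real service: the comparison must be against `context.currentUser`, which the server derives from the verified session, and never against a `userId` argument the client passes in, otherwise the front-end check is all the protection you have. An auth directive on the mutation in the SDL only proves that some session exists; the row-level rule that this user owns this row has to live in the service, which is exactly where the reply puts it. If you would rather not reveal whether a post id exists at all, collapse the not-found and not-owner cases into the same error. Redwood ships its own `ForbiddenError` class for rejections like this; in real code the functions are `async` and `await` the `db` calls.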