Operations

This reference runs through a number of worked GraphQL queries and how each location in each query triggers the evaluation of different authentication/authorization rules.

Each relevant location has a comment such as CREATE ON OBJECT Movie, which means an authentication directive such as the following would be evaluated:

type Movie @authentication(operations: [CREATE]) {
    title: String!
    actors: [Actor!]! @relationship(type: "ACTED_IN", direction: IN)
}

This also applies if the directive had no arguments, because operations defaults to all operations.

The following examples apply to the @authentication directive, and also any rules within an @authorization directive.

Examples

Query

For a simple query, rules with READ in the operations will be evaluated for any type being read:

query {
    movies {     # READ ON OBJECT Movie
        title    # READ ON FIELD_DEFINITION Movie.title
        actors { # READ ON OBJECT Actor
            name # READ ON FIELD_DEFINITION Actor.name
        }
    }
}

Mutation

For create Mutations, CREATE rules on the object will be evaluated for each node created, as well as field definition rules:

mutation {
    createMovies(input: [
        {                       # CREATE ON OBJECT Movie
            title: "The Matrix" # CREATE ON FIELD_DEFINITION Movie.title
        }
    ]) {
        movies {                # READ ON OBJECT Movie
            title               # READ ON FIELD_DEFINITION Movie.title
        }
    }
}

For single delete Mutations, rules with DELETE on the object will be evaluated:

mutation {
    deleteMovies(where: { title: "The Matrix" }) { # DELETE ON OBJECT Movie
        nodesDeleted
    }
}

For delete Mutations with nested delete operations, rules with operation DELETE will be evaluated:

mutation {
    deleteMovies(                                                  # DELETE ON OBJECT Movie
        where: { title: "The Matrix" }
        delete: { actors: { where: { node: { name: "Keanu" } } } } # DELETE ON OBJECT Actor
    ) {
        nodesDeleted
    }
}

For a complex update Mutation with many effects, a variety of rules will be evaluated, as well as READ rules for the selection set:

mutation {
    updateMovies(
        where: { title: "The Matrix" }
        connect: { actors: { where: { node: { name: "Keanu" } } } } # CONNECT ON OBJECT Actor and Movie
        update: {                                                   # UPDATE ON OBJECT Movie
            title: "Speed"                                          # UPDATE ON FIELD_DEFINITION Movie.title
        }
    ) {
        movies {                                                    # READ ON OBJECT Movie
            title                                                   # READ ON FIELD_DEFINITION Movie.title
            actors {                                                # READ ON OBJECT Actor
                name                                                # READ ON FIELD_DEFINITION Actor.name
            }
        }
    }
}

Subscription

For a simple Subscription to creation events, both SUBSCRIBE and READ operations trigger rules:

subscription {
    movieCreated {     # SUBSCRIBE ON OBJECT Movie
        createdMovie { # READ ON OBJECT Movie
            title      # READ ON FIELD_DEFINITION Movie.title
        }
    }
}

For a more complex Subscription to relationship events, both SUBSCRIBE is an operation, as well as READ to all relevant types:

subscription {
    movieRelationshipCreated { # SUBSCRIBE ON OBJECT Movie
        movie {                # READ ON OBJECT Movie
            title              # READ ON FIELD_DEFINITION Movie.title
        }
        createdRelationship {
            actors {
                node {         # READ ON OBJECT Actor
                    name       # READ ON FIELD_DEFINITION Actor.name
                }
            }
        }
    }
}