I am new to Graphql and some things still confuse me.
I am working on a project, similar to Todo List.
User may have multiple todo items, some of item's properties must be visible to owner only, some should be public.
So far I came up with two ideas:
1) First is to create two separate types, something like:
ToDoType {
id
name
complete
}
ToDoPrivateType {
id
name
complete
colorGroup
createdAt
...other private properties
}
And access
- ToDoType from root query user {...} and everywhere else, except
- viewer {...} where I will use ToDoPrivateType
It will work but looks a little like double-work,
plus if I retrieve todo lists from standard user root query I will not be able to pull private properties for user's own user.
2) I can also provide access to all properties and set to null properties to which a random user should not have access (like createdAt of other's users) but it also does not look right.
Hope what I am asking is not too confusing.
Do these approaches make sense?
Is there a better way to control access to some properties?
Thanks!
Related
In a to-do list where users have both system-created items and their own items, how would you store the items?
A to-do list can have a mix of items. The system-created items can be modified and deleted just like user-created items. There difference is the titles and description text for the system-created items are initially pulled from a configuration. Many users can have the same system-created items. E.g. if two users want to paint rooms in their houses, they'd both get "buy paint" items.
Option 1
Save the full system-created items (including the title & text) with the user-created items.
Pros: Flexibility for user modifications since the items belong to the user and are not dependent on a central item configuration.
Cons: Lots of redundancy because there will be many users all with the same items.
Option 2
Save references to a configuration for system-created items with the user-created items.
Pros: Flexibility for system modifications since if we want to say "buy X-brand paint" instead of "buy paint", the change is easily reflected for all users with this item.
Cons: System-created items have to persist forever in the configuration even if the item is no longer relevant for new to-do lists because otherwise the user's reference will be broken.
Other options?
Thank you!
My initial thought is - what is your requirement? Your user-flows and project road-map might contain information to inform your design.
From your question "system-created items can be modified and deleted just like user-created items":
This indicates that you are going to have to have a way to track modifications to your 'system-created' templates per user or convert them to 'user-created' messages when they are edited.
This is more complexity than you seem to need
It seems much simpler to create messages from system templates, then have them be regular messages.
A bit of extra storage is not going to break the bank
You have not mentioned any case where you would need to operate over only system-created to-do's. But in this case, you could include created-by metadata.
I think the key here is whether you need to be able to modify a "system todo", and that change to be reflected in all the "user todos"...
If that's a requirement (it sounds sensible to me), your only option is Option 2 - the real con of Option 1 is once you copied the "system todo" as a "user todo", you cannot tell anymore whether they're related...
I'd go for a model similar to this, with 2 entities/tables:
ToDoTemplate
Integer id
String name
String description
ToDoItem
Integer id
ToDoTemplate template
Boolean completed = false
?String name = null
?String description = null
When you create a ToDoItem, you create it based on a ToDoTemplate (it may be a blank template), and you set the name and description as null, reusing the template name/description... Only if the user modifies their own ToDoItem is when you store that value... i.e.
String getName() {
return this.name != null ? this.name : this.template.name;
}
This is the most flexible of the approaches, and the only valid in many situations... Note the con you mention:
Cons: System-created items have to persist forever in the configuration even if the item is no longer relevant for new to-do lists because otherwise the user's reference will be broken.
This is not a con really - as long as there's one ToDoItem that uses a given ToDoTemplate, the template is still relevant, and of course there's no reason to remove it...
Apologies in advance, I'm new to relay and not sure I've got all the terminology here right...
I have a (simplified) graph that looks like:
customer {
summary(id: "ABC123") {
records { // This is an array of Record
tag
}
}
}
Customer, Summary and Record are all objects with global IDs - they show up as records in the Relay DevTools inspector.
I have a mutation that removes a tag by name (from elsewhere in the graph - not shown), from which I need to update the customer summary object to remove the record with associated tag. I have tried two approaches and not gotten very far with either:
Re-request customer.summary as part of the mutation. The problem is I don't know what the ID is at that point. (Maybe I can thread it through some how, but that would be messy.) Also doesn't really solve the problem, since I'd like to do this optimistically.
In an optimistic updater, remove any tag record that matches. This seems like it should work, but the RecordProxy doesn't appear to have a rich enough API to enable me to do this.
First approach, I can't seem to get access to the summary record via the root:
const customer = store.getRoot().getLinkedRecord('customer') // works!
customer.getLinkedRecord("summary") // undefined
customer.getLinkedRecord("summary", {id: "ABC123"}) // undefined
Second approach, if I could ask the store for "all records of type" or even "all records" I could iterate through and find the one I need to edit, but this doesn't seem to be a method that's exposed (even though Relay DevTools must be doing it somehow).
Good afternoon,
Please let me know if this question is not clear enough, I'll try my best to make as straight-forward as possible.
How can I add access control to objects that are generated by an end-user using my data object?
Example: I have a class that extends a DataObject. Someone logs in the back-end; fills out the form that's generated by the CMS for the data object. A record is then created in the database by the CMS.
I would like to add an access control to that newly created record in the database.
For a code scenario you can take a look at one of my posts: Silverstripe 3 - Unable to implement controller access security from CMS
The only other way I can think of asking this question is: How to Dynamically (or programmatically) create permissions for records that are created by a DataObject extension via the CMS?
Thanks for your assistance.
Update - Sample Code
///>snippet, note it also has a Manager class that extends ModelAdmin which manages this!
class component extends DataObject implements PermissionProvider{
public static $db = array(
'Title' => 'Varchar',
'Description' => 'Text',
'Status' => "Enum('Hidden, Published', 'Hidden')",
'Weight' => 'Int'
);
///All the regular permission checks (overrides), for the interface goes here, etc...
///That is: canView, canDelete, canEdit, canCreate, providePermissions
}
Now, from the back-end an end-user can add components using the Manager Interface that's generated by extending ModelAdmin. How can I add individual permissions to those added components by the end-user?
Thanks.
Update 2
Example: Add Process Data Object that extends ModelAdmin will give you this in the back end
Then, when you click on the generated 'Add Process' button, you'll get this:
Finally, someone fills out the form and clicks on the 'Create' button, which saves the data in the database. That looks like this:
Now, on that record thats created in MySQL I'd like to add granular permissions to that record. Meaning, for every record created I want to be able to Deny/Allow access to it via a Group/Individual, etc.
Is that even possible with the SilverStripe framework? Thanks.
Implement the functions canView, canEdit, canDelete, and/or canCreate on your DataObject.
Each function will return true or false depending on the conditions you set - any conditions, not just what is defined in the CMS.
See the example code on the tutorial site.
I have extended a ListGrid to create a list of saved searches grouped by type of search, whether public or private. This list is populated through a standard SmartGWT datasource.
In addition, I would like to add to this list a grouping of historical searches, that would be available to a user as they create searches on a session-by-session basis (IE. a user creates a new search - until they close the browser, that search will display in the search list, under the grouping 'Historical Searches').
Long story short, I would like to be able to populate the ListGrid from two separate sources - from the already existing datasource and ideally from a RecordList saved in memory. I tried something similar to this:
#Override
public void fetchData() {
invalidateCache();
discardAllEdits();
super.fetchData();
setCanEdit(true);
for(Record r : histSearches.toArray()) {
startEditingNew(r);
endEditing();
}
setCanEdit(false);
markForRedraw();
};
While this code does get executed, it does not in any way perform the functionality that I'm hoping for it to do. Does anybody have any suggestions on how to perform this functionality? Any help would be greatly appreciated.
If you call DataSource.fetchData(), in the callback you can get the selected data as a RecordList. You can then add your per-session searches via recordList.add(), and provide the modified RecordList to a ListGrid via setData().
By the way, there is also an article on the public wiki showing a sample implementation of saved search (though different from what you want):
http://wiki.smartclient.com/display/Main/Saved+Search+%28Smart+GWT%29
How do I send two users coming from different company domains to different SQL databases to retrieve/store data? I use Application variables to store the connection strings and the Request.ServerVariables("LOGON_USER") variable is an effective way to get the domain name. Is the GLOBAL.AsA file to be modified? The table names are exactly the same in both databases, so I think changing the connection strings based on the user domain should do the trick.
User A with domain ABC --> Application("ConnecttoDB") send to database A
User B with domain XYZ --> Application("ConnecttoDB") send to database B
I have roughly 900+ classic ASP pages so I would really hate to add a bunch of IF-THEN's to choose the correct database in each page. All ideas are greatly appreciated!
UPDATE: To make things simple I'm envisioning one single Application variable (i.e.: ConnecttoDB) However, wouldn't its value be constantly changing every time a different user gets access and altering page results?
You can't use an Application variable since that's shared across all users. This would be a race condition. Instead you'll need to use the Session object to store the connection and then use that whenever you need to connect to the DB.
myDB=Server.CreateObject("ADODB.Connection")
StrConn = Session("ConnecttoDB")
myDB.Open StrConn
Here's one way of doing it:
I'm guessing that your classes for your web page codebehind files inheit the Page class. Create a new class file in your ASP.net project that inherits Page. Call it JorgePage. Then, make your codebehind file classes inherit JorgePage.
In JorgePage, write two functions:
private string getUsersDomain()
{
// returns the user's domain
}
protected string getUsersConnectionString()
{
switch (getUsersDomain().ToUpper())
{
case "ABC":
return Application("ConnecttoDB_ABC");
break;
case "xYZ":
return Application("ConnecttoDB_XYZ");
break;
}
}
Now, the function getUsersConnectionString() is available in the context of all your pages and returns the correct connection string. Furthermore, you have the code in only one place, so if you need to change the logic later, you can do so easily.
Given that you're using classic ASP, you can define a function to return the appropriate connection string in another .asp file and use the #include directive to add it to all your pages.