The right way to protect and filter information #523
Sounds like you want to hammer that out in the backend to ensure you cannot fetch non-related info from the frontend. In Onesila.com we wanted to ensure all information is attached to an owner, which in this case is company. To do this, we auto-filter on company and every mutation will auto-assign a new entry to company via the backend. This way all information is safe as the filtering doesn't happen in the frontend and therefore cannot be fiddled with. For queries, this was done with a custom node: For the mutations, this was done with custom Create, Update and Delete mutations by subclassing the original mutations. This approach does assume that the user-model is reachable through the patient-model as it's the logged-in user that will determine which data is shown. The example I linked here has a slightly different structure as we have users and multi-tenant-owners since it's a SaaS application. But it sounds like the code from OneSila can be easily adjusted to do what you want it to do.
Thank you for your reply, I will study it and try it in practice.
I've found one solution that works for me, but unfortunately it only works if filtering is present in the query. If there is no filtering, then it does not work and the person sees all the records.
You really want to go more upstream and filter it at the deepest level where you have access to both the data and the logged-in user. That's why in the linked project it's done on the actual query and mutation level.
One option here is to use the permissions extension: https://strawberry-graphql.github.io/strawberry-django/guide/permissions/ You can create a subclass of DjangoPermissionExtension and define your own logic on You can see in the
Hello, I can say that I am new to this issue and I would like to clarify how to implement such a design correctly:
There are 4 models available:
There are already entries in the BookingModel model:
query:
I do authorization of requests via strawberry-django-auth using the JWT token.
The essence of the gap is that if I make a request
then I get a list of all patients, including other doctors' patients, when I need to get only "my patients" (if I am logged in as doctor id 2, then I only have patients with id 4 and 5).
Of course, I can add filters like:
Then I really only get ids 4 and 5.
But what prevents me from faking the request? Through the browser developer console, I will see where the request is being sent and what the request is.
I'll copy and paste it, but instead of id 2, I'll specify id 1, and now I see all the records of the first doctor, which violates confidentiality.
Therefore, tell me, maybe I'm not doing it right or I'm confusing something.
PS: This is the first time I'm writing questions on GitHub, so I might not have written/framed the question correctly, I'm sorry.
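To make the gap in the question and the fix from the replies concrete, here is an added, framework-free Python sketch (not code from this issue, from strawberry-django, or from OneSila): the resolver that trusts a client-supplied `doctor_id` beside one that scopes the result by the authenticated user from the context, plus a create mutation that assigns the owner server-side. The in-memory `Patient`, `User` and `Context` classes and the sample data are constructed stand-ins for the Django models and `info.context.request.user`; in strawberry-django the scoped filter would live in the type's `get_queryset` hook or a permission extension, as the replies suggest.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data mirroring the issue: doctor 1 owns patients 1-3,
# doctor 2 owns patients 4 and 5. Hypothetical in-memory stand-ins for models.
@dataclass(frozen=True)
class Patient:
    id: int
    doctor_id: int

PATIENTS: List[Patient] = [Patient(1, 1), Patient(2, 1), Patient(3, 1),
                           Patient(4, 2), Patient(5, 2)]

@dataclass
class User:
    id: Optional[int]
    is_authenticated: bool = True  # Django's AnonymousUser reports False

@dataclass
class Context:
    user: User  # stand-in for info.context.request.user

def resolve_patients_unsafe(ctx: Context, doctor_id: int) -> List[Patient]:
    # Vulnerable pattern from the question: ownership comes from a client
    # argument, so replaying the query with another id leaks that doctor's data.
    return [p for p in PATIENTS if p.doctor_id == doctor_id]

def resolve_patients_scoped(ctx: Context,
                            doctor_id: Optional[int] = None) -> List[Patient]:
    # Hardened pattern from the replies: the owner is the logged-in user, and
    # the scoping is applied even when the client sends no filter at all.
    if not ctx.user.is_authenticated:
        return []
    owned = [p for p in PATIENTS if p.doctor_id == ctx.user.id]
    # Any client filter is applied after scoping, so it can only narrow
    # the result; asking for another doctor's id yields nothing, not a leak.
    if doctor_id is not None:
        owned = [p for p in owned if p.doctor_id == doctor_id]
    return owned

def scoped_ids(ctx: Context, doctor_id: Optional[int] = None) -> List[int]:
    return sorted(p.id for p in resolve_patients_scoped(ctx, doctor_id))

def create_patient(ctx: Context, new_id: int,
                   requested_doctor_id: Optional[int] = None) -> Patient:
    # Mutation side: the owner is assigned from the context; a client-supplied
    # owner id is ignored, so new rows cannot be attached to someone else.
    if not ctx.user.is_authenticated or ctx.user.id is None:
        raise PermissionError("authentication required")
    patient = Patient(new_id, ctx.user.id)
    PATIENTS.append(patient)
    return patient
```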