Can I set Custom filters on Field level access in roles and permissions?


Is there anyway to filter a users read permissions based on some kind of criteria?
For example, we want people to be able to create comments and be able to ‘delete’ them, however in reality just hide the ‘content’ field, which would contain the text, from the API and keep the actual record. Ideally, this would work along the lines of read access being based on some kind of ‘deleted’ field being set too false.

Or any work around would be appreciated.


Hey! 100% can this be achieved using roles and permissions. I think though that I need some extra clarity around the exact use case or problem domain. Can you break it down a little further?

So the idea would be to have a Comment table, which represents for example a forum topic reply. This text for this reply is stored in a field called Content. We would like to be able to allow uses to ‘delete’ their Comments. This delete action however does not delete the record from our database, but instead set the Content field to be inaccessible. In that sense, if someone sets say a field called ‘deactivated’ to True, the Content field should no longer be accessible from other users.

This could look something like:

  deactivated: {
    equals: false

However this filter would apply to the Content field only, not the entire Record.

Another example of this is a Reaction table. We want to be able to allow users to create ‘reactions’ ie a Facebook Love reaction on posts, and we would do this as a nested create on the Post table. However, users are not able to update the Post table of another user - is there a way they can have access to the reactions field only?

Let me know if u need a bit more clarity, thanks for the support

Very cool. So I agree with you that the limitation here is in that the Custom Filters wouldn’t work for dynamically enabling/disabling the field level permission, but only the record level permission. Because of that, I think the approach would actually require a Custom Resolver (if you’re not comfortable simply having your frontend hide/show or use 2 different queries for the Content field based on the deactivated value.

With a Custom Resolver, you could then protect your API with two Roles (this is a hypothetical):

  1. “Author” Role: Can see their own Comments and the Content.
  2. “Reader” Role: Can only see Comments that are not Deactivated.

This would then make sure that a user cannot hit the API (with an API client) and get your deactivated records.

Then, you create a custom Resolver called, let’s say getCommentsWithDeactivated(...args) that does something like the following:

export default function (event, ctx) {
  // Get all comments bypassing the roles and permissions.
  const allComments = await ctx.gqlRequest(MY_COMMENTS_QUERY, { ...anyVars }, { checkPermissions: false})

  // Map your comments and remove the text on deactivated ones
  const scrubbedComments = => {
    if (item.deactivated) item.content = "Content Hidden";
    return item;

  // Return scrubbed comments
  return scrubbedComments;

Does this make sense? Definitely takes a little more work, but I think it could be the right approach to satisfying the requirement. LMK if it helps!

Dropping in Custom Resolver Docs aqui Resolvers - 8base Documentation