Hi there,
I’ve spent quite a bit of time trying to figuring out why I couldn’t connect to a table without having update rights on it. My use case is the following one:
I’ve got a Countries and Addresses tables.
-
Countries entries aren’t supposed to be updated by anyone (almost). It’s a basic table to which many tables are linked to.
-
Anyone can create an Address entry and set a reference to a country by updating the entry and connecting the country.
Problem is, I need to put an “Update” access to everyone but with custom field settings that put every field to “Read”. So no update possible. (I understand that in the background the update access is there to allow the relationship fields to be updated I guess).
I don’t know, it didn’t feel natural.
Am I doing things the wrong way?
2 Likes
Hey @gahabeen - yes this is something that we need to make clearer.
You need an Update permission on a table to build connections. Though if you don’t want someone to be able to update any fields on the table, you then need to go into fields and make them all read only.
In our next iteration of roles and permissions, we’ll be adding in relationship specific roles (i.e. permissions to Connect/Create/Reconnect/Disconnect/Update)
3 Likes
Hello @sebastian.scholl!
I have the pretty same issue. In my case, I have to store “win” and connect it to “game” and “prize” which are read-only. “games” and “prizes” tables have other relations which should not be updatable.
Example of my mutation:
mutation($gameId: ID!, $prizeId: ID!, $userId: ID!) {
winCreate(
data: {
game: { connect: { id: $gameId }},
prize: { connect: { id: $prizeId }},
user: {connect: { id: $userId }}
…
I found your recommendation and hacked it this way:
Though if you don’t want someone to be able to update any fields on the table, you then need to go into fields and make them all read-only.
But it’s really not very secure in my case, because as I already mentioned I need only one relation to be updatable.
Is there any progress with this issue or maybe you could give me a hint on how I could solve this?
Thank you
Hi there! We’ve been working on this yet do not have a release yet.
For what you’re describing, where does the perceived security threat come into play? I want to make sure I fully understand the issue before I suggest the solution!
@sebastian.scholl thank you for your reply! Look:
- I have a “games” table with the next relations: “lottery”, “prizes”, “wins”;
- I allowed to be updatable “games” table and disable to be updatable all fields in this table;
- While I can’t control relation fields than “lottery”, “prizes”, “wins” are editable;
- But I need only “wins” to be updateable and only connect so the user can only attach new wins to the game;
- So “lottery”, “prizes” relation fields can be updated and it looks not really secure.
@sebastian.scholl please, notify me when it will be released , thank you!