Permissions control access to your data. A request trying to execute a certain operation is only allowed if a matching permission is defined.
Whenever a request reads or modifies a field of a model, all available permissions are checked against the request. The operation is only executed if, for every field in question, there is at least one permission whose parameters match the request. Otherwise the request results in a permission error that is returned as the query response.
A model permission is associated with a list of fields of the given model. You can include as few as one or as many as all available fields in the permission.
Every model permission is associated with exactly one operation that can be one of the following.
A permission level describes the required minimum access level the session user needs to successfully perform a certain operation:
- A user that is not authenticated is granted
- An authenticated user is additionally granted
The permission level is determined based on the session user token in the request header.
Note: this feature will roll out in the future.
A query-based permission is additionally associated with an arbitrary query that has access to certain predefined query parameters. The query associated with a query-based permission is executed when a matching request comes in, and the request is only granted permission if the response to that query contains at least one leaf node with a non-null field.
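The evaluation rules described above (at least one matching permission for every requested field, plus the non-null leaf test for query-based permissions), sketched as an added example; this is not the platform's own code. The operation labels, the `AUTHENTICATED` level name, the request parameters and the sample data are assumptions, and the session token is taken to be validated before `authenticated` is set.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional

LEVELS = {"EVERYONE": 0, "AUTHENTICATED": 1}  # "AUTHENTICATED" is an assumed name

@dataclass(frozen=True)
class Permission:
    operation: str                      # assumed operation label, e.g. "READ"
    fields: frozenset                   # model fields this permission covers
    level: str = "EVERYONE"             # minimum access level required
    query: Optional[Callable[[dict], Any]] = None  # permission query, if any

def has_non_null_leaf(node: Any) -> bool:
    """True if a response tree holds at least one leaf with a non-null value."""
    if isinstance(node, dict):
        return any(has_non_null_leaf(v) for v in node.values())
    if isinstance(node, list):
        return any(has_non_null_leaf(v) for v in node)
    return node is not None

def matches(p: Permission, operation: str, field: str,
            authenticated: bool, params: dict) -> bool:
    if p.operation != operation or field not in p.fields:
        return False
    if LEVELS["AUTHENTICATED" if authenticated else "EVERYONE"] < LEVELS[p.level]:
        return False
    # A query-based permission only counts if its query returns some data.
    return p.query is None or has_non_null_leaf(p.query(params))

def denied_fields(permissions, operation, fields, authenticated, params=None):
    """Requested fields that no permission covers; an empty list means allowed."""
    params = params or {}
    return [f for f in fields if not any(
        matches(p, operation, f, authenticated, params) for p in permissions)]

# Constructed sample data: one post and the id of its owner.
OWNERS = {"post1": "alice"}

def owner_query(params: dict) -> dict:
    """Stand-in permission query: returns the post only if the user owns it."""
    owner = OWNERS.get(params.get("node_id"))
    hit = owner is not None and owner == params.get("user_id")
    return {"allPosts": [{"id": params["node_id"]}] if hit else []}

PERMISSIONS = [
    Permission("READ", frozenset({"title", "body"})),
    Permission("READ", frozenset({"email"}), level="AUTHENTICATED"),
    Permission("UPDATE", frozenset({"title"}), "AUTHENTICATED", owner_query),
]
```

With no permissions defined, every requested field is denied, and a query that returns an empty list or only null values grants nothing.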
Permissions and user authentication
If you want to make use of the built-in user authentication system, you should make sure to set up your permissions so that
EVERYONE can call the
Otherwise, users can neither sign up nor log in to access your project data from within your application. To read more about user authentication, head over to the Simple API or the Relay API.