GraphQLquery~30 mins

Role-based access control in GraphQL - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Role-based Access Control with GraphQL

📖 Scenario: You are building a simple user management system where users have roles like admin, editor, and viewer. Each role has different permissions to access user data.

🎯 Goal: Create a GraphQL schema that defines users with roles and implements role-based access control to restrict data access based on the user's role.

📋 What You'll Learn

Define a User type with fields id, name, and role.

Create a query users that returns a list of users.

Add a variable currentUserRole to simulate the role of the user making the request.

Implement role-based access control so that only admin users can see all users, editor users can see users with role viewer, and viewer users can only see their own data.

💡 Why This Matters

🌍 Real World

Role-based access control is essential in real-world applications to protect sensitive data and ensure users only see what they are allowed to.

💼 Career

Understanding how to implement role-based access control in GraphQL is valuable for backend developers working on secure APIs.

Progress0 / 4 steps

Define the User type and initial data

Create a GraphQL type called User with fields id (ID!), name (String!), and role (String!). Then create a list called users with these exact entries: { id: "1", name: "Alice", role: "admin" }, { id: "2", name: "Bob", role: "editor" }, { id: "3", name: "Charlie", role: "viewer" }.

GraphQL

# Define User type and users list
# Your code here

Hint

Start by defining the User type with the required fields. Then create the users list with the exact user objects.

Add currentUserRole variable

Add a variable called currentUserRole and set it to the string "editor" to simulate the role of the user making the request.

GraphQL

type User {
  id: ID!
  name: String!
  role: String!
}

const users = [
  { id: "1", name: "Alice", role: "admin" },
  { id: "2", name: "Bob", role: "editor" },
  { id: "3", name: "Charlie", role: "viewer" }
];

# Add currentUserRole variable here
# Your code here

Hint

Just add a constant variable named currentUserRole and assign it the string "editor".

Create users query with role-based filtering

Create a query called users that returns a list of User. Implement role-based access control inside the resolver function so that: if currentUserRole is "admin", return all users; if currentUserRole is "editor", return only users with role "viewer"; if currentUserRole is "viewer", return only the user with id "3".

GraphQL

type User {
  id: ID!
  name: String!
  role: String!
}

const users = [
  { id: "1", name: "Alice", role: "admin" },
  { id: "2", name: "Bob", role: "editor" },
  { id: "3", name: "Charlie", role: "viewer" }
];

const currentUserRole = "editor";

const resolvers = {
  Query: {
    users: () => {
      # Your code here
    }
  }
};

Hint

Use if statements to check currentUserRole and return filtered user lists accordingly.

Add GraphQL schema with Query type

Add a Query type to the GraphQL schema with a field users that returns a list of User. Combine all previous code into a complete schema and resolver setup.

GraphQL

type User {
  id: ID!
  name: String!
  role: String!
}

type Query {
  # Add users field here
}

const users = [
  { id: "1", name: "Alice", role: "admin" },
  { id: "2", name: "Bob", role: "editor" },
  { id: "3", name: "Charlie", role: "viewer" }
];

const currentUserRole = "editor";

const resolvers = {
  Query: {
    users: () => {
      if (currentUserRole === "admin") {
        return users;
      } else if (currentUserRole === "editor") {
        return users.filter(user => user.role === "viewer");
      } else if (currentUserRole === "viewer") {
        return users.filter(user => user.id === "3");
      } else {
        return [];
      }
    }
  }
};

Hint

Define the Query type with a users field that returns a list of User objects.