Fine-grain GraphQL permissions that only allow getting single entry via ID or UID.

[stuible]

I have a public GraphQL Schema and I want it to be possible to request a single entry if you know it's UID. I do not, however, want to allow anyone to query the db and receive a list of every single entry. More fine grain permissions that allow for this use-case would be incredible.

[andris-sevcenko]

We'll be getting around to tuning the GQL permission things, but that's unlikely to happen in 4.0 and will have to be 4.1 at least.

Meanwhile, you can employ a dirty hack - use the EVENT_REGISTER_GQL_QUERIES event to take advantage of the fact that Craft registers its own queries first, go through the existing queries in the event handler, and just doctor the available arguments for the entries and entry queries.

[stuible]

Thank you for taking the time to answer! However, how would I apply this to only one section? It doesn't seem possible through the RegisterGqlQueriesEvent $event. I wouldn't want to disable listing entries for all entry types, but only for a single entry type. Any guidance would be appreciated.

[stuible]

@andris-sevcenko I have made a few attempts at this but still couldn't grawk how I might use that event to block listing of entries for one entry type in GraphQL.

[andris-sevcenko]

@stuible If you want to remove listing entries altogether, you would use the event mentioned above to remove the entries query.

I wouldn't want to disable listing entries for all entry types, but only for a single entry type. Any guidance would be appreciated.

This is trickier. You would want to overwrite the resolver for the entries query using that event. So, something like

use craft\elements\db\ElementQuery;
use craft\events\RegisterGqlQueriesEvent;
use craft\gql\resolvers\elements\Entry as EntryResolver;
use craft\helpers\Gql as GqlHelper;
use craft\services\Gql;
use GraphQL\Type\Definition\ResolveInfo;
use yii\base\Event;

Event::on(
    Gql::class,
    Gql::EVENT_REGISTER_GQL_QUERIES,
    function(RegisterGqlQueriesEvent $event) {
        $event->queries['entries']['resolve'] = function ($source, array $arguments, $context, ResolveInfo $resolveInfo) {
            $query = EntryResolver::prepareElementQuery($source, $arguments, $context, $resolveInfo);

            // Make sure the query can't select the type ID we really, really don't like.
            if ($query instanceof ElementQuery) {
                $query->andWhere(['not', ['entries.typeId' => $notThisType]]);
            }

            return GqlHelper::applyDirectives($source, $resolveInfo, $value);
        }
    }
);

FTR, that's a very specific case and I doubt Craft would ever accommodate that out of the box.