Defining custom permissions

Your plugin may define new queries and mutations that require new permissions specific to those operations. This can be done by creating PermissionDefinitions.

For example, let’s imagine you are creating a plugin which exposes a new mutation that can be used by remote services to sync your inventory. First of all we will define the new permission:

// sync-permission.ts
import { PermissionDefinition } from '@vendure/core';

export const sync = new PermissionDefinition({
  name: 'SyncInventory',
  description: 'Allows syncing stock levels via Admin API'
});

This permission can then be used in conjunction with the @Allow() decorator to limit access to the mutation:

// inventory-sync.resolver.ts
import { Allow } from '@vendure/core';
import { Mutation, Resolver } from '@nestjs/graphql';
import { sync } from './sync-permission';

@Resolver()
export class InventorySyncResolver {

  @Allow(sync.Permission)
  @Mutation()
  syncInventory() {
    // ...
  }
}

Finally, the sync PermissionDefinition must be passed into the VendureConfig so that Vendure knows about this new custom permission:

// inventory-sync.plugin.ts
import gql from 'graphql-tag';
import { VendurePlugin } from '@vendure/core';
import { InventorySyncResolver } from './inventory-sync.resolver';
import { sync } from './sync-permission';

@VendurePlugin({
  adminApiExtensions: {
    schema: gql`
      input InventoryDataInput {
        # omitted for brevity
      }

      extend type Mutation {
        syncInventory(input: InventoryDataInput!): Boolean!
      }
    `,
    resolvers: [InventorySyncResolver]
  },
  configuration: config => {
    config.authOptions.customPermissions.push(sync);
    return config;
  },
})
export class InventorySyncPlugin {}

On starting the Vendure server, this custom permission will now be visible in the Role detail view of the Admin UI, and can be assigned to Roles.

Custom CRUD permissions

Quite often your plugin will define a new entity on which you must perform create, read, update and delete (CRUD) operations. In this case, you can use the CrudPermissionDefinition, which simplifies the creation of the set of four CRUD permissions. See the docs for an example of usage.
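The following is an added, self-contained TypeScript model of the two mechanisms described on this page (a single custom permission guarding a mutation, and a CRUD definition expanding into four permissions); it is not Vendure's own code, and the names PermissionDef, buildCrud, isAllowed, Role and User are assumptions made for the illustration. It goes slightly beyond the page by showing the deny-by-default decision an @Allow()-style check makes against the roles a caller holds.

```typescript
// Added example, not Vendure's implementation: a simplified model of how a
// custom PermissionDefinition is named, how a CRUD definition expands, and
// how an @Allow()-style check decides access. All names here are assumptions.

interface PermissionDef { name: string; description: string }
interface Role { code: string; permissions: string[] }
interface User { identifier: string; roles: Role[] }

// The single custom permission from sync-permission.ts above.
export const syncPermission: PermissionDef = {
  name: 'SyncInventory',
  description: 'Allows syncing stock levels via Admin API',
};

// Expand one entity name into the Create/Read/Update/Delete set,
// mirroring what a CrudPermissionDefinition produces for that entity.
export function buildCrud(entity: string): PermissionDef[] {
  return ['Create', 'Read', 'Update', 'Delete'].map(op => ({
    name: `${op}${entity}`,
    description: `Grants permission to ${op.toLowerCase()} ${entity}`,
  }));
}

// Stand-in for config.authOptions.customPermissions in the plugin above.
export const customPermissions: PermissionDef[] = [syncPermission, ...buildCrud('Wishlist')];

// Deny-by-default check with @Allow() semantics: the caller passes when at
// least one required permission is granted by any of their roles. Rejecting
// unregistered names is this model's choice, so a typo in a decorator cannot
// silently pass or fail for the wrong reason.
export function isAllowed(required: string[], user: User): boolean {
  const known = new Set(customPermissions.map(p => p.name));
  for (const name of required) {
    if (!known.has(name)) throw new Error(`Unknown permission: ${name}`);
  }
  const held = new Set<string>();
  for (const role of user.roles) {
    for (const p of role.permissions) held.add(p);
  }
  return required.some(name => held.has(name));
}

// Constructed sample data: a service account whose role carries only the
// SyncInventory permission, and a viewer who can only read wishlists.
export const syncServiceUser: User = {
  identifier: 'sync-bot',
  roles: [{ code: 'inventory-sync', permissions: [syncPermission.name] }],
};
export const viewerUser: User = {
  identifier: 'viewer',
  roles: [{ code: 'viewer', permissions: ['ReadWishlist'] }],
};
```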