Permission

Permissions for administrators and customers. Used to control access to GraphQL resolvers via the Allow decorator.

Understanding Permission.Owner

Permission.Owner is a special permission used by some Vendure resolvers to indicate that the resolver should only be accessible to the “owner” of the resource it returns.

For example, the Shop API activeCustomer query resolver should only return the Customer object for the “owner” of that Customer, i.e. based on the activeUserId of the current session. As a result, the resolver code looks like this:

Example

@Query()
@Allow(Permission.Owner) // Owner: the guard lets the request through; ownership is enforced below
async activeCustomer(@Ctx() ctx: RequestContext): Promise<Customer | undefined> {
  // The Customer is looked up by the session's own user id, so a caller can
  // only ever receive their own record; no client-supplied id is trusted.
  const userId = ctx.activeUserId;
  if (userId) {
    return this.customerService.findOneByUserId(ctx, userId);
  }
  // No active user in the session: nothing is owned, so nothing is returned.
}

Here we can see that the “ownership” must be enforced by custom logic inside the resolver. Since “ownership” cannot be defined generally nor statically encoded at build-time, any resolvers using Permission.Owner must include logic to enforce that only the owner of the resource has access. If not, then it is the equivalent of using Permission.Public.
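The following is an added, self-contained example (not Vendure's own code) that models the point above. RequestContext, Customer and the in-memory customer list are simplified stand-ins constructed here, and the three function names are assumptions; the decorators are omitted so the block runs without the Vendure framework. It places the page's activeCustomer pattern beside a resolver that accepts a client-supplied id: one version forgets the ownership comparison (and therefore behaves like Permission.Public), the other performs it.

```typescript
// Added example, not Vendure's code: why a resolver annotated with
// @Allow(Permission.Owner) must enforce ownership itself.

// Simplified stand-in for Vendure's RequestContext (assumption).
interface RequestContext {
  activeUserId?: string; // set from the session; undefined for anonymous callers
}

// Simplified stand-in for the Customer entity (assumption).
interface Customer {
  id: string;
  userId: string; // the User that owns this Customer record
  emailAddress: string;
}

// Constructed sample data standing in for the database.
const customers: Customer[] = [
  { id: 'C1', userId: 'U1', emailAddress: 'alice@example.com' },
  { id: 'C2', userId: 'U2', emailAddress: 'bob@example.com' },
];

// Mirrors the activeCustomer resolver from the page: the resource is selected
// *by* the session's user id, so ownership holds by construction.
function activeCustomer(ctx: RequestContext): Customer | undefined {
  if (!ctx.activeUserId) {
    return undefined; // anonymous session: nothing is owned
  }
  return customers.find(c => c.userId === ctx.activeUserId);
}

// Anti-pattern: would be declared with Permission.Owner, but the resource is
// selected by a client-supplied id that is never compared with the session.
// Any caller can read any customer, which is exactly Permission.Public.
function customerByIdUnchecked(ctx: RequestContext, id: string): Customer | undefined {
  return customers.find(c => c.id === id);
}

// Corrected form: load the resource, then compare its owner with the session.
// "Not found" and "not yours" both return undefined, so the response does not
// reveal whether a given id exists.
function customerByIdOwned(ctx: RequestContext, id: string): Customer | undefined {
  if (!ctx.activeUserId) {
    return undefined; // anonymous session: cannot own anything
  }
  const customer = customers.find(c => c.id === id);
  if (!customer || customer.userId !== ctx.activeUserId) {
    return undefined; // missing, or owned by a different user
  }
  return customer;
}
```

The comparison to make when reviewing a Permission.Owner resolver is the one in customerByIdOwned: every path that returns the resource must have compared the resource's owner against ctx.activeUserId, not merely checked that an id was supplied.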

Signature

enum Permission {
  Authenticated = 'Authenticated',
  SuperAdmin = 'SuperAdmin',
  Owner = 'Owner',
  Public = 'Public',
  UpdateGlobalSettings = 'UpdateGlobalSettings',
  CreateCatalog = 'CreateCatalog',
  ReadCatalog = 'ReadCatalog',
  UpdateCatalog = 'UpdateCatalog',
  DeleteCatalog = 'DeleteCatalog',
  CreateSettings = 'CreateSettings',
  ReadSettings = 'ReadSettings',
  UpdateSettings = 'UpdateSettings',
  DeleteSettings = 'DeleteSettings',
  CreateAdministrator = 'CreateAdministrator',
  ReadAdministrator = 'ReadAdministrator',
  UpdateAdministrator = 'UpdateAdministrator',
  DeleteAdministrator = 'DeleteAdministrator',
  CreateAsset = 'CreateAsset',
  ReadAsset = 'ReadAsset',
  UpdateAsset = 'UpdateAsset',
  DeleteAsset = 'DeleteAsset',
  CreateChannel = 'CreateChannel',
  ReadChannel = 'ReadChannel',
  UpdateChannel = 'UpdateChannel',
  DeleteChannel = 'DeleteChannel',
  CreateCollection = 'CreateCollection',
  ReadCollection = 'ReadCollection',
  UpdateCollection = 'UpdateCollection',
  DeleteCollection = 'DeleteCollection',
  CreateCountry = 'CreateCountry',
  ReadCountry = 'ReadCountry',
  UpdateCountry = 'UpdateCountry',
  DeleteCountry = 'DeleteCountry',
  CreateCustomer = 'CreateCustomer',
  ReadCustomer = 'ReadCustomer',
  UpdateCustomer = 'UpdateCustomer',
  DeleteCustomer = 'DeleteCustomer',
  CreateCustomerGroup = 'CreateCustomerGroup',
  ReadCustomerGroup = 'ReadCustomerGroup',
  UpdateCustomerGroup = 'UpdateCustomerGroup',
  DeleteCustomerGroup = 'DeleteCustomerGroup',
  CreateFacet = 'CreateFacet',
  ReadFacet = 'ReadFacet',
  UpdateFacet = 'UpdateFacet',
  DeleteFacet = 'DeleteFacet',
  CreateOrder = 'CreateOrder',
  ReadOrder = 'ReadOrder',
  UpdateOrder = 'UpdateOrder',
  DeleteOrder = 'DeleteOrder',
  CreatePaymentMethod = 'CreatePaymentMethod',
  ReadPaymentMethod = 'ReadPaymentMethod',
  UpdatePaymentMethod = 'UpdatePaymentMethod',
  DeletePaymentMethod = 'DeletePaymentMethod',
  CreateProduct = 'CreateProduct',
  ReadProduct = 'ReadProduct',
  UpdateProduct = 'UpdateProduct',
  DeleteProduct = 'DeleteProduct',
  CreatePromotion = 'CreatePromotion',
  ReadPromotion = 'ReadPromotion',
  UpdatePromotion = 'UpdatePromotion',
  DeletePromotion = 'DeletePromotion',
  CreateShippingMethod = 'CreateShippingMethod',
  ReadShippingMethod = 'ReadShippingMethod',
  UpdateShippingMethod = 'UpdateShippingMethod',
  DeleteShippingMethod = 'DeleteShippingMethod',
  CreateTag = 'CreateTag',
  ReadTag = 'ReadTag',
  UpdateTag = 'UpdateTag',
  DeleteTag = 'DeleteTag',
  CreateTaxCategory = 'CreateTaxCategory',
  ReadTaxCategory = 'ReadTaxCategory',
  UpdateTaxCategory = 'UpdateTaxCategory',
  DeleteTaxCategory = 'DeleteTaxCategory',
  CreateTaxRate = 'CreateTaxRate',
  ReadTaxRate = 'ReadTaxRate',
  UpdateTaxRate = 'UpdateTaxRate',
  DeleteTaxRate = 'DeleteTaxRate',
  CreateSystem = 'CreateSystem',
  ReadSystem = 'ReadSystem',
  UpdateSystem = 'UpdateSystem',
  DeleteSystem = 'DeleteSystem',
  CreateZone = 'CreateZone',
  ReadZone = 'ReadZone',
  UpdateZone = 'UpdateZone',
  DeleteZone = 'DeleteZone',
}