Is the use of visibility? sufficient for authorization?

[maltesa]

Hi there,

I want to use visibility? to hide parts of my Schema based on a user's role. My main question is:
Is that sufficient for authorization? Meaning: Is it safe to assume that a user can NOT run a query if it's invisible for her/him?

Background

There are two reason why I prefer visible? over authorized?:

1. I wish to hide parts of the schema the user is not allowed to use anyway.
2. Using authorized? requires nullabilty of the returned type. This is annoying for queries returning an array.

Example for 2.:
If the PostType implements the authorized?-classmethod, a query returning PostType needs to be nullable, otherwise I get an Cannot return null for non-nullable field Query.posts error. Hence, I have to do null checks in my frontend everywhere.

module Queries
  class PostsQuery < BaseQuery
    type [Types::PostType, { null: true }], null: false
    #                       ~~~~~~~~~~~~~~~

    def resolve
      Post.all
    end
  end
end

[rmosolgo]

Is it safe to assume that a user can NOT run a query if it's invisible for her/him?

Yes, that's a safe assumption. Under the hood, GraphQL-Ruby always filters the total set of types and fields into a limited set of visible types and fields. (When no visible? methods are implemented, the total set equals the limited set.) That limited set is then used for all of query execution.