09-13-2019 12:29 PM
I've searched around different sites but I have not found a solution yet. I have this kind of schema:
type Friendship @relation(name: "FOLLOW") {
  from: User
  to: User
  timestamp: Int
}
type User {
  uuid: ID!
  email: String
  username: String
  password: String
  friendship: [Friendship]
}
or
type Post {
  uuid: ID!
  text: String
  created: DateTime
  modified: DateTime
  owner: User @relation(name: "HAS_POSTS", direction: "IN")
  reviews: [Review] @relation(name: "HAS_REVIEWS", direction: "OUT")
}
and I want to allow the edit of these nodes only by the author of the node. Is this possible somehow through Neo4j, or is this something achievable only through the app ACL?
Many thanks
Francesco
09-13-2019 02:46 PM
Hello Francesco,
At this time, the application would need to manage what data an end-user can edit.
In our next release of Neo4j (4.0), which will be available early next year, we are adding role-based access control, which will make it easier for applications to manage who accesses different parts of the graph.
Elaine
09-14-2019 04:56 AM
Hi,
Many thanks both! Yes, I read it but it is a bit different; my problem is not to create roles/scope but to define the ownership of the node and let only the owner edit this node...
09-16-2019 11:10 AM
One option would be to use @cypher schema directives to accomplish this. So for example, a mutation to delete all Posts authored by some User would look something like this:
type Mutation {
  # Delete every Post authored by the given user and return that user
  deletePostsByUser(userId: ID!): User @cypher(statement: """
    MATCH (u:User {id: $userId})-[:AUTHORED]->(p:Post)
    DETACH DELETE p
    RETURN u
  """)
}
If you are using some sort of auth middleware you can also inject the user-specific info (in this case the user id) into the Cypher query. See https://grandstack.io/docs/neo4j-graphql-js-middleware-authorization.html#cypher-parameters-from-con...
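An added example, not code from any poster in this thread, of the owner-only edit asked about above: the owner id comes from the `cypherParams` context key that neo4j-graphql-js exposes to Cypher as `$cypherParams`, never from a client argument, and a small schema check flags mutations that lack that scoping. Assumptions: the names `updateMyPost`, `currentUserId`, `buildContext` and `unscopedMutations` are hypothetical, and auth middleware is assumed to have verified the token and set `req.user.uuid`.

```javascript
// Added example; field and function names are hypothetical (see lead-in).
// Owner-scoped mutation for the thread's Post type: if the caller does not
// own the post, MATCH finds nothing, no property is set and null is returned.
const typeDefs = /* GraphQL */ `
  type Mutation {
    updateMyPost(uuid: ID!, text: String!): Post
      @cypher(
        statement: """
        MATCH (u:User {uuid: $cypherParams.currentUserId})-[:HAS_POSTS]->(p:Post {uuid: $uuid})
        SET p.text = $text, p.modified = datetime()
        RETURN p
        """
      )
  }
`;

// Per-request context. Assumes upstream auth middleware already verified the
// token and populated req.user.uuid; unauthenticated requests are rejected.
function buildContext(req, driver) {
  const id = req && req.user && req.user.uuid;
  if (typeof id !== "string" || id.length === 0) {
    throw new Error("unauthenticated");
  }
  // Only the verified identity is forwarded; nothing from req.body is trusted.
  return { driver, cypherParams: { currentUserId: id } };
}

// Schema check: names of @cypher fields whose statement never references the
// server-injected owner id, i.e. fields that would trust client arguments.
function unscopedMutations(sdl) {
  const field =
    /(\w+)\s*\([^)]*\)\s*:\s*[\w!\[\]]+\s*@cypher\(\s*statement:\s*"""([\s\S]*?)"""/g;
  const names = [];
  for (const m of sdl.matchAll(field)) {
    if (!m[2].includes("$cypherParams.currentUserId")) names.push(m[1]);
  }
  return names;
}
```

Pass `buildContext` as the server's context function so every resolver receives `cypherParams`, and run `unscopedMutations` over the schema in CI to catch write mutations that take the owner id as an argument.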