Model Layer

Controlling access control to data objects


In version 0.3.0 we introduced a new "Model Layer" to handle access control for all of the data that can be accessed through WP-GraphQL.

Concept

The idea for this new feature came about from the many issues we had open to address security concerns from exposing some pieces of data publicly that shouldn't have been exposed. The model layer provides a central place to make decisions on whether or not a piece of data should be public, private, or restricted.

Visibility States

The model layer introduces three different states of visibility for a piece of data.

  • Public: All fields on the object are accessible without authentication.
  • Restricted: The consumer does not have the proper capabilities to view all of the fields on the object, the object will be considered restricted, and will only return the "Allowed restricted fields" for the object.
  • Private: The consumer does not have the proper capabilities to know this object even exists. The object itself will return a null value.

You can also query the isRestricted field on modeled objects which will return a bool value to let the consumer know if the fields are being restricted or not.

Avatar

All fields are public by default.


Comment

Restricted

If the consumer does not have the moderate_comments capability, the object is considered restricted. The following fields are still public in a restricted state:

  • ID
  • commentId
  • contentRendered
  • date
  • dateGmt
  • karma
  • type
  • commentedOnId
  • approved
  • isRestricted

Private

If the comment is not approved, and the consumer does not have the moder_comments capability, the object will be considered private.


CommentAuthor

All fields are public by default.


All fields are public by default.


All fields are public by default.


Plugin

Private

Plugin objects are considered private unless the consumer has the update_plugins capability.


Post

Public

Posts are only considered fully public if:

  • They are in the "publish" status
  • They are in the "attachment" post-type
  • The consumer has the proper permissions to view the object

Restricted

Post objects are considered restricted under the following conditions:

  • The post has a password on it, and the consumer doesn't have the edit_others_posts capability for the post-type The following fields are still public in a restricted state:
  • id
  • titleRendered
  • slug
  • post_type
  • status
  • isRestricted

Private

Post object are considered private under the following conditions:

  • The post has a status of "private" and the consumer does not have the read_private_posts capability for the post-type
  • The post has a status of "draft" and the consumer does not have the edit_posts capability for the post-type
  • The post has a status of revision or auto-draft and either isn't the owner of the parent post object, or doesn't have the edit_others_posts capability
  • The post has a status of anything other than publish, and the consumer doesn't have the edit_posts capability for the post-type

PostType

Restricted

A PostType object is considered restricted by default, unless the consumer has the edit_posts capability for the post-type. The following fields are still public when the object is in a restricted state:

  • id
  • name
  • description
  • hierarchical
  • slug
  • taxonomies
  • graphqlSingleName
  • graphqlPluralName
  • showInGraphql

Private

A PostType object is considered private when the public argument is set to false, and the consumer does not have the edit_posts capability for the post-type.


Taxonomy

Restricted

A Taxonomy object is considered restricted by default, unless the consumer has the edit_terms capability for the taxonomy. The following fields are still public when the object is in a restricted state:

  • id
  • name
  • description
  • hierarchical
  • restBase
  • graphqlSingleName
  • graphqlPluralName
  • showInGraphql
  • connectedPostTypeNames

Private

A Taxonomy object is considered private when the public argument is set to false, and the consumer does not have the edit_terms capability for the taxonomy.


Term

All fields are public by default.


Theme

Private

All theme objects are considered private unless it's the current active theme, or the consumer has the edit_themes capability.


User

Restricted

All user objects are considered restricted unless the consumer has the list_users capability. The following fields are still public when the object is in a restricted state:

  • isRestricted
  • id
  • userId
  • name
  • firstName
  • lastName
  • description
  • slug

Private

A user object is considered private when the user has no published posts, and the consumer doesn't have the list_users capability.


UserRole

Private

The userRole object is considered private when a consumer doesn't have the listt_users capability, and is trying to query roles other than the ones connected to the current user.

Edit on GitHub