Introducing a dedicated permission per each search API index so query… #33
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ing certain indexes can be limited on per-role basis.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We have been using this module pretty successfully. In fact, it helps us expose 3 search API indexes over GraphQL api for our front end JS code.
However, only 2 of those 3 indexes are supposed to be public and the third may not be freely given access to. So we need some kind of per-index/per-role granularity there. This PR seeks to achieve this goal.
First of all, it introduces a dedicated permission per each Search API index that implies granting access to query it over graphql api. And then it adjusts the logic in the SearchApiSearch PHP class so it actively queries index for access before proceeding further. I made the access check to go via
$index->access()so other modules, in case they have any opinion may provide their own access logic (in case just a plain permission per index is not enough).:) I've tested it and works like a charm for us :) The only thing is that apparently breaks the backwards compatibility since now users need an explicit extra permission and before the access was simply implied there. But maybe introducing a global 'execute graphql requests on search api indexes' + an update hook that will grant this permission to all roles is enough to catch up on the backwards compatibility? :)