Let's say I have a User type that contains the following fields:
type User {
name: String
username: String
someOtherField1: String
someOtherField2: String
someOtherField3: String
someOtherField4: String
creditCardNumber: String
}
If I am querying for myself, it's okay to return all fields, because the information is mine. So returning creditCardNumber to the client is no biggie. But if I am querying for someone else, I should only be able to access the public info on the returned user. Returning creditCardNumber would be terrible. And even if I don't code the query on the client to do so, what would prevent a malicious user from digging into the code, updating the client-side query to include creditCardNumber, and executing it?
What is the best way to achieve this level of field restriction across queries in GraphQL? My only thought on this so far is to create a separate UserSearch type, i.e.
type UserSearch {
name: String
username: String
someOtherField1: String
someOtherField2: String
someOtherField3: String
someOtherField4: String
}
which excludes the private fields, however this does not feel DRY as you'd be creating many types that are 90% similar in structure form each other.
Is there a cleaner way to implement this, that doesn't create unnecessary types or duplicate fields?
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 爷的心禁止访问 的文章《GraphQL: How to restrict fields server-side across》','https://www.manongdao.com/article-676557.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}