@scope directive #348

Closed
raderio opened this issue Aug 23, 2017 · 3 comments

raderio commented Aug 23, 2017

Please add a @scope directive to make it possible to mark what permissions/roles a user should have in order to be able to fetch data.
Example:

```graphql
type Post {
    id: ID
    comments: [Comment] @scope(authenticated)
}
```

wincent (Contributor) commented Aug 23, 2017

Thanks for this @raderio. I believe this is very much outside the scope (😆 ) of the GraphQL spec itself and is unlikely to make it into the core. It's certainly possible to build something like this in userspace, however, by extending the schema with your own directives and then augmenting your tooling to take the "according" actions (which will most likely be very implementation- and domain-specific).

In any case, if you'd like to lobby further on behalf of this idea, I'd suggest taking a look at this PR that tries to flesh out in more detail the (currently underspecified) process of how major changes should make it into the GraphQL spec.

As mentioned there, we want to start from a default position of favoring no change by asking these questions:

  1. Are we solving a real problem?
  2. Does this enable new use cases?
  3. How common is this use case?
  4. Can we enable it without a change to GraphQL?
  5. If so, just how awkward is it?

Clearly, access control is almost certainly a "real problem" (1) and a "common" one (3), but the bigger barriers to clear here are answering points (4) and (5).

raderio (Author) commented Aug 24, 2017

Yeah, it can be enabled without a change to GraphQL, but it is a very common one, so it would be better for it to be in core, I think.
Thanks.

@sibelius

this should be in user land

permissions are very specific for an application context
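
A sketch of the userland approach discussed in this thread, added here as an illustration; it is not code from the GraphQL project or from any commenter. It assumes a named directive argument (`@scope(requires: [...])`, a hypothetical name, since directive arguments in GraphQL must be named), a plain resolver map, and a `ctx.scopes` array set by the authentication layer; `collectScopes` and `protect` are hypothetical helpers.

```javascript
// Constructed SDL for this example; `requires` is an assumed argument name.
const SDL = `
directive @scope(requires: [String!]!) on FIELD_DEFINITION
type Post {
  id: ID
  comments: [Comment] @scope(requires: ["authenticated"])
}
type Comment {
  body: String
  authorEmail: String @scope(requires: ["authenticated", "admin"])
}`;

// Map "Type.field" -> required scopes (regex scan for this simple SDL, not the full grammar).
function collectScopes(sdl) {
  const rules = {};
  for (const [, type, body] of sdl.matchAll(/\btype\s+(\w+)\s*\{([^}]*)\}/g)) {
    const fieldRe = /(\w+)\s*:[^@\n]*@scope\(\s*requires:\s*\[([^\]]*)\]\s*\)/g;
    for (const [, field, list] of body.matchAll(fieldRe)) {
      rules[`${type}.${field}`] = [...list.matchAll(/"([^"]*)"/g)].map((m) => m[1]);
    }
  }
  return rules;
}

// Guard every scoped field, including ones with no explicit resolver that
// would otherwise fall through to an unguarded default property lookup.
function protect(resolvers, rules) {
  const out = {};
  for (const [type, fields] of Object.entries(resolvers)) out[type] = { ...fields };
  for (const [key, required] of Object.entries(rules)) {
    const [type, field] = key.split(".");
    out[type] = out[type] || {};
    const inner = out[type][field] || ((parent) => parent[field]);
    out[type][field] = (parent, args, ctx) => {
      // ctx.scopes is assumed to be set by the server's authentication layer.
      const granted = new Set((ctx && ctx.scopes) || []);
      const missing = required.filter((s) => !granted.has(s));
      // An empty requirement list is treated as a schema mistake and denied.
      if (required.length === 0 || missing.length > 0) {
        throw new Error(`Forbidden: ${key} requires [${required.join(", ")}]`);
      }
      return inner(parent, args, ctx);
    };
  }
  return out;
}

// Constructed resolver map: Comment.authorEmail deliberately has no resolver.
const resolvers = protect({ Post: { comments: (p) => p.comments } }, collectScopes(SDL));
```

Because the guard is derived from the schema rather than from the resolver map, a scoped field added to the SDL later is denied by default until a caller presents every required scope.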
