Tag: Authorization

  • Allow login mutation to be public when the endpoint is fully restricted

    If you’ve configured your WPGraphQL settings to “Limit the execution of GraphQL operations to authenticated requests”, this will block all root operations unless the user making the request is already authenticated.

    If you’re using a GraphQL mutation to authenticate, such as the one provided by WPGraphQL JWT Authentication, you might want to allow the login mutation to still be executable by public users, even if the rest of the API is restricted.

    This snippet adds the login mutation to the allow-list, so it stays executable by public users while all other root operations remain restricted.

    add_filter(
      'graphql_require_authentication_allowed_fields',
      function( $allowed ) {
        // Keep the login mutation executable for unauthenticated requests.
        $allowed[] = 'login';
        return $allowed;
      },
      10,
      1
    );
  • Make all Users Public

    The following snippets allow users with no published content to appear in public (non-authenticated) WPGraphQL query results. Note that setting the visibility to `public` lifts the model-level restriction for these users entirely rather than for a chosen set of fields, so confirm that is the exposure you intend.

    For a more detailed write-up, read the blog post: Allowing WPGraphQL to show unpublished authors in User Queries

    add_filter( 'graphql_connection_query_args', function( $query_args, $connection_resolver ) {

      // Only touch user connections; leave other connection resolvers alone.
      if ( $connection_resolver instanceof \WPGraphQL\Data\Connection\UserConnectionResolver ) {
        // Drop the default restriction to users with published posts.
        unset( $query_args['has_published_posts'] );
      }

      return $query_args;

    }, 10, 2 );

    add_filter( 'graphql_object_visibility', function( $visibility, $model_name, $data, $owner, $current_user ) {

      // Only apply our adjustments to the UserObject Model.
      if ( 'UserObject' === $model_name ) {
        $visibility = 'public';
      }

      return $visibility;

    }, 10, 5 );
  • Showing Post Type labels in public queries

    WPGraphQL respects WordPress core access control rights. This means that data that is only available to authenticated users in the WordPress admin is only available to authenticated users making GraphQL requests.

    Sometimes, you want to expose fields that are restricted by default.

    Take the Post Type Label field, for example.

    Querying for the label of a Post Type as a public user returns a null value by default:

    [Screenshot: a query for ContentTypes and their label, showing a null value for the label.]

    With the following snippet, you can expose the label field to public users:

    add_filter( 'graphql_allowed_fields_on_restricted_type', function( $allowed_restricted_fields, $model_name, $data, $visibility, $owner, $current_user ) {

      // Only widen the PostTypeObject model; other models keep their defaults.
      if ( 'PostTypeObject' === $model_name ) {
        $allowed_restricted_fields[] = 'label';
      }

      return $allowed_restricted_fields;

    }, 10, 6 );

    Below is the same query, now showing the label values to public users.

    [Screenshot: a query for ContentTypes and their label, showing the label values returned to public users.]
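    The snippet above extends the allow-list for one model and one field. As an added example (not code from the WPGraphQL project or from the snippets on this page), the same filter can be driven by an explicit per-model allow-list, which keeps the exposed surface reviewable in one place. `PostTypeObject` and `label` come from the snippet above; the `UserObject` field names and the helper name `wpgql_merge_public_fields` are assumptions for illustration and should be checked against your schema.

```php
<?php
/**
 * Added example: an explicit per-model allow-list of fields that may resolve for
 * anonymous requests while the model itself stays 'restricted'. Field names other
 * than 'label' on 'PostTypeObject' are assumptions; verify them against your schema.
 */
const WPGQL_PUBLIC_FIELD_ALLOWLIST = [
    'PostTypeObject' => [ 'label' ],
    'UserObject'     => [ 'name', 'slug' ], // assumed field names
];

/**
 * Merge the allow-listed fields for $model_name into the list WPGraphQL already
 * permits. Models that are not listed are returned untouched, so nothing is
 * widened by accident.
 */
function wpgql_merge_public_fields( array $allowed_restricted_fields, string $model_name ): array {
    if ( ! isset( WPGQL_PUBLIC_FIELD_ALLOWLIST[ $model_name ] ) ) {
        return $allowed_restricted_fields;
    }

    $merged = array_merge( $allowed_restricted_fields, WPGQL_PUBLIC_FIELD_ALLOWLIST[ $model_name ] );

    // De-duplicate in case WPGraphQL already permits one of the listed fields.
    return array_values( array_unique( $merged ) );
}

add_filter(
    'graphql_allowed_fields_on_restricted_type',
    function ( $allowed_restricted_fields, $model_name, $data, $visibility, $owner, $current_user ) {
        // Runs when WPGraphQL resolves a model in restricted mode; the model's
        // visibility is left as-is, only the permitted fields are extended.
        return wpgql_merge_public_fields( (array) $allowed_restricted_fields, $model_name );
    },
    10,
    6
);
```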
  • Making Menus and Menu Items public

    By default, Menus and Menu Items that are not assigned to a Menu Location are considered private, meaning they are not exposed in non-authenticated WPGraphQL Queries.

    If you want to expose Menus and Menu Items that are not assigned to menu locations to public GraphQL Queries, you can use the following snippet:

    add_filter( 'graphql_data_is_private', function( $is_private, $model_name, $data, $visibility, $owner, $current_user ) {

      // Treat Menus and Menu Items as not private, whether or not they are
      // assigned to a menu location.
      if ( 'MenuObject' === $model_name || 'MenuItemObject' === $model_name ) {
        return false;
      }

      return $is_private;

    }, 10, 6 );