Skip to main content

hasScope

Requires the user to have a specific permission scope on a resource Uses Keycloak UMA 2.0 for fine-grained authorization

Two modes of operation:

  1. Argument mode (default): Extracts resource ID from GraphQL arguments (for mutations/queries)
  2. Field mode (fromParent=true): Extracts resource ID from parent object (for field-level permissions)
directive @hasScope(
resource: String!
scope: String!
resourceType: ResourceType!
fromParent: Boolean = false
) on FIELD_DEFINITION

Arguments

hasScope.resource ● String! non-null scalar

The resource ID source:

  • In argument mode: The argument path (e.g., "id", "input.strategyID")
  • In field mode: The field name on parent object (e.g., "strategyID")

hasScope.scope ● String! non-null scalar

The permission scope to check (e.g., "edit", "delete", "view", "backtest")

hasScope.resourceType ● ResourceType! non-null enum

Resource type for O(1) lookup. Required for proper permission checking.

hasScope.fromParent ● Boolean scalar

If true, extract resource ID from parent object's field instead of arguments. Use this for field-level permissions on types (e.g., Backtest.result checking Strategy permission)