itelofilho, 9mo ago

Is it possible to perform attribute-based authorization after the .query?

I have a TRPC method, getStudentGradeById, that accepts the gradeId. I want to return the grade only if the student owns it. The current code is:

```ts
protectedProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(async ({ input: { gradeId }, ctx }) => {
    const grade = await prisma.grade.findById(gradeId)
    // Only the student who owns the grade may read it
    if (grade.studentId !== ctx.studentId) {
      throw new Error()
    }
    return grade
  })
```

I want something like:

```ts
protectedProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(() => prisma.grade.findById(gradeId))
  .use((ctx, result) => {
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })
```

I don't want to use the output because it would require me to write the output schema for each method. Additionally, I don't want to include any permission management within the .query. Is it possible to achieve this? Should I attempt to make the necessary changes and submit a pull request?
4 Replies
itelofilho (OP), 9mo ago
I don't see how it's related to my question...
BeBoRE, 9mo ago
Why not just return a TRPCError forbidden?
itelofilho (OP), 9mo ago
GitHub
feat: middleware after the .query · Issue #5575 · trpc/trpc
Describe the feature you'd like to request let's suppose that I have a TRPC method, getStudentGradeById, that accepts the gradeId. I want to return the grade only if the student owns it. I ...
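
One way to keep the ownership check out of the resolver body without a post-`.query` hook or an output schema, as an added example that is not part of the thread or of tRPC's own API: wrap the resolver so the check runs on its result before anything is returned. `ownedBy`, `checkOwner`, `ForbiddenError` (standing in for a `TRPCError` with code `FORBIDDEN`) and the in-memory `grades` map (standing in for the Prisma lookup) are hypothetical names and constructed data.

```typescript
// Stand-in for `new TRPCError({ code: "FORBIDDEN" })` so the example has no dependencies.
class ForbiddenError extends Error {
  code = "FORBIDDEN" as const;
}

type Ctx = { studentId: string };
type Opts<I> = { ctx: Ctx; input: I };
type Resolver<I, O> = (opts: Opts<I>) => O | Promise<O>;

// Pure attribute check. A missing record is rejected exactly like a foreign one,
// so a caller cannot use the error to learn which ids exist.
function checkOwner<O>(
  ctx: Ctx,
  record: O | null | undefined,
  ownerOf: (r: O) => string,
): O {
  if (record == null || ownerOf(record) !== ctx.studentId) {
    throw new ForbiddenError("not allowed to read this record");
  }
  return record;
}

// Wraps a resolver: the data fetch stays free of permission logic,
// and the check always runs on whatever the fetch returned.
function ownedBy<I, O>(
  ownerOf: (r: O) => string,
  resolve: Resolver<I, O | null>,
): Resolver<I, O> {
  return async (opts) => checkOwner(opts.ctx, await resolve(opts), ownerOf);
}

// Constructed sample data standing in for the grade table.
type Grade = { id: string; studentId: string; score: number };
const grades = new Map<string, Grade>([
  ["g1", { id: "g1", studentId: "alice", score: 91 }],
  ["g2", { id: "g2", studentId: "bob", score: 78 }],
]);

// The wrapped resolver; in a router it would be passed to `.query(...)`.
const getStudentGradeById = ownedBy<{ gradeId: string }, Grade>(
  (g) => g.studentId,
  async ({ input }) => grades.get(input.gradeId) ?? null,
);
```

Because the wrapper only needs an `ownerOf` accessor, the same helper covers every procedure whose result carries an owner attribute.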