Is it possible to perform attribute-based authorization after the .query?

I have a TRPC method, getStudentGradeById, that accepts the gradeId. I want to return the grade only if the student owns it. The current code is:
```ts
protectedProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(async ({ input: { gradeId }, ctx }) => {
    // Fetch the record, then check ownership on what was fetched
    const grade = await prisma.grade.findById(gradeId)
    if (!grade || grade.studentId !== ctx.studentId) {
      throw new Error()
    }
    return grade
  })
```
I want something like:
```ts
protectedProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(({ input: { gradeId } }) => prisma.grade.findById(gradeId))
  // Proposed step that runs on the resolver's result
  .use((ctx, result) => {
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })
```
I don't want to use the output because it would require me to write the output schema for each method. Additionally, I don't want to include any permission management within the .query. Is it possible to achieve this? Should I attempt to make the necessary changes and submit a pull request?
itelofilho (32d ago)
I don't see how it's related to my question...
BeBoRE (32d ago)
Why not just return a TRPCError forbidden?
itelofilho (31d ago)
GitHub
feat: middleware after the .query · Issue #5575 · trpc/trpc
Describe the feature you'd like to request let's suppose that I have a TRPC method, getStudentGradeById, that accepts the gradeId. I want to return the grade only if the student owns it. I ...
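
One way to keep the ownership check out of the resolver body without a post-`.query` hook, as an added example that is not from the thread or from tRPC itself: a framework-independent wrapper that applies an attribute policy to whatever the resolver returns. `Ctx`, `Grade`, `NotFoundError`, `enforce`, `guardResult` and `ownsGrade` are hypothetical names, and the in-memory `grades` map is constructed sample data standing in for the database.

```typescript
// Added example; every name below is hypothetical, not part of tRPC or Prisma.
type Ctx = { studentId: string };
type Grade = { id: string; studentId: string; score: number };
type Policy<C, T> = (ctx: C, record: T) => boolean;
type Opts<C, I> = { input: I; ctx: C };

// One error for "missing" and "not yours", so a caller cannot probe which ids exist.
class NotFoundError extends Error {
  code = "NOT_FOUND";
}

// Post-fetch check: hand the record back only when the policy allows it.
function enforce<C, T>(policy: Policy<C, T>, ctx: C, record: T | null | undefined): T {
  if (record == null || !policy(ctx, record)) {
    throw new NotFoundError("resource not found");
  }
  return record;
}

// Wrap a resolver so the policy runs on its result; the resolver stays free of permission logic.
function guardResult<C, I, T>(
  policy: Policy<C, T>,
  resolve: (opts: Opts<C, I>) => Promise<T | null> | T | null,
) {
  return async (opts: Opts<C, I>): Promise<T> =>
    enforce(policy, opts.ctx, await resolve(opts));
}

// The attribute rule from the question: the grade belongs to the calling student.
const ownsGrade: Policy<Ctx, Grade> = (ctx, grade) => grade.studentId === ctx.studentId;

// Constructed sample rows standing in for the grade table.
const grades = new Map<string, Grade>([
  ["g1", { id: "g1", studentId: "s1", score: 91 }],
  ["g2", { id: "g2", studentId: "s2", score: 74 }],
]);

// Resolver only fetches; authorization is applied to whatever it returns.
const getStudentGradeById = guardResult(
  ownsGrade,
  ({ input }: Opts<Ctx, { gradeId: string }>) => grades.get(input.gradeId) ?? null,
);
```

The function returned by `guardResult` takes the same `{ input, ctx }` argument shape as the `.query` callbacks in the question, and the policy is written once and reused across procedures.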