Is it possible to perform attribute-based authorization after the .query?

I have a TRPC method, getStudentGradeById,getStudentGradeById, that accepts the gradeIdgradeId. I want to return the grade only if the student owns it.

the current code is:

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(({ input: {gradeId}, ctx}) => {
    const grade = prisma.grade.findById(gradeId)
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(({ input: {gradeId}, ctx}) => {
    const grade = prisma.grade.findById(gradeId)
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

I want something like:

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(() => prisma.grade.findById(gradeId))
  .use((ctx, result) => {
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(() => prisma.grade.findById(gradeId))
  .use((ctx, result) => {
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

I don't want to use the output because it would require me to write the output schema for each method. Additionally, I don't want to include any permission management within the .query. Is it possible to achieve this? Should I attempt to make the necessary changes and submit a pull request?

Is it possible to perform attribute-based authorization after the .query?

I have a TRPC method, getStudentGradeById,getStudentGradeById, that accepts the gradeIdgradeId. I want to return the grade only if the student owns it.

the current code is:

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(({ input: {gradeId}, ctx}) => {
    const grade = prisma.grade.findById(gradeId)
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(({ input: {gradeId}, ctx}) => {
    const grade = prisma.grade.findById(gradeId)
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

I want something like:

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(() => prisma.grade.findById(gradeId))
  .use((ctx, result) => {
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

protectecProcedure
  .input(z.object({
    gradeId: z.string()
  }))
  .query(() => prisma.grade.findById(gradeId))
  .use((ctx, result) => {
    if (result.studentId !== ctx.studentId) {
      throw new Error()
    }
  })

Is it possible to perform attribute-based authorization after the .query?

Is it possible to perform attribute-based authorization after the .query?

Continue the conversation

tRPC

Continue the conversation

tRPC

Similar Threads