Defining custom permissions

Defining custom permissions

Your plugin may be defining new queries & mutations which require new permissions specific to those operations. This can be done by creating PermissionDefinitions.

For example, let’s imagine you are creating a plugin which exposes a new mutation that can be used by remote services to sync your inventory. First of all we will define the new permission:

// sync-permission.ts
import { PermissionDefinition } from '@vendure/core';

export const sync = new PermissionDefinition({
  name: 'SyncInventory',
  description: 'Allows syncing stock levels via Admin API'
});

This permission can then be used in conjuction with the @Allow() decorator to limit access to the mutation:

// inventory-sync.resolver.ts
import { Allow } from '@vendure/core';
import { Mutation, Resolver } from '@nestjs/graphql';
import { sync } from './sync-permission';

@Resolver()
export class InventorySyncResolver {

  @Allow(sync.Permission)
  @Mutation()
  syncInventory() {
    // ...
  }
}

Finally, the sync PermissionDefinition must be passed into the VendureConfig so that Vendure knows about this new custom permission:

// inventory-sync.plugin.ts
import gql from 'graphql-tag';
import { VendurePlugin } from '@vendure/core';
import { InventorySyncResolver } from './inventory-sync.resolver'
import { sync } from './sync-permission';

@VendurePlugin({
  adminApiExtensions: {
    schema: gql`
      input InventoryDataInput {
        # omitted for brevity
      }

      extend type Mutation {
        syncInventory(input: InventoryDataInput!): Boolean!
      }
    `,
    resolvers: [InventorySyncResolver]
  },
  configuration: config => {
    config.authOptions.customPermissions.push(sync);
    return config;
  },
})
export class InventorySyncPlugin {}

On starting the Vendure server, this custom permission will now be visible in the Role detail view of the Admin UI, and can be assigned to Roles.

Custom CRUD permissions

Quite often your plugin will define a new entity on which you must perform create, read, update and delete (CRUD) operations. In this case, you can use the CrudPermissionDefinition which simplifies the creation of the set of 4 CRUD permissions. See the docs for an example of usage.