Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

vincent15000's avatar

GraphQL instead of API resources ?

Hello,

I just discover GraphQL and it seems very interesting.

Effectively I notice that with GraphQL, I don't have to create several API resources any more given that the VueJS client asks for what it needs.

With API resources and collection, I'm used to add additional properties to models (can_update, can_delete) and additionnal property to the collection (can_create). This is very useful to communicate to the frontend if the connected use can update or delete a model, so that I can display or hide the buttons to update or delete.

For the moment I understand that API controllers seem to be not useful if using GraphQL. As I'm using the traditional routes and API controllers, I can retrieve only the allowed datas for the connected user, for example if the user isn't admin, I retrieve only some data, if he is admin, I retrieve all datas. But what if I decide to use GraphQL ?

As I said, I just discover GraphQL, I have started to read the documentation. For the moment I just have some questions about the approach with GraphQL vs API resources.

  • is it also possible to retrieve datas according to the role of the user ?
  • is it also possible to add can_update / can_delete properties to each model retrieved ?

Can somebody answer these questions ?

Perhaps help me to better understand how GraphQL works ?

Any suggestions ?

Thanks for your help.

V

0 likes
5 replies
LaryAI's avatar
LaryAI
AI
2 years ago
Level 58

Certainly! GraphQL can indeed be used as an alternative to traditional REST API resources, and it offers a lot of flexibility in terms of fetching exactly the data you need. To answer your questions:

  1. Retrieving data according to the role of the user: Yes, it is possible to retrieve data according to the user's role in GraphQL. This is typically handled in the resolver functions, where you can implement your authorization logic to determine what data a user is allowed to see based on their role.

  2. Adding can_update / can_delete properties to each model retrieved: You can also add properties like can_update and can_delete to your GraphQL types. These would be computed fields that you resolve based on the user's permissions.

Here's a simplified example of how you might implement this in a GraphQL schema using a JavaScript server with GraphQL.js:

type Query {
  posts: [Post]
}

type Post {
  id: ID!
  title: String!
  content: String!
  can_update: Boolean
  can_delete: Boolean
}

# ... other type definitions ...

And in your resolver functions:

const resolvers = {
  Query: {
    posts: (parent, args, context) => {
      // context.user would be your authenticated user
      const user = context.user;
      const posts = getPostsForUser(user); // Implement this to fetch posts based on user role
      return posts;
    },
  },
  Post: {
    can_update: (post, args, context) => {
      // Implement your logic to determine if the user can update the post
      return canUserUpdatePost(context.user, post);
    },
    can_delete: (post, args, context) => {
      // Implement your logic to determine if the user can delete the post
      return canUserDeletePost(context.user, post);
    },
  },
  // ... other resolvers ...
};

function getPostsForUser(user) {
  // Fetch posts from your database or service, filtering by user role if necessary
  // ...
}

function canUserUpdatePost(user, post) {
  // Your logic to determine if the user can update the post
  // For example, check if the user is the author of the post or an admin
  // ...
}

function canUserDeletePost(user, post) {
  // Your logic to determine if the user can delete the post
  // Similar to canUserUpdatePost, but for deletion
  // ...
}

In this example, getPostsForUser would be a function that retrieves the posts a user is allowed to see based on their role. The can_update and can_delete fields are computed for each Post object in the resolver functions, based on the current user's permissions.

Remember that GraphQL is just a query language and runtime for executing those queries, so you have to implement the logic for permissions and data retrieval yourself, just like you would with a REST API. The difference is that GraphQL allows you to query for exactly what you need in a single request, which can be more efficient and flexible than predefined API endpoints.

1 like
vincent15000's avatar

@LaryAI I specify that I usually add the can_update / can_delete properties from the model policies.

Does this mean that I have to move the policies to another place ? Or can I continue using the policies to add these properties to each retrieved model via GraphQL ?

MohamedTammam's avatar
  1. Yes it's possible.
  2. Yes it's possible.

Perhaps help me to better understand how GraphQL works ?

The idea of GraphQL is for the front-end to send the what it's needed and then the back-end is going to build the query according to that with limitation for number of records, user roles, etc.

Consider it as a global filtering where the front-end can send filtering the data and then the back-end act on that.

You can install GraphQL into Laravel using this package https://github.com/nuwave/lighthouse

And there's a package for creating playground page where you can test your GraphQL query against Laravel without the need for other tools: https://github.com/mll-lab/laravel-graphiql

1 like
vincent15000's avatar

@MohamedTammam I have started to test GraphQL, it seems pretty interesting.

Hmmm ... I have this query.

users: [User!]! @paginate(defaultCount: 10) @orderBy(column: "name") @canResolved(ability: "viewAny")

And I use it like this.

const res = await graphql({ query });

The graphql() function is a function using axios to send a post request to the backend.

Without @canResolved(), it works fine, I get the users list. With @canResolved(), I get this error.

This action is unauthorized.

Sure I don't use well the can directive, but what am I doing wrong ?

Can you help me ?

Please or to participate in this conversation.