Access Control for schema elements

2.3.0 2024-05-08 17:45 UTC


Access Control for schema elements


Via Composer

composer require getpop/access-control


The source code is hosted on the GatoGraphQL monorepo, under Engine/packages/access-control.


Initialize the component:


How does it work?

Access control deals in 2 modes: Public/Private schema modes.

The difference between Public and Private schema modes concerns the feedback given to the user when a validation fails. In Public mode, a detailed error message is given to the user (eg: "only users with role 'administrator' can access this field). In Private mode, there is no helpful information, instead the user is told that the field or directive does not exist.

We need to implement 4 cases of access control:

  1. Fields in Public schema mode
  2. Directives in Public schema mode
  3. Fields in Private schema mode
  4. Directives in Private schema mode

In Public schema mode, we can simply add a special directive that will validate the restriction (such as: is the user logged in? does the logged-in user have a specific role or capability?).

In Private mode, we add a hook that filters out the field or directive before it is registered.

In addition, whenever a validation must be performed to know if the user can access a field or directive, the response from the GraphQL server cannot be cached (when using component Cache Control). For the Public mode this situation is automatically handled, since the directive validating if the user is logged in or not already indicates that the response cannot be cached. For the Private mode, however, we need to add a special directive "NoCache". Hence, we need to deal with the following 2 cases:

  1. NoCache for Fields in Private schema mode
  2. NoCache for Directives in Private schema mode

PHP versions


  • PHP 8.1+ for development
  • PHP 7.2+ for production

Supported PHP features

Check the list of Supported PHP features in GatoGraphQL/GatoGraphQL

Preview downgrade to PHP 7.2

Via Rector (dry-run mode):

composer preview-code-downgrade


PSR-1, PSR-4 and PSR-12.

To check the coding standards via PHP CodeSniffer, run:

composer check-style

To automatically fix issues, run:

composer fix-style

Change log

Please see CHANGELOG for more information on what has changed recently.


To execute PHPUnit, run:

composer test

Static Analysis

To execute PHPStan, run:

composer analyse

Report issues

To report a bug or request a new feature please do it on the GatoGraphQL monorepo issue tracker.


We welcome contributions for this package on the GatoGraphQL monorepo (where the source code for this package is hosted).

Please see CONTRIBUTING and CODE_OF_CONDUCT for details.


If you discover any security related issues, please email instead of using the issue tracker.



GNU General Public License v2 (or later). Please see License File for more information.