diff --git a/authorization.js b/authorization.js
new file mode 100644
index 0000000000000000000000000000000000000000..7ac282ebe9c67e79d08ef7f54e8fc57b966e793b
--- /dev/null
+++ b/authorization.js
@@ -0,0 +1,21 @@
+const {
+ rule,
+ inputRule,
+ allow,
+ deny,
+ and,
+ chain,
+ or,
+ not,
+} = require('graphql-shield')
+
+module.exports = {
+ rule,
+ inputRule,
+ allow,
+ deny,
+ and,
+ chain,
+ or,
+ not,
+}
diff --git a/package.json b/package.json
index ebee39a24a88074eb359175c77e133b0ae079fae..8716bd6c22631b1c4ab2899f8ce15eeb61e4c4f8 100644
--- a/package.json
+++ b/package.json
@@ -32,6 +32,8 @@
"cookie-parser": "^1.4.5",
"cors": "^2.8.5",
"express": "^4.17.1",
+ "graphql-middleware": "^4.0.2",
+ "graphql-shield": "^7.2.6",
"helmet": "^3.22.0",
"http-status-codes": "^1.4.0",
"lodash": "^4.17.15",
diff --git a/src/graphqlApi.js b/src/graphqlApi.js
index f932dae3b6e69b507059b2f3948865dfea897b3a..5635157df7cb696f92ad09c412433a6afae77060 100644
--- a/src/graphqlApi.js
+++ b/src/graphqlApi.js
@@ -5,10 +5,10 @@ const errors = require('@pubsweet/errors')
const config = require('config')
-const schema = require('pubsweet-server/src/graphql/schema')
const connectors = require('pubsweet-server/src/connectors')
const loaders = require('pubsweet-server/src/graphql/loaders')
const helpers = require('pubsweet-server/src/helpers/authorization')
+const schema = require('./graphqlSchema')
const hostname = config.has('pubsweet-server.hostname')
? config.get('pubsweet-server.hostname')
diff --git a/src/graphqlSchema.js b/src/graphqlSchema.js
new file mode 100644
index 0000000000000000000000000000000000000000..8219ea200422ebd3ecdfd32c242d407d3c9613d1
--- /dev/null
+++ b/src/graphqlSchema.js
@@ -0,0 +1,11 @@
+const config = require('config')
+
+const { applyMiddleware } = require('graphql-middleware')
+const { shield } = require('graphql-shield')
+let schema = require('pubsweet-server/src/graphql/schema')
+
+if (config.has('permissions')) {
+ schema = applyMiddleware(schema, shield(config.get('permissions')))
+}
+
+module.exports = schema
diff --git a/yarn.lock b/yarn.lock
index 2f216ef3476313f348d54378439e8da3ab1b0c8d..3c1933ee9d28f938b48faabfe39cbd506c5b8bd1 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -115,6 +115,13 @@
dependencies:
regenerator-runtime "^0.13.4"
+"@babel/runtime@^7.9.6":
+ version "7.9.6"
+ resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.9.6.tgz#a9102eb5cadedf3f31d08a9ecf294af7827ea29f"
+ integrity sha512-64AF1xY3OAkFHqOb9s4jpgk1Mm5vDZ4L3acHvAml+53nO1XbXLuDodsVpO4OIUsmemlUHMxNdYMNJmsvOwLrvQ==
+ dependencies:
+ regenerator-runtime "^0.13.4"
+
"@babel/template@^7.8.3":
version "7.8.6"
resolved "https://registry.yarnpkg.com/@babel/template/-/template-7.8.6.tgz#86b22af15f828dfb086474f964dcc3e39c43ce2b"
@@ -639,6 +646,11 @@
dependencies:
"@types/node" "*"
+"@types/yup@0.26.37":
+ version "0.26.37"
+ resolved "https://registry.yarnpkg.com/@types/yup/-/yup-0.26.37.tgz#7a52854ac602ba0dc969bebc960559f7464a1686"
+ integrity sha512-cDqR/ez4+iAVQYOwadXjKX4Dq1frtnDGV2GNVKj3aUVKVCKRvsr8esFk66j+LgeeJGmrMcBkkfCf3zk13MjV7A==
+
"@typescript-eslint/experimental-utils@^2.5.0":
version "2.25.0"
resolved "https://registry.yarnpkg.com/@typescript-eslint/experimental-utils/-/experimental-utils-2.25.0.tgz#13691c4fe368bd377b1e5b1e4ad660b220bf7714"
@@ -1008,6 +1020,16 @@ apollo-graphql@^0.4.0:
apollo-env "^0.6.2"
lodash.sortby "^4.7.0"
+apollo-link@^1.2.14:
+ version "1.2.14"
+ resolved "https://registry.yarnpkg.com/apollo-link/-/apollo-link-1.2.14.tgz#3feda4b47f9ebba7f4160bef8b977ba725b684d9"
+ integrity sha512-p67CMEFP7kOG1JZ0ZkYZwRDa369w5PIjtMjvrQd/HnIV8FRsHRqLqK+oAZQnFa1DDdZtOtHTi+aMIW6EatC2jg==
+ dependencies:
+ apollo-utilities "^1.3.0"
+ ts-invariant "^0.4.0"
+ tslib "^1.9.3"
+ zen-observable-ts "^0.8.21"
+
apollo-link@^1.2.3:
version "1.2.13"
resolved "https://registry.yarnpkg.com/apollo-link/-/apollo-link-1.2.13.tgz#dff00fbf19dfcd90fddbc14b6a3f9a771acac6c4"
@@ -3673,6 +3695,11 @@ flush-write-stream@^1.0.0:
inherits "^2.0.3"
readable-stream "^2.3.6"
+fn-name@~3.0.0:
+ version "3.0.0"
+ resolved "https://registry.yarnpkg.com/fn-name/-/fn-name-3.0.0.tgz#0596707f635929634d791f452309ab41558e3c5c"
+ integrity sha512-eNMNr5exLoavuAMhIUVsOKF79SWd/zG104ef6sxBTSw+cZc6BXdQXDvYcGvp0VbxVVSp1XDUNoz7mg1xMtSznA==
+
follow-redirects@^1.0.0:
version "1.10.0"
resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.10.0.tgz#01f5263aee921c6a54fb91667f08f4155ce169eb"
@@ -4019,6 +4046,13 @@ graphql-extensions@^0.11.0:
apollo-server-env "^2.4.3"
apollo-server-types "^0.3.0"
+graphql-middleware@^4.0.2:
+ version "4.0.2"
+ resolved "https://registry.yarnpkg.com/graphql-middleware/-/graphql-middleware-4.0.2.tgz#eb589bf428e1795e48cd6a3cfeeba0807b996ebd"
+ integrity sha512-ESVDvMXeN00S1BNsjNS18uExcR16J8zbT31CuKcpyeBa7IMbidG0Pnqnu5P1wKkJLmPmKOfCljWlhXpD/Fawqg==
+ dependencies:
+ graphql-tools "^4.0.5"
+
graphql-postgres-subscriptions@^1.0.4:
version "1.0.5"
resolved "https://registry.yarnpkg.com/graphql-postgres-subscriptions/-/graphql-postgres-subscriptions-1.0.5.tgz#1bf33bc34fb031025da86715524db23ea871f216"
@@ -4029,6 +4063,15 @@ graphql-postgres-subscriptions@^1.0.4:
pg "^7.4.1"
pg-ipc "^1.0.4"
+graphql-shield@^7.2.6:
+ version "7.2.6"
+ resolved "https://registry.yarnpkg.com/graphql-shield/-/graphql-shield-7.2.6.tgz#f11107ed122c1882cb8062d55ed3c3acffcdbc17"
+ integrity sha512-XTGd+l0Ah3JzJp/jBFpluGZTmlcM8y09WxVR0w74DuQoFdr7W58j9cNvFudJIET5uBSaCVd7pUPYtep26SltsQ==
+ dependencies:
+ "@types/yup" "0.26.37"
+ object-hash "^2.0.3"
+ yup "^0.28.4"
+
graphql-subscriptions@^0.5.8:
version "0.5.8"
resolved "https://registry.yarnpkg.com/graphql-subscriptions/-/graphql-subscriptions-0.5.8.tgz#13a6143c546bce390404657dc73ca501def30aa7"
@@ -4059,6 +4102,17 @@ graphql-tools@^4.0.0:
iterall "^1.1.3"
uuid "^3.1.0"
+graphql-tools@^4.0.5:
+ version "4.0.8"
+ resolved "https://registry.yarnpkg.com/graphql-tools/-/graphql-tools-4.0.8.tgz#e7fb9f0d43408fb0878ba66b522ce871bafe9d30"
+ integrity sha512-MW+ioleBrwhRjalKjYaLQbr+920pHBgy9vM/n47sswtns8+96sRn5M/G+J1eu7IMeKWiN/9p6tmwCHU7552VJg==
+ dependencies:
+ apollo-link "^1.2.14"
+ apollo-utilities "^1.0.1"
+ deprecated-decorator "^0.1.6"
+ iterall "^1.1.3"
+ uuid "^3.1.0"
+
graphql-upload@^8.0.2:
version "8.1.0"
resolved "https://registry.yarnpkg.com/graphql-upload/-/graphql-upload-8.1.0.tgz#6d0ab662db5677a68bfb1f2c870ab2544c14939a"
@@ -5208,6 +5262,11 @@ locate-path@^5.0.0:
dependencies:
p-locate "^4.1.0"
+lodash-es@^4.17.11:
+ version "4.17.15"
+ resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.15.tgz#21bd96839354412f23d7a10340e5eac6ee455d78"
+ integrity sha512-rlrc3yU3+JNOpZ9zj5pQtxnx2THmvRykwL4Xlxoa8I9lHBlVbbyPhgyPMioxVZ4NqyxaVVtaJnzsyOidQIhyyQ==
+
lodash._reinterpolate@^3.0.0:
version "3.0.0"
resolved "https://registry.yarnpkg.com/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz#0ccf2d89166af03b3663c796538b75ac6e114d9d"
@@ -5887,6 +5946,11 @@ object-copy@^0.1.0:
define-property "^0.2.5"
kind-of "^3.0.3"
+object-hash@^2.0.3:
+ version "2.0.3"
+ resolved "https://registry.yarnpkg.com/object-hash/-/object-hash-2.0.3.tgz#d12db044e03cd2ca3d77c0570d87225b02e1e6ea"
+ integrity sha512-JPKn0GMu+Fa3zt3Bmr66JhokJU5BaNBIh4ZeTlaCBzrBsOeXzwcKKAK1tbLiPKgvwmPXsDvvLHoWh5Bm7ofIYg==
+
object-inspect@^1.7.0:
version "1.7.0"
resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.7.0.tgz#f4f6bd181ad77f006b5ece60bd0b6f398ff74a67"
@@ -6664,6 +6728,11 @@ prop-types@^15.7.2:
object-assign "^4.1.1"
react-is "^16.8.1"
+property-expr@^2.0.2:
+ version "2.0.2"
+ resolved "https://registry.yarnpkg.com/property-expr/-/property-expr-2.0.2.tgz#fff2a43919135553a3bc2fdd94bdb841965b2330"
+ integrity sha512-bc/5ggaYZxNkFKj374aLbEDqVADdYaLcFo8XBkishUWbaAdjlphaBFns9TvRA2pUseVL/wMFmui9X3IdNDU37g==
+
proxy-addr@~2.0.5:
version "2.0.6"
resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.6.tgz#fdc2336505447d3f2f2c638ed272caf614bbb2bf"
@@ -7864,6 +7933,11 @@ symbol-observable@^1.0.4:
resolved "https://registry.yarnpkg.com/symbol-observable/-/symbol-observable-1.2.0.tgz#c22688aed4eab3cdc2dfeacbb561660560a00804"
integrity sha512-e900nM8RRtGhlV36KGEU9k65K3mPb1WV70OdjfxlG2EAuM1noi/E/BaW/uMhL7bPEssK8QV57vN3esixjUvcXQ==
+synchronous-promise@^2.0.10:
+ version "2.0.11"
+ resolved "https://registry.yarnpkg.com/synchronous-promise/-/synchronous-promise-2.0.11.tgz#e92022b0754e916f556d3ace1626d24a24214b7e"
+ integrity sha512-8/L5FOCjnlK0FoAfj+NqdCaImMKvEyOEzGmdfcezKp5K9HIukm4akx72endvM87eS/gU8kOxiMQflpC/CdkQAg==
+
table@^5.2.3:
version "5.4.6"
resolved "https://registry.yarnpkg.com/table/-/table-5.4.6.tgz#1292d19500ce3f86053b05f0e8e7e4a3bb21079e"
@@ -8025,6 +8099,11 @@ toidentifier@1.0.0:
resolved "https://registry.yarnpkg.com/toidentifier/-/toidentifier-1.0.0.tgz#7e1be3470f1e77948bc43d94a3c8f4d7752ba553"
integrity sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==
+toposort@^2.0.2:
+ version "2.0.2"
+ resolved "https://registry.yarnpkg.com/toposort/-/toposort-2.0.2.tgz#ae21768175d1559d48bef35420b2f4962f09c330"
+ integrity sha1-riF2gXXRVZ1IvvNUILL0li8JwzA=
+
trim-newlines@^1.0.0:
version "1.0.0"
resolved "https://registry.yarnpkg.com/trim-newlines/-/trim-newlines-1.0.0.tgz#5887966bb582a4503a41eb524f7d35011815a613"
@@ -8666,6 +8745,19 @@ yargs@15.0.2:
y18n "^4.0.0"
yargs-parser "^16.1.0"
+yup@^0.28.4:
+ version "0.28.5"
+ resolved "https://registry.yarnpkg.com/yup/-/yup-0.28.5.tgz#85cabb4000d3623ef69be81551190692e631a8a5"
+ integrity sha512-7JZcvpUGUxMKoaEtcoMEM8lCWRaueGNH/A3EhL/UWqfbFm3uloiI+x59Yq4nzhbbYWUTwAsCteaZOJ+VbqI1uw==
+ dependencies:
+ "@babel/runtime" "^7.9.6"
+ fn-name "~3.0.0"
+ lodash "^4.17.15"
+ lodash-es "^4.17.11"
+ property-expr "^2.0.2"
+ synchronous-promise "^2.0.10"
+ toposort "^2.0.2"
+
zen-observable-ts@^0.8.20:
version "0.8.20"
resolved "https://registry.yarnpkg.com/zen-observable-ts/-/zen-observable-ts-0.8.20.tgz#44091e335d3fcbc97f6497e63e7f57d5b516b163"
@@ -8674,6 +8766,14 @@ zen-observable-ts@^0.8.20:
tslib "^1.9.3"
zen-observable "^0.8.0"
+zen-observable-ts@^0.8.21:
+ version "0.8.21"
+ resolved "https://registry.yarnpkg.com/zen-observable-ts/-/zen-observable-ts-0.8.21.tgz#85d0031fbbde1eba3cd07d3ba90da241215f421d"
+ integrity sha512-Yj3yXweRc8LdRMrCC8nIc4kkjWecPAUVh0TI0OUrWXx6aX790vLcDlWca6I4vsyCGH3LpWxq0dJRcMOFoVqmeg==
+ dependencies:
+ tslib "^1.9.3"
+ zen-observable "^0.8.0"
+
zen-observable@^0.8.0:
version "0.8.15"
resolved "https://registry.yarnpkg.com/zen-observable/-/zen-observable-0.8.15.tgz#96415c512d8e3ffd920afd3889604e30b9eaac15"