Queries without a volumeId argument are automatically restricted to the current user's entries/assets. This acts as a security fallback, and also keeps pagination working correctly.
The inclusion of a section or volume argument means the query can be checked against permissions ahead of time.
Take the following query for example:
If private entries were removed after the query had been fired, you could end up with fewer results than requested.
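To make the pagination point concrete, here is an added illustration (not code from the plugin or from Craft) using a toy in-memory entries table. It contrasts dropping private entries after a page has been fetched, which yields short pages and stops a page walker early, with putting the ownership condition into the query before paginating. The `Entry` rows, the two fetch functions and `walk_pages` are all constructed for this example.

```python
"""Why a permission scope must be applied inside the query, not after it.

Added illustration (not plugin or Craft code): a toy in-memory "entries" table
stands in for the database, and the two fetch functions show the difference
between filtering private entries after a page has been fetched and
restricting the query to the current user before pagination.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    id: int
    author_id: int
    title: str


# Constructed sample data: entries by two authors. From author 1's point of
# view, author 2's rows are private.
ENTRIES = [
    Entry(1, 1, "Alice post 1"),
    Entry(2, 2, "Bob post 1"),
    Entry(3, 2, "Bob post 2"),
    Entry(4, 1, "Alice post 2"),
    Entry(5, 2, "Bob post 3"),
    Entry(6, 1, "Alice post 3"),
]


def page_then_filter(current_user_id, limit, offset=0):
    """Unsafe ordering: paginate over everything, then drop rows the user
    may not see. The page is padded with rows that are removed afterwards,
    so the caller receives fewer than `limit` results and cannot tell
    whether it reached the end of the data or merely hit private rows."""
    page = ENTRIES[offset:offset + limit]
    return [e for e in page if e.author_id == current_user_id]


def filter_then_page(current_user_id, limit, offset=0):
    """Correct ordering: the ownership condition is part of the query, so
    every page is full until the visible data really runs out, and no
    private row is ever materialised for the caller."""
    visible = [e for e in ENTRIES if e.author_id == current_user_id]
    return visible[offset:offset + limit]


def walk_pages(fetch, current_user_id, limit):
    """Typical client loop: keep fetching until a short page arrives.
    Returns the titles seen, in order."""
    seen, offset = [], 0
    while True:
        page = fetch(current_user_id, limit, offset)
        seen.extend(e.title for e in page)
        if len(page) < limit:
            return seen
        offset += limit


if __name__ == "__main__":
    # The post-filtered walk stops after the first short page and never
    # reaches Alice's second and third posts; the pre-filtered walk sees all.
    print(walk_pages(page_then_filter, 1, 2))
    print(walk_pages(filter_then_page, 1, 2))
```

With a page size of 2, the post-filter walk returns only `Alice post 1` because the first page contained one private row and so looked like the last page; the pre-filter walk returns all three of Alice's posts. The same short-page effect is what the automatic restriction to the current user avoids.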
When running the authenticate mutation, the parameters are passed directly to the authenticate function from Craft's User model. This function will fail validation if the user attempting to log in doesn't have access to the control panel.
Because of this, the authenticate mutation temporarily grants control panel access, and removes it upon success or failure.
The logic should run very quickly, so users shouldn't ever actually be able to reach the control panel, but it's something to be aware of if you implement additional back-end logic that assumes such users never have that access.
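The grant-then-revoke pattern described above, as an added illustration that is not the plugin's own code: a minimal in-memory model of a user whose login check refuses accounts without control-panel access, and a wrapper that grants that access only for the duration of the check and restores the original value whether the check succeeds, fails, or raises. The names `User`, `AuthError`, `temporary_cp_access` and `authenticate_with_temporary_cp_access` are hypothetical stand-ins, not Craft APIs.

```python
"""Temporary privilege grant with guaranteed revocation.

Added illustration, not plugin or Craft code. `User.authenticate` mirrors a
login check that rejects users without control-panel access; the context
manager raises the flag only for the duration of that check and always puts
the previous value back, including when the check raises.
"""
from contextlib import contextmanager
import hmac


class AuthError(Exception):
    """Raised when the login check refuses a user outright."""


class User:
    def __init__(self, username, password, can_access_cp=False):
        self.username = username
        self._password = password  # plaintext only in this toy model
        self.can_access_cp = can_access_cp

    def authenticate(self, password):
        """Reject users without control-panel access, then compare the
        password in constant time. Returns True/False for a real attempt."""
        if not self.can_access_cp:
            raise AuthError("user has no control panel access")
        return hmac.compare_digest(self._password, password)


@contextmanager
def temporary_cp_access(user):
    """Grant control-panel access for the body of the `with` block only.

    The previous value is remembered and restored in `finally`, so a user
    who already had access keeps it, and a user who did not loses it again
    on success, on a wrong password, and on an unexpected exception."""
    original = user.can_access_cp
    user.can_access_cp = True
    try:
        yield user
    finally:
        user.can_access_cp = original


def authenticate_with_temporary_cp_access(user, password):
    """The mutation-style entry point: elevate, run the check, revoke."""
    with temporary_cp_access(user):
        return user.authenticate(password)


if __name__ == "__main__":
    alice = User("alice", "s3cret")
    print(authenticate_with_temporary_cp_access(alice, "s3cret"), alice.can_access_cp)
    print(authenticate_with_temporary_cp_access(alice, "wrong"), alice.can_access_cp)
```

Two details matter for a defender. Restoring the original value rather than unconditionally clearing it avoids stripping access from an administrator who logs in through the same path, and the `finally` clause is what makes the revocation hold on the failure path; the window in which the flag is raised still exists, which is why any other back-end check that reads it during a login must not treat it as proof of a real control-panel grant.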
The following snippet is how temporary access is granted:
Due to the fact that categories don't have an author, it isn't currently possible to restrict them in the same way as entries and assets.
An alternative path would be to use entry channels as a replacement for categories, as this enables granular permission control.