It’s common to want only some kinds of users to be able to access the Admin UI. By default any logged-in user will be able to log into the Admin UI, and from there their standard ACLs will be applied. If they don’t have access to view an entity, they will get an error when selecting that entity in the sidebar.
In many cases, though, you simply want to deny certain types of users the ability to log into the Admin UI at all, because there’s no reason to give them extra access.
To achieve this, we secure the result returned from the `_graphweaver` query that powers the Admin UI’s ability to discover the schema. The root entity in this query is called `AdminUiMetadata`.
Create a file alongside the rest of your GraphQL schema where we’ll apply our ACL for this entity:
```ts
import { AdminUiMetadata } from '@exogee/graphweaver';
import { ApplyAccessControlList } from '@exogee/graphweaver-auth';

// Ensure only admins can access the Admin UI
ApplyAccessControlList(
	{ ADMIN: { all: true } },
	{ overrideIfExists: true }
)(AdminUiMetadata);
```
Because Graphweaver’s ACL system is default deny, the only user role that will be able to access the Admin UI now is `ADMIN`.
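To make the default-deny rule concrete, here is an added, stand-alone model of how an ACL of the shape shown above is evaluated. It is an illustration written for this page, not Graphweaver’s own implementation; the per-operation keys (`read`, `create`, `update`, `delete`) alongside `all` and the sample users are assumptions made for the example.

```typescript
// Added illustration, not Graphweaver's code: a minimal model of the
// default-deny ACL rule described above. The ACL shape mirrors the argument
// passed to ApplyAccessControlList: { ROLE: { all: true } }. Per-operation
// keys besides `all` are an assumption used for this example.
type Operation = 'read' | 'create' | 'update' | 'delete';
type AclEntry = Partial<Record<Operation | 'all', boolean>>;
type AccessControlList = Record<string, AclEntry>;

// Default deny: access is granted only when the user holds at least one role
// whose entry explicitly allows the operation (or `all`). Roles with no entry,
// and entries that do not mention the operation, contribute nothing.
function isAllowed(acl: AccessControlList, roles: string[], op: Operation): boolean {
  return roles.some((role) => {
    const entry = acl[role];
    return entry !== undefined && (entry.all === true || entry[op] === true);
  });
}

// The ACL from the page, as applied to AdminUiMetadata.
const adminUiAcl: AccessControlList = { ADMIN: { all: true } };

// Discovering the schema through AdminUiMetadata is a read, so this is the
// check that decides whether a user can get into the Admin UI at all.
function canOpenAdminUi(roles: string[]): boolean {
  return isAllowed(adminUiAcl, roles, 'read');
}

// Constructed sample users (assumption, for illustration only).
const sampleUsers: Record<string, string[]> = {
  alice: ['ADMIN'],
  bob: ['USER'],
  carol: ['USER', 'ADMIN'],
  anonymous: [],
};

function adminUiAccessReport(): Record<string, boolean> {
  const report: Record<string, boolean> = {};
  for (const [name, roles] of Object.entries(sampleUsers)) {
    report[name] = canOpenAdminUi(roles);
  }
  return report;
}
```

Only users holding `ADMIN` come out allowed; a role that is absent from the ACL is treated exactly like a role that is explicitly denied.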
NOTE: Make sure this file is imported the way your other files are so the ACL is applied (e.g. add it to `index.ts`).
From here, any user which doesn’t have an `ADMIN` role will receive a Forbidden error when trying to log into the Admin UI.