Add GTFS GraphQL user permissions check to ensure user has access to feeds

[landonreed]

Issue by landonreed
Tuesday Jun 12, 2018 at 18:57 GMT
Originally opened as catalogueglobal#94

---

While #93 deals with adding authentication in front of the GTFS API, there is currently no check on the user's feed source permissions to determine whether they are authorized to make the GraphQL request. This is a bit tricky because the namespace value, which could be present in either the GraphQL query or variables must be used to determine a user's access to feed sources. Furthermore, this namespace value might exist in one of a couple MongoDB collections: FeedVersions or Snapshots (or perhaps the FeedSource#editorNamespace value).

[landonreed]

After some further thought, perhaps we should just enforce that namespace always be passed as a variable in a GraphQL query. This way we could easily extract the variable to check the user's permissions.