Not really an answer but because site does a look up for each level in the graphql tree it doesn’t need to do the filtering at the top level, it may retrieve more results than it needs but it can filter at each loop (I think at least)

Hi @U0K1KAJTB - the pull-allowed-resource fn in Site will only return results for when a permission exists that matches the rules given. So it will restrict the entities returned. However, it will not restrict the individual attributes. However, all access in Site is via operations, and the individual operation implementations can do whatever filtering they choose do, so an operation might do a select-keys on a return entity to partially elide the entity.

Interesting, thank you for the answers! @U7KPK060K could you point me to where it does the lookup for each level in the tree? That would be very helpful, thank you! 🙏

sorry I just realised we have two versions of site, I was talking about the old version but I think you and malcolm are talking about the newer 'actions' version. This is how old site worked (though will be difficult to follow since it was really just a spike/POC) https://github.com/juxt/site/blob/0665831d03b36331197778f1e1d5a4eb8f4e9c1a/src/juxt/site/alpha/graphql.clj#L440

Thanks, I will have a look!

So it is not using xt's pull api/syntax but a gql resolver, am I reading this correctly?

It does a pull (or any query) initially for the top level and then extracts items from the object or does further xt/e calls to resolve nested data/joins

Got it, thanks!