Querying 'unrestricted' fields

The GraphQL schema must strike a balance between public and private fields, so as to avoid exposing private information in a public API.

For instance, the field posts exposes public data only: it fetches only posts with status "publish". To fetch private data, we must instead use the field unrestrictedPosts, which enables fetching posts with any status ("publish", "draft", "pending", "trash").

List of fields added to the GraphQL schema

When the module "Schema for the Admin" is enabled, the following fields are added to the GraphQL schema (as long as the corresponding schema-type modules are enabled):

Root:

  • unrestrictedPost
  • unrestrictedPosts
  • unrestrictedPostCount
  • unrestrictedCustomPost
  • unrestrictedCustomPosts
  • unrestrictedCustomPostCount
  • unrestrictedPage
  • unrestrictedPages
  • unrestrictedPageCount
  • roles
  • capabilities

User:

  • unrestrictedPosts
  • unrestrictedPostCount
  • unrestrictedCustomPosts
  • unrestrictedCustomPostCount
  • roles
  • capabilities

PostCategory:

  • unrestrictedPosts
  • unrestrictedPostCount

PostTag:

  • unrestrictedPosts
  • unrestrictedPostCount

Please notice the naming convention:

  • If the field exposes public + private data, then the field name starts with "unrestricted", such as Root.unrestrictedPosts (alongside the public-only Root.posts)
  • If the field only exposes private data, then it doesn't need to start with "unrestricted", such as User.roles

How to use

Adding admin fields to the schema can be configured as follows, in order of priority:

✅ Specific mode for the custom endpoint or persisted query, defined in the schema configuration

Adding admin fields to the schema, set in the Schema configuration

✅ Default mode, defined in the Settings

If the schema configuration has value "Default", it will use the mode defined in the Settings:

Schema for the Admin, in the Settings

When to use

Use whenever exposing private information is allowed, such as when building a static website, fetching data from a local WordPress instance (i.e. not a public API).
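
For the opposite case, a public endpoint, none of the fields listed above should be present in the schema. The check below scans a standard GraphQL introspection result for them; it is an added example, not part of the plugin or its documentation, and the function name find_admin_fields, the sample data and the root type name QueryRoot are constructed for illustration.

```python
# Admin fields per type, copied from the list on this page.
# "Root" stands for whatever type the schema declares as its query root.
ADMIN_FIELDS = {
    "Root": {"unrestrictedPost", "unrestrictedPosts", "unrestrictedPostCount",
             "unrestrictedCustomPost", "unrestrictedCustomPosts",
             "unrestrictedCustomPostCount", "unrestrictedPage",
             "unrestrictedPages", "unrestrictedPageCount",
             "roles", "capabilities"},
    "User": {"unrestrictedPosts", "unrestrictedPostCount",
             "unrestrictedCustomPosts", "unrestrictedCustomPostCount",
             "roles", "capabilities"},
    "PostCategory": {"unrestrictedPosts", "unrestrictedPostCount"},
    "PostTag": {"unrestrictedPosts", "unrestrictedPostCount"},
}


def find_admin_fields(introspection):
    """Return sorted 'Type.field' names of admin fields present in the schema.

    Flags the fields listed above, plus any other field whose name starts
    with "unrestricted" (the page's naming convention).
    """
    schema = introspection["data"]["__schema"]
    root_name = (schema.get("queryType") or {}).get("name")
    found = []
    for gql_type in schema["types"]:
        # Map the schema's actual query root type onto the page's "Root" label.
        label = "Root" if gql_type["name"] == root_name else gql_type["name"]
        listed = ADMIN_FIELDS.get(label, set())
        # Enums, scalars and input types have "fields": null in introspection.
        for field in gql_type.get("fields") or []:
            name = field["name"]
            if name in listed or name.startswith("unrestricted"):
                found.append(f"{label}.{name}")
    return sorted(found)


# Constructed sample: a trimmed introspection result for an endpoint
# on which "Schema for the Admin" is enabled.
SAMPLE = {"data": {"__schema": {"queryType": {"name": "QueryRoot"}, "types": [
    {"name": "QueryRoot", "fields": [{"name": "posts"},
                                     {"name": "unrestrictedPosts"},
                                     {"name": "roles"}]},
    {"name": "User", "fields": [{"name": "name"}, {"name": "capabilities"}]},
    {"name": "Post", "fields": [{"name": "title"}, {"name": "roles"}]},
    {"name": "PostStatusEnum", "fields": None},
]}}}

if __name__ == "__main__":
    for hit in find_admin_fields(SAMPLE):
        print("admin field exposed:", hit)
```

An empty result for a public endpoint's introspection output means none of the admin fields from this page are in its schema.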