/

Users

Learn about how to interact with Users using WPGraphQL

Users are core to WordPress and are a first class citizen in the WPGraphQL Schema. On this page we will look at various ways to interact with Users using WPGraphQL.

If any of the terminology or semantics of the GraphQL queries/mutations on this page are confusing, check out the Intro to GraphQL Guide to get more familiar with the basics.

Queries

WPGraphQL comes with RootQuery fields built-in to query User data. You can query for lists of users or individual users. Below, we'll look at some common examples for querying Users.

List of Users

In this example, we query a list of User nodes. By default, WPGraphQL will return 10 items.

GraphiQL Loading...
What's up with edges and nodes?One of the first things you may ask when you see this is: "What in the world are 'edges' and 'nodes'?".

We've written up a guide on what they are and why WPGraphQL makes use of this shape of data throughout.

Connected Data

In WordPress, Users can be connected to Posts and Pages as the author. You can query a user's connected data in various ways.

Here's one example, where we query for a list of users, and for each user we ask for a list of their recent posts (default will be 10 most recent)

GraphiQL Loading...

Single User

If we know the ID of a user, we can query for it like so:

GraphiQL Loading...

Mutations

WPGraphQL also supports mutations for users.

Register User

For sites that have new user registrations enabled (under the WP-Admin Settings > General), a registerUser mutation will allow new users to register via a GraphQL Mutation.

GraphiQL Loading...

Create User

The createUser mutation is different than the registerUser mutation, because it requires the request to be authenticated and for the user to have proper capabilities to create users, much like if a user were to create another user from the WP-Admin dashboard.

GraphiQL Loading...

Update User

Below is an example of updating a user. The request must be authenticated and the user making the request must have proper capabilities to edit the user being updated.

GraphiQL Loading...

Delete User

Below is an example of deleting a user. The request must be authenticated and the user making the request must have proper capabilities to delete the user.

GraphiQL Loading...

Send Password Reset Email

When a user needs to reset their password, they'll need to have a Reset Password email sent.

This mutation allows for a user to request that email:

GraphiQL Loading...

Reset User Password

The email that is sent to a user to reset their password contains a unique key that grants them access to reset the password.

If that key is entered along with the matching username and a new password, the password can be reset.

GraphiQL Loading...

Sensitive Data

WordPress considers users with published content of a public post type public entities. Users that do not have published content in a public post type are considered private.

This means that a public GraphQL request can query for users and get a list of users in response. Much like a user could visit a published author's archive page or see the Username in the byline of a Blog Post. User that do not have any published content will not be returned in the results of a non-authenticated GraphQL query for users.

Some fields, such as the User.email are restricted and will return null if the request is a non-authenticated request.

Restricting fields

In certain cases, you may want to restrict specific fields to authenticated requests or other criteria.

The below snippet shows one way (of many possible ways) to filter WPGraphQL field resolvers to restrict the values of specific fields from resolving if the user is not logged in. You can use this snippet as inspiration to filter specific fields of specific Types that you would like to restrict based on whatever custom criteria your application has.

add_action( 'graphql_register_types', function() {

	/**
	 * Define the Types and their Fields that we want to filter
	 */
	$fields_to_require_auth = [
		'User' => [
			'email'
		],
		'Comment' => [
			'authorIp',
		],
	];

	/**
	 * Loop through the fields
	 */
	foreach ( $fields_to_require_auth as $type_name => $fields_to_filter ) {

		if ( ! empty( $fields_to_filter ) && is_array( $fields_to_filter ) ) {

			/**
			 * Apply a filter to said Type's fields
			 */
			add_filter( 'graphql_' . $type_name . '_fields', function( $fields ) use ( $type_name, $fields_to_filter ) {

				/**
				 * Loop through each of the fields we want to filter for this Type
				 */
				foreach ( $fields_to_filter as $field_name ) {

					/**
					 * The registry normalizes all keys to lowercase, so we make our $field_name lowercase here too
					 */
					$field_key = strtolower( $field_name );

					/**
					 * Make sure the field exists in the registry (it could have been removed by another plugin)
					 */
					if ( isset( $fields[ $field_key ] ) ) {

						/**
						 * If the request is not authenticated (no current user is set), override the resolver for the field to throw
						 * a UserError
						 *
						 * Change this to whatever condition you want
						 */
						if ( ! get_current_user_id() ) {
							$fields[ $field_key ]['resolve'] = function ( $root, $args, $context, $info ) use ( $type_name, $field_name ) {
								throw new \GraphQL\Error\UserError( __( sprintf( 'You do not have access to view the "%1$s" Field on the %2$s Type', $field_name, $type_name ), 'wp-graphql' ) );
							};
						}
					}
				}

				/**
				 * Return the fields to the filter.
				 */
				return $fields;
			} );
		}
	}

} );

Edit on GitHub

Users

  • Queries
  • List of Users
  • Connected Data
  • Single User
  • Mutations
  • Register User
  • Create User
  • Update User
  • Delete User
  • Send Password Reset Email
  • Reset User Password
  • Sensitive Data
  • Restricting fields

Edit on GitHub

Discuss on Spectrum