Users
Learn about how to interact with Users using WPGraphQL
Users are core to WordPress and are a first class citizen in the WPGraphQL Schema. On this page we will look at various ways to interact with Users using WPGraphQL.
Queries
WPGraphQL comes with RootQuery fields built-in to query User data. You can query for lists of users or individual users. Below, we'll look at some common examples for querying Users.
List of Users
In this example, we query a list of User nodes. By default, WPGraphQL will return 10 items.
GraphiQL Loading...Connected Data
In WordPress, Users can be connected to Posts and Pages as the author. You can query a user's connected data in various ways.
Here's one example, where we query for a list of users, and for each user we ask for a list of their recent posts (default will be 10 most recent)
GraphiQL Loading...Single User
If we know the ID of a user, we can query for it like so:
GraphiQL Loading...Mutations
WPGraphQL also supports mutations for users.
Register User
For sites that have new user registrations enabled (under the WP-Admin Settings > General), a registerUser
mutation will allow new users
to register via a GraphQL Mutation.
Create User
The createUser
mutation is different than the registerUser
mutation, because it requires the
request to be authenticated and for the user to have proper capabilities to create users, much
like if a user were to create another user from the WP-Admin dashboard.
Update User
Below is an example of updating a user. The request must be authenticated and the user making the request must have proper capabilities to edit the user being updated.
GraphiQL Loading...Delete User
Below is an example of deleting a user. The request must be authenticated and the user making the request must have proper capabilities to delete the user.
GraphiQL Loading...Send Password Reset Email
When a user needs to reset their password, they'll need to have a Reset Password email sent.
This mutation allows for a user to request that email:
GraphiQL Loading...Reset User Password
The email that is sent to a user to reset their password contains a unique key that grants them access to reset the password.
If that key is entered along with the matching username and a new password, the password can be reset.
GraphiQL Loading...Sensitive Data
WordPress considers users with published content of a public post type public entities. Users that do not have published content in a public post type are considered private.
This means that a public GraphQL request can query for users and get a list of users in response. Much like a user could visit a published author's archive page or see the Username in the byline of a Blog Post. User that do not have any published content will not be returned in the results of a non-authenticated GraphQL query for users.
Some fields, such as the User.email
are restricted and will return null
if the request is a
non-authenticated request.
Restricting fields
In certain cases, you may want to restrict specific fields to authenticated requests or other criteria.
The below snippet shows one way (of many possible ways) to filter WPGraphQL field resolvers to restrict the values of specific fields from resolving if the user is not logged in. You can use this snippet as inspiration to filter specific fields of specific Types that you would like to restrict based on whatever custom criteria your application has.
add_action( 'graphql_register_types', function() {
/**
* Define the Types and their Fields that we want to filter
*/
$fields_to_require_auth = [
'User' => [
'email'
],
'Comment' => [
'authorIp',
],
];
/**
* Loop through the fields
*/
foreach ( $fields_to_require_auth as $type_name => $fields_to_filter ) {
if ( ! empty( $fields_to_filter ) && is_array( $fields_to_filter ) ) {
/**
* Apply a filter to said Type's fields
*/
add_filter( 'graphql_' . $type_name . '_fields', function( $fields ) use ( $type_name, $fields_to_filter ) {
/**
* Loop through each of the fields we want to filter for this Type
*/
foreach ( $fields_to_filter as $field_name ) {
/**
* The registry normalizes all keys to lowercase, so we make our $field_name lowercase here too
*/
$field_key = strtolower( $field_name );
/**
* Make sure the field exists in the registry (it could have been removed by another plugin)
*/
if ( isset( $fields[ $field_key ] ) ) {
/**
* If the request is not authenticated (no current user is set), override the resolver for the field to throw
* a UserError
*
* Change this to whatever condition you want
*/
if ( ! get_current_user_id() ) {
$fields[ $field_key ]['resolve'] = function ( $root, $args, $context, $info ) use ( $type_name, $field_name ) {
throw new \GraphQL\Error\UserError( __( sprintf( 'You do not have access to view the "%1$s" Field on the %2$s Type', $field_name, $type_name ), 'wp-graphql' ) );
};
}
}
}
/**
* Return the fields to the filter.
*/
return $fields;
} );
}
}
} );