Cms: Unpublished drafts are publicly available over GraphQL
Description
Creating a page and saving it as draft makes the page publicly available over GraphQL, even if it's not published. Is there any way to disable this? It would be great if we have to include the ?x-craft-live-preview token to make this available. Otherwise, people could search for drafts on publicly available GraphQL endpoints. Maybe this is related to #5580?
Steps to reproduce
- Create a new page
- Save as draft (but do not publish)
- Run this query:
query {
entry(uri:"a-new-draft-page", drafts: true) {
title
}
}
Additional info
- Craft version: Craft Pro 3.6.6
- PHP version: 8.0.2
- Database driver & version: PostgreSQL 10.15
- Plugins & versions:
- Amazon S3 1.2.11
- Navigation 1.4.13
- Neo 2.8.19
- Redactor 2.8.5
gopeter
All 6 comments
Probably the most straightforward way to solve this is to make the schema explicitly allow querying drafts.
andris-sevcenko
on 18 Feb 2021
It’s expected that this is possible, hence the existence of the drafts param.
If we add a way to tighten it, we should consider “published” entries that aren’t currently live as well (either because their status is disabled, on their Post Date is in the future, or their Expiry Date is set and in the past).
brandonkelly
on 18 Feb 2021
Wow, that was fast! 😄
gopeter
on 24 Feb 2021
@gopeter just pushed a few commits to address this in the next Craft 3.6 release.
You'll be able to uncheck a few options when defining a GraphQL schema - querying for drafts, querying for revisions as well as querying for inactive elements.
These options are going to be enabled automatically for all existing schemas, but will have to be explicitly allowed for new ones.
andris-sevcenko
on 24 Feb 2021
Really nice, thanks a lot 👍
gopeter
on 24 Feb 2021
Craft 3.6.8 is out now with these new schema settings ✨
brandonkelly
on 3 Mar 2021
Related issues
Mosnar
·
3Comments
davist11
·
3Comments
angrybrad
·
3Comments
mattstein
·
3Comments
rynpsc
·
3Comments
Most helpful comment
Wow, that was fast! 😄