Graphqlbundle: Why does field access control on field makes its parent return `null`?

Created on 11 Jan 2018  路  9Comments  路  Source: overblog/GraphQLBundle

| Q | A
| ---------------- | -----
| Bug report? | yes
| Feature request? | no
| BC Break report? | no
| RFC? | no
| Version/Branch | xxx

Hey, I encountered a problem on field access control.

So I got this schema:

Query:
  type: object
  config:
    fields:
      site:
        type: Site
        resolve: "@=resolver('site', [args])"
        access: "@=hasPermission(object, 'view')"
        args:
          id:
            type: "Int"

Site:
  type: object
  config:
    fields:
      alpGroups:
        type: "[AlpGroup]!"
        resolve: "@=resolver('alp_groups_for_site', [value])"

AlpGroup:
  type: object
  config:
    fields:
      id:
        type: Int!
      platform:
        type: Site!
        access: "@=hasPermission(object, 'view')"

The user has access to site and site.alpGroups, but he does not have access to site.alpGroups.X.platform.

Here is a small example of what the query can returns:
image

However, when I try to access site.alpGroups.X.platform, every values of data.site.alpGroups are null.
selection_539

Why does it not return something like below?
Did I misunderstand how field access works, or it's a bug?

{
  "data": {
    "site": {
      "alpGroups": [
        {
          "id": 1,
          "platform": null
        },
        {
          "id": 2,
          "platform": null
        },
        {
          "id": 3,
          "platform": null
        },
        {
          "id": 4,
          "platform": null
        }
      ]
    }
  }
}

Thanks!

question

All 9 comments

Hi @Kocal,

Does the user has access to every site in site.alpGroups.X.platform?
If this is the case can you try to verify the type of site (array or object) in site.alpGroups.X.platform and root.site?
This can be done easily by accessing to the generated type resolvers.

Nope, site.alpGroups.X.platform is a different site than site :confused:

In our project, a platform is a _special site_ which has children sites.

So, the owner of site should not have access to its site's parent (the platform)

Ok. "@=resolver('alp_groups_for_site', [value])" returns an array of array or an array of object?

It returns an array of object

Can you verify manually that both objects returns true for$container->get('security.authorization_checker')->isGranted('view', $siteFromSite) and
$container->get('security.authorization_checker')->isGranted('view', $siteFromAlpGroupsSite) ?

image
image

As expected, the user can view its site, but not the parent (platform) of its site.

Ok I understand your bug

when using access if the return callback is false the protected field will be set to null but if your field is not nullable all the parent will be set to null. The true bug here is the non return of the error in response errors section.

So to fix this

AlpGroup:
  type: object
  config:
    fields:
      id:
        type: Int!
      platform:
        type: Site # <- nullable
        access: "@=hasPermission(object, 'view')"

Aaaaah!! You're right!
It seems logical that it can not returns null if my field is non-nullable, I totally forgot this behaviour :disappointed:

It's working as needed now, thanks :smile:

image

I'm closing this issue, I think you can remove bug label and put the question one.

Thanks again :smiley:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

tjuenger picture tjuenger  路  3Comments

rpander93 picture rpander93  路  3Comments

JuanWilde picture JuanWilde  路  4Comments

ooflorent picture ooflorent  路  6Comments

akomm picture akomm  路  4Comments