| Q | A
| ---------------- | -----
| Bug report? | yes
| Feature request? | no
| BC Break report? | no
| RFC? | no
| Version/Branch | xxx
Hey, I encountered a problem on field access control.
So I got this schema:
Query:
type: object
config:
fields:
site:
type: Site
resolve: "@=resolver('site', [args])"
access: "@=hasPermission(object, 'view')"
args:
id:
type: "Int"
Site:
type: object
config:
fields:
alpGroups:
type: "[AlpGroup]!"
resolve: "@=resolver('alp_groups_for_site', [value])"
AlpGroup:
type: object
config:
fields:
id:
type: Int!
platform:
type: Site!
access: "@=hasPermission(object, 'view')"
The user has access to site and site.alpGroups, but he does not have access to site.alpGroups.X.platform.
Here is a small example of what the query can returns:

However, when I try to access site.alpGroups.X.platform, every values of data.site.alpGroups are null.

Why does it not return something like below?
Did I misunderstand how field access works, or it's a bug?
{
"data": {
"site": {
"alpGroups": [
{
"id": 1,
"platform": null
},
{
"id": 2,
"platform": null
},
{
"id": 3,
"platform": null
},
{
"id": 4,
"platform": null
}
]
}
}
}
Thanks!
Hi @Kocal,
Does the user has access to every site in site.alpGroups.X.platform?
If this is the case can you try to verify the type of site (array or object) in site.alpGroups.X.platform and root.site?
This can be done easily by accessing to the generated type resolvers.
Nope, site.alpGroups.X.platform is a different site than site :confused:
In our project, a platform is a _special site_ which has children sites.
So, the owner of site should not have access to its site's parent (the platform)
Ok. "@=resolver('alp_groups_for_site', [value])" returns an array of array or an array of object?
It returns an array of object
Can you verify manually that both objects returns true for$container->get('security.authorization_checker')->isGranted('view', $siteFromSite) and
$container->get('security.authorization_checker')->isGranted('view', $siteFromAlpGroupsSite) ?


As expected, the user can view its site, but not the parent (platform) of its site.
Ok I understand your bug
when using access if the return callback is false the protected field will be set to null but if your field is not nullable all the parent will be set to null. The true bug here is the non return of the error in response errors section.
So to fix this
AlpGroup:
type: object
config:
fields:
id:
type: Int!
platform:
type: Site # <- nullable
access: "@=hasPermission(object, 'view')"
Aaaaah!! You're right!
It seems logical that it can not returns null if my field is non-nullable, I totally forgot this behaviour :disappointed:
It's working as needed now, thanks :smile:

I'm closing this issue, I think you can remove bug label and put the question one.
Thanks again :smiley: