Null ClaimsPrincipal makes all access checks pass
Steps to reproduce
Configure a field with RequiresAllRoles(), then run ExecuteRequest() with user set to null:
_schemaProvider.ExecuteRequest(query, _graphQLOverallSchema, HttpContext.RequestServices, null);
In this case, the RequiresAllRoles() check appears to be bypassed: instead of getting the error "You are not authorized to access the 'example' field on type 'Query'.", we get data back.
This feels to me like a bug (albeit a minor one 🙂). If I pass null for the user in ExecuteRequest(), I would expect that all fields that have been configured with RequiresAllRoles() would fail with an access denied message.
(I've tested this on EntityGraphQL 3.0.5 but not on the 4.0 branch)
- Created a year ago
- Comments: 9 (2 by maintainers)
Top GitHub Comments
Hmm this is "by design". Might not be good design!
If you pass null it "assumed no access check should happen". If you pass a user "checks should happen".
At this stage (because the library has evolved a lot since access checks were first introduced) I think a better approach is to always do checks if they are on fields/types and error on null.
If we still want the ability to bypass access checks, making it more explicit via an execution option would be better.
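The behaviour reported in the issue and the fix the maintainer sketches can be shown in a few lines of plain .NET. The code below is an added example, not EntityGraphQL's code: it puts a fail-open role check (a null principal skips the check, as described above) beside a fail-closed one that denies every guarded field when no authenticated principal is supplied, with an explicit execution option for the bypass the maintainer mentions. `FieldAccess`, `AuthMode`, `AllowedFailOpen`, `AllowedFailClosed` and `MakeUser` are hypothetical names chosen here; `ClaimsPrincipal`, `ClaimsIdentity` and `ClaimTypes` are the real `System.Security.Claims` types.

```csharp
// Added example, not EntityGraphQL's code: a minimal field-level role check in the
// fail-open form described in the issue, next to a fail-closed form with an
// explicit, auditable opt-out. Names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical execution option standing in for "make the bypass explicit".
public enum AuthMode { Enforce, Skip }

public static class FieldAccess
{
    // Fail-open variant: mirrors the "by design" behaviour from the thread.
    // A null principal is taken to mean "no access check should happen".
    public static bool AllowedFailOpen(ClaimsPrincipal? user, IEnumerable<string> requiredRoles)
    {
        if (user == null) return true;
        return requiredRoles.All(user.IsInRole);
    }

    // Fail-closed variant: a missing or unauthenticated principal carries no
    // trustworthy roles, so every guarded field is denied unless the caller
    // explicitly asks to skip checks via the execution option.
    public static bool AllowedFailClosed(ClaimsPrincipal? user,
                                         IEnumerable<string> requiredRoles,
                                         AuthMode mode = AuthMode.Enforce)
    {
        var roles = requiredRoles.ToList();
        if (roles.Count == 0) return true;                      // field has no requirement
        if (mode == AuthMode.Skip) return true;                 // explicit, visible bypass
        if (user?.Identity?.IsAuthenticated != true) return false;
        return roles.All(user.IsInRole);
    }

    // Builds a constructed test principal; a non-null authenticationType makes
    // IsAuthenticated true, and ClaimTypes.Role is the default role claim type.
    static ClaimsPrincipal MakeUser(params string[] roles)
    {
        var identity = new ClaimsIdentity(
            roles.Select(r => new Claim(ClaimTypes.Role, r)),
            authenticationType: "Test");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var required = new[] { "admin" };
        var admin = MakeUser("admin");
        var viewer = MakeUser("viewer");

        Console.WriteLine($"fail-open,   null user:   {AllowedFailOpen(null, required)}");
        Console.WriteLine($"fail-closed, null user:   {AllowedFailClosed(null, required)}");
        Console.WriteLine($"fail-closed, viewer:      {AllowedFailClosed(viewer, required)}");
        Console.WriteLine($"fail-closed, admin:       {AllowedFailClosed(admin, required)}");
        Console.WriteLine($"fail-closed, Skip option: {AllowedFailClosed(null, required, AuthMode.Skip)}");
        Console.WriteLine($"fail-closed, unguarded:   {AllowedFailClosed(null, Array.Empty<string>())}");
    }
}
```

The first line of output reproduces the issue: the fail-open check grants a guarded field to a null principal. The fail-closed variant treats "no principal" the same as "no roles", so the only way a guarded field is returned without an authenticated user holding the required roles is through `AuthMode.Skip`, which a caller has to pass on purpose and which shows up in code review and logs.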