Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Null ClaimsPrincipal makes all access checks pass
See original GitHub issueSteps to reproduce
Configure a field with RequiresAllRoles():
schema.UpdateQuery(queryType =>queryType.ReplaceField(...).RequiresAllRoles("my_role"));
Call ExecuteRequest() with user set to null:
_schemaProvider.ExecuteRequest(query, _graphQLOverallSchema, HttpContext.RequestServices, null);
In this case, the RequiresAllRoles() check appears to be bypassed, and instead of getting the error You are not authorized to access the 'example' field on type 'Query'., we get data back instead.
This feels to me like a bug (albeit a minor one 🙂). If I pass null for the user in ExecuteRequest(), I would expect that all fields that have been configured with RequiresAllRoles() would fail with an access denied message.
(I’ve tested this on EntityGraphQL 3.0.5 but not on the 4.0 branch)
Issue Analytics
- State:
- Created a year ago
- Comments:9 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hmm this is “by design”. Might not be good design!
If you pass
nullit “assumed no access check should happen”. If you pass auser“checks should happen”.At this stage (because the library has evolved a lots since access check were first introduced) I think a better is to always do checks if they are on fields/types and error on
nulluser.If we still want the ability to bypass access checks, making it more explicit via an execution option would be better.
Sweet! 🙂