Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Null ClaimsPrincipal makes all access checks pass

See original GitHub issue

Steps to reproduce Configure a field with RequiresAllRoles():

schema.UpdateQuery(queryType =>queryType.ReplaceField(...).RequiresAllRoles("my_role"));

Call ExecuteRequest() with user set to null:

_schemaProvider.ExecuteRequest(query, _graphQLOverallSchema, HttpContext.RequestServices, null);

In this case, the RequiresAllRoles() check appears to be bypassed, and instead of getting the error You are not authorized to access the 'example' field on type 'Query'., we get data back instead.

This feels to me like a bug (albeit a minor one 🙂). If I pass null for the user in ExecuteRequest(), I would expect that all fields that have been configured with RequiresAllRoles() would fail with an access denied message.

(I’ve tested this on EntityGraphQL 3.0.5 but not on the 4.0 branch)

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:9 (2 by maintainers)

github_iconTop GitHub Comments

lukemurraycommented, Sep 25, 2022

Hmm this is “by design”. Might not be good design!

If you pass null it “assumed no access check should happen”. If you pass a user “checks should happen”.

At this stage (because the library has evolved a lots since access check were first introduced) I think a better is to always do checks if they are on fields/types and error on null user.

If we still want the ability to bypass access checks, making it more explicit via an execution option would be better.

Eli-Black-Workcommented, Mar 20, 2023

Sweet! 🙂

Read more comments on GitHub >

github_iconTop Results From Across the Web

Claims values returned null c# - Stack Overflow
Also created the new ASP.NET MVC project with the same solution. My issue is after the successful login I'm adding some important access...
Read more >
ClaimsPrincipal Class (System.Security.Claims)
User as ClaimsPrincipal; if (null != principal) { foreach (Claim claim in ... Inline claims-based code access checks can be performed by configuring...
Read more >
3 Common Problems with ClaimsIdentity and ...
Usually, this is because the claims that are passed in to ClaimsIdentity have the wrong ClaimType value for roles. By default, the claim...
Read more >
Accessing and Extending Authorization Claims in ASP.NET ...
If you've written code to access user information in ASP.NET MVC, you've worked with the ClaimsPrincipal object.
Read more >
Support ClaimsPrincipal as a parameter with minimal APIs?
While an improvement over the endpoint version, the HttpContext parameter is retained due to the need to access the user to access the ......
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found