fix(GraphQL): fix interface query with auth rules. #7401
Conversation
github-actions
bot
added
the
area/graphql
There was a problem hiding this comment.
The user on the discuss post says that they also say this bug for delete Mutations, can we verify that is fixed as well?
Reviewed 5 of 5 files at r1.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @minhaj-shakeel)
graphql/resolve/auth_query_test.yaml, line 1952 at r1 (raw file):
jwtvar: ROLE: "ADMIN" USER: "user"
What about the other Auth rule about the user, is that not applied here?
graphql/resolve/query_rewriter.go, line 790 at r1 (raw file):
// then simply we need to Put uid(Todo1) with OR in the main query filter. // 2. If rbac evaluates to `Positive` which means RBAC rule is satisfied. // Either it is the only auth rule, or it is present with `OR`, which means
Can't it be present with AND as well? Is it necessary that it can only have OR?
There was a problem hiding this comment.
Yeah, essentially all the operations for the query in which `RBAC were evaluated to positive were giving incorrect results due to error in query rewriting.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @pawanrawal)
graphql/resolve/auth_query_test.yaml, line 1952 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
What about the other Auth rule about the user, is that not applied here?
Yeah, because RBACRB rules are evaluated to positive so it should return all the nodes.
graphql/resolve/query_rewriter.go, line 790 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Can't it be present with
ANDas well? Is it necessary that it can only haveOR?
No, if the RBAC rule is present with AND this means that if the auth rules passed, we still need to attach the auth queries to our DQL query.
There was a problem hiding this comment.
Reviewable status:
complete! all files reviewed, all discussions resolved (waiting on @minhaj-shakeel)
Fixes GRAPHQL-1013.
This PR fixes a bug in query rewriting for interface query with auth rules. For more context please read here.
This change is