diff --git a/graphql/resolve/auth_delete_test.yaml b/graphql/resolve/auth_delete_test.yaml index b4212bec76c..1c9c7a59ed2 100644 --- a/graphql/resolve/auth_delete_test.yaml +++ b/graphql/resolve/auth_delete_test.yaml @@ -197,10 +197,10 @@ } ticket(func: uid(Ticket5)) { title : Ticket.title - onColumn : Ticket.onColumn @filter(uid(Column15)) { - inProject : Column.inProject @filter(uid(Project13)) { - roles : Project.roles @filter(uid(Role11)) { - assignedTo : Role.assignedTo @filter(uid(User10)) { + onColumn : Ticket.onColumn @filter(uid(Column6)) { + inProject : Column.inProject @filter(uid(Project8)) { + roles : Project.roles @filter(uid(Role10)) { + assignedTo : Role.assignedTo @filter(uid(User12)) { username : User.username age : User.age dgraph.uid : uid 
@@ -225,27 +225,27 @@ } } var(func: uid(Ticket5)) { - Column6 as Ticket.onColumn + Column7 as Ticket.onColumn } - Column15 as var(func: uid(Column6)) @filter(uid(ColumnAuth14)) + Column6 as var(func: uid(Column7)) @filter(uid(ColumnAuth15)) var(func: uid(Column6)) { - Project7 as Column.inProject + Project9 as Column.inProject } - Project13 as var(func: uid(Project7)) @filter(uid(ProjectAuth12)) - var(func: uid(Project7)) { - Role8 as Project.roles + Project8 as var(func: uid(Project9)) @filter(uid(ProjectAuth14)) + var(func: uid(Project8)) { + Role11 as Project.roles } - Role11 as var(func: uid(Role8)) - var(func: uid(Role8)) { - User9 as Role.assignedTo + Role10 as var(func: uid(Role11)) + var(func: uid(Role10)) { + User13 as Role.assignedTo } - User10 as var(func: uid(User9)) - ProjectAuth12 as var(func: uid(Project7)) @cascade { + User12 as var(func: uid(User13)) + ProjectAuth14 as var(func: uid(Project9)) @cascade { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { assignedTo : Role.assignedTo @filter(eq(User.username, "user1")) } } - ColumnAuth14 as var(func: uid(Column6)) @cascade { + ColumnAuth15 as var(func: uid(Column7)) @cascade { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { assignedTo : Role.assignedTo @filter(eq(User.username, "user1")) diff --git a/graphql/resolve/auth_query_test.yaml b/graphql/resolve/auth_query_test.yaml index 015c78fa290..907798c441d 100644 --- a/graphql/resolve/auth_query_test.yaml +++ b/graphql/resolve/auth_query_test.yaml @@ -23,10 +23,10 @@ queryContact(func: uid(ContactRoot)) { id : uid nickName : Contact.nickName - adminTasks : Contact.adminTasks @filter(uid(AdminTask5)) { + adminTasks : Contact.adminTasks @filter(uid(AdminTask1)) { id : uid name : AdminTask.name - occurrences : AdminTask.occurrences @filter(uid(TaskOccurrence4)) { + occurrences : AdminTask.occurrences @filter(uid(TaskOccurrence3)) { due : TaskOccurrence.due comp : TaskOccurrence.comp dgraph.uid : uid 
@@ -36,14 +36,14 @@ ContactRoot as var(func: uid(Contact6)) Contact6 as var(func: type(Contact)) var(func: uid(ContactRoot)) { - AdminTask1 as Contact.adminTasks + AdminTask2 as Contact.adminTasks } - AdminTask5 as var(func: uid(AdminTask1)) + AdminTask1 as var(func: uid(AdminTask2)) var(func: uid(AdminTask1)) { - TaskOccurrence2 as AdminTask.occurrences + TaskOccurrence4 as AdminTask.occurrences } - TaskOccurrence4 as var(func: uid(TaskOccurrence2)) @filter(uid(TaskOccurrenceAuth3)) - TaskOccurrenceAuth3 as var(func: uid(TaskOccurrence2)) @filter(eq(TaskOccurrence.role, "ADMINISTRATOR")) @cascade + TaskOccurrence3 as var(func: uid(TaskOccurrence4)) @filter(uid(TaskOccurrenceAuth5)) + TaskOccurrenceAuth5 as var(func: uid(TaskOccurrence4)) @filter(eq(TaskOccurrence.role, "ADMINISTRATOR")) @cascade } - name: "Deep RBAC rule - Level 0 false" @@ -97,8 +97,8 @@ id : uid nickName : Contact.nickName } - ContactRoot as var(func: uid(Contact5)) - Contact5 as var(func: type(Contact)) + ContactRoot as var(func: uid(Contact6)) + Contact6 as var(func: type(Contact)) } - name: "Deep RBAC rule with cascade - Level 1 false" @@ -126,10 +126,10 @@ queryContact(func: uid(ContactRoot)) @cascade { id : uid nickName : Contact.nickName - adminTasks : Contact.adminTasks @filter(uid(AdminTask6)) { + adminTasks : Contact.adminTasks @filter(uid(AdminTask1)) { id : uid name : AdminTask.name - occurrences : AdminTask.occurrences @filter(uid(TaskOccurrence4)) { + occurrences : AdminTask.occurrences @filter(uid(TaskOccurrence3)) { due : TaskOccurrence.due comp : TaskOccurrence.comp dgraph.uid : uid 
@@ -139,15 +139,15 @@ ContactRoot as var(func: uid(Contact7)) Contact7 as var(func: type(Contact)) var(func: uid(ContactRoot)) { - AdminTask1 as Contact.adminTasks + AdminTask2 as Contact.adminTasks } - AdminTask6 as var(func: uid(AdminTask1)) @filter(uid(AdminTask5)) + AdminTask1 as var(func: uid(AdminTask2)) @filter(uid(AdminTask6)) var(func: uid(AdminTask1)) { - TaskOccurrence2 as AdminTask.occurrences + TaskOccurrence4 as AdminTask.occurrences } - TaskOccurrence4 as var(func: uid(TaskOccurrence2)) @filter(uid(TaskOccurrenceAuth3)) - TaskOccurrenceAuth3 as var(func: uid(TaskOccurrence2)) @filter(eq(TaskOccurrence.role, "ADMINISTRATOR")) @cascade - AdminTask5 as var(func: uid()) + TaskOccurrence3 as var(func: uid(TaskOccurrence4)) @filter(uid(TaskOccurrenceAuth5)) + TaskOccurrenceAuth5 as var(func: uid(TaskOccurrence4)) @filter(eq(TaskOccurrence.role, "ADMINISTRATOR")) @cascade + AdminTask6 as var(func: uid()) } - name: "Deep RBAC rule - Level 2 false" @@ -175,17 +175,17 @@ queryContact(func: uid(ContactRoot)) { id : uid nickName : Contact.nickName - adminTasks : Contact.adminTasks @filter(uid(AdminTask3)) { + adminTasks : Contact.adminTasks @filter(uid(AdminTask1)) { id : uid name : AdminTask.name } } - ContactRoot as var(func: uid(Contact4)) - Contact4 as var(func: type(Contact)) + ContactRoot as var(func: uid(Contact5)) + Contact5 as var(func: type(Contact)) var(func: uid(ContactRoot)) { - AdminTask1 as Contact.adminTasks + AdminTask2 as Contact.adminTasks } - AdminTask3 as var(func: uid(AdminTask1)) + AdminTask1 as var(func: uid(AdminTask2)) } - name: "Deep RBAC rule - Level 1 type without auth." 
@@ -213,10 +213,10 @@ queryContact(func: uid(ContactRoot)) { id : uid nickName : Contact.nickName - tasks : Contact.tasks @filter(uid(Task5)) { + tasks : Contact.tasks @filter(uid(Task1)) { id : uid name : Task.name - occurrences : Task.occurrences @filter(uid(TaskOccurrence4)) { + occurrences : Task.occurrences @filter(uid(TaskOccurrence3)) { due : TaskOccurrence.due comp : TaskOccurrence.comp dgraph.uid : uid @@ -226,14 +226,14 @@ ContactRoot as var(func: uid(Contact6)) Contact6 as var(func: type(Contact)) var(func: uid(ContactRoot)) { - Task1 as Contact.tasks + Task2 as Contact.tasks } - Task5 as var(func: uid(Task1)) + Task1 as var(func: uid(Task2)) var(func: uid(Task1)) { - TaskOccurrence2 as Task.occurrences + TaskOccurrence4 as Task.occurrences } - TaskOccurrence4 as var(func: uid(TaskOccurrence2)) @filter(uid(TaskOccurrenceAuth3)) - TaskOccurrenceAuth3 as var(func: uid(TaskOccurrence2)) @filter(eq(TaskOccurrence.role, "ADMINISTRATOR")) @cascade + TaskOccurrence3 as var(func: uid(TaskOccurrence4)) @filter(uid(TaskOccurrenceAuth5)) + TaskOccurrenceAuth5 as var(func: uid(TaskOccurrence4)) @filter(eq(TaskOccurrence.role, "ADMINISTRATOR")) @cascade } - name: "Auth query with @dgraph pred." @@ -289,7 +289,7 @@ query { getProject(func: uid(ProjectRoot)) @filter(type(Project)) { projID : uid - columns : Project.columns @filter(uid(Column3)) { + columns : Project.columns @filter(uid(Column1)) { name : Column.name colID : uid } @@ -302,10 +302,10 @@ } } var(func: uid(ProjectRoot)) { - Column1 as Project.columns + Column2 as Project.columns } - Column3 as var(func: uid(Column1)) @filter(uid(ColumnAuth2)) - ColumnAuth2 as var(func: uid(Column1)) @cascade { + Column1 as var(func: uid(Column2)) @filter(uid(ColumnAuth3)) + ColumnAuth3 as var(func: uid(Column2)) @cascade { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { assignedTo : Role.assignedTo @filter(eq(User.username, "user1")) 
@@ -419,7 +419,7 @@ dgquery: |- query { queryUser(func: uid(UserRoot)) { - issues : User.issues @filter(uid(Issue3)) { + issues : User.issues @filter(uid(Issue1)) { id : uid } dgraph.uid : uid @@ -427,10 +427,10 @@ UserRoot as var(func: uid(User4)) User4 as var(func: type(User)) var(func: uid(UserRoot)) { - Issue1 as User.issues + Issue2 as User.issues } - Issue3 as var(func: uid(Issue1)) @filter(uid(IssueAuth2)) - IssueAuth2 as var(func: uid(Issue1)) @cascade { + Issue1 as var(func: uid(Issue2)) @filter(uid(IssueAuth3)) + IssueAuth3 as var(func: uid(Issue2)) @cascade { owner : Issue.owner @filter(eq(User.username, "user1")) } } @@ -454,8 +454,8 @@ username : User.username dgraph.uid : uid } - UserRoot as var(func: uid(User2)) - User2 as var(func: type(User)) + UserRoot as var(func: uid(User3)) + User3 as var(func: type(User)) } - name: "Auth with top level AND rbac true" @@ -746,7 +746,7 @@ query { queryUser(func: uid(UserRoot)) { username : User.username - tickets : User.tickets @filter(uid(Ticket3)) { + tickets : User.tickets @filter(uid(Ticket1)) { id : uid title : Ticket.title } @@ -755,10 +755,10 @@ UserRoot as var(func: uid(User4)) User4 as var(func: type(User)) var(func: uid(UserRoot)) { - Ticket1 as User.tickets + Ticket2 as User.tickets } - Ticket3 as var(func: uid(Ticket1)) @filter(uid(TicketAuth2)) - TicketAuth2 as var(func: uid(Ticket1)) @cascade { + Ticket1 as var(func: uid(Ticket2)) @filter(uid(TicketAuth3)) + TicketAuth3 as var(func: uid(Ticket2)) @cascade { onColumn : Ticket.onColumn { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { @@ -786,7 +786,7 @@ query { queryUser(func: uid(UserRoot)) { username : User.username - tickets : User.tickets @filter(uid(Ticket3)) { + tickets : User.tickets @filter(uid(Ticket1)) { id : uid title : Ticket.title } 
@@ -795,10 +795,10 @@ UserRoot as var(func: uid(User4)) User4 as var(func: type(User)) var(func: uid(UserRoot)) { - Ticket1 as User.tickets @filter(anyofterms(Ticket.title, "graphql")) + Ticket2 as User.tickets @filter(anyofterms(Ticket.title, "graphql")) } - Ticket3 as var(func: uid(Ticket1)) @filter(uid(TicketAuth2)) - TicketAuth2 as var(func: uid(Ticket1)) @cascade { + Ticket1 as var(func: uid(Ticket2)) @filter(uid(TicketAuth3)) + TicketAuth3 as var(func: uid(Ticket2)) @cascade { onColumn : Ticket.onColumn { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { @@ -854,7 +854,7 @@ query { queryMovie(func: uid(MovieRoot), orderasc: Movie.content) @cascade { content : Movie.content - regionsAvailable : Movie.regionsAvailable @filter(uid(Region2)) (orderasc: Region.name, first: 10, offset: 10) { + regionsAvailable : Movie.regionsAvailable @filter(uid(Region1)) (orderasc: Region.name, first: 10, offset: 10) { name : Region.name global : Region.global dgraph.uid : uid @@ -873,9 +873,9 @@ regionsAvailable : Movie.regionsAvailable @filter(eq(Region.global, true)) } var(func: uid(MovieRoot)) { - Region1 as Movie.regionsAvailable @filter(eq(Region.name, "Region123")) + Region2 as Movie.regionsAvailable @filter(eq(Region.name, "Region123")) } - Region2 as var(func: uid(Region1)) + Region1 as var(func: uid(Region2)) } - name: "Auth deep query - 3 level" 
@@ -904,10 +904,10 @@ query { queryMovie(func: uid(MovieRoot), orderasc: Movie.content) { content : Movie.content - regionsAvailable : Movie.regionsAvailable @filter(uid(Region7)) (orderasc: Region.name, first: 10, offset: 10) @cascade { + regionsAvailable : Movie.regionsAvailable @filter(uid(Region1)) (orderasc: Region.name, first: 10, offset: 10) @cascade { name : Region.name global : Region.global - users : Region.users @filter(uid(User6)) (orderasc: User.username, first: 10, offset: 10) { + users : Region.users @filter(uid(User3)) (orderasc: User.username, first: 10, offset: 10) { username : User.username age : User.age isPublic : User.isPublic @@ -934,18 +934,18 @@ regionsAvailable : Movie.regionsAvailable @filter(eq(Region.global, true)) } var(func: uid(MovieRoot)) { - Region1 as Movie.regionsAvailable @filter(eq(Region.name, "Region123")) + Region2 as Movie.regionsAvailable @filter(eq(Region.name, "Region123")) } - Region7 as var(func: uid(Region1)) + Region1 as var(func: uid(Region2)) var(func: uid(Region1)) { - User2 as Region.users @filter(eq(User.username, "User321")) + User4 as Region.users @filter(eq(User.username, "User321")) } - User6 as var(func: uid(User2)) - var(func: uid(User2)) { - UserSecret3 as User.secrets @filter(allofterms(UserSecret.aSecret, "Secret132")) + User3 as var(func: uid(User4)) + var(func: uid(User3)) { + UserSecret6 as User.secrets @filter(allofterms(UserSecret.aSecret, "Secret132")) } - UserSecret5 as var(func: uid(UserSecret3)) @filter(uid(UserSecretAuth4)) - UserSecretAuth4 as var(func: uid(UserSecret3)) @filter(eq(UserSecret.ownedBy, "user1")) @cascade + UserSecret5 as var(func: uid(UserSecret6)) @filter(uid(UserSecretAuth7)) + UserSecretAuth7 as var(func: uid(UserSecret6)) @filter(eq(UserSecret.ownedBy, "user1")) @cascade } - name: "Auth with complex filter" 
@@ -1052,8 +1052,8 @@ username : User.username dgraph.uid : uid } - UserRoot as var(func: uid(User2)) - User2 as var(func: type(User)) + UserRoot as var(func: uid(User3)) + User3 as var(func: type(User)) } - name: "Query with missing variable - partial jwt token" @@ -1142,11 +1142,11 @@ dgquery: |- query { queryUser(func: uid(UserRoot)) { - ticketsAggregate : User.tickets @filter(uid(Ticket3)) { + ticketsAggregate : User.tickets @filter(uid(TicketAggregateResult1)) { ticketsAggregate_titleVar as Ticket.title dgraph.uid : uid } - count_ticketsAggregate : count(User.tickets) @filter(uid(Ticket3)) + count_ticketsAggregate : count(User.tickets) @filter(uid(TicketAggregateResult1)) titleMin_ticketsAggregate : min(val(ticketsAggregate_titleVar)) titleMax_ticketsAggregate : max(val(ticketsAggregate_titleVar)) dgraph.uid : uid @@ -1154,10 +1154,10 @@ UserRoot as var(func: uid(User4)) User4 as var(func: type(User)) var(func: uid(UserRoot)) { - TicketAggregateResult1 as User.tickets @filter(anyofterms(Ticket.title, "graphql")) + TicketAggregateResult2 as User.tickets @filter(anyofterms(Ticket.title, "graphql")) } - Ticket3 as var(func: uid(TicketAggregateResult1)) @filter(uid(TicketAuth2)) - TicketAuth2 as var(func: uid(TicketAggregateResult1)) @cascade { + TicketAggregateResult1 as var(func: uid(TicketAggregateResult2)) @filter(uid(TicketAuth3)) + TicketAuth3 as var(func: uid(TicketAggregateResult2)) @cascade { onColumn : Ticket.onColumn { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { 
@@ -1190,18 +1190,18 @@ dgquery: |- query { queryUser(func: uid(UserRoot)) { - ticketsAggregate : User.tickets @filter(uid(Ticket3)) { + ticketsAggregate : User.tickets @filter(uid(TicketAggregateResult1)) { ticketsAggregate_titleVar as Ticket.title dgraph.uid : uid } titleMin_ticketsAggregate : min(val(ticketsAggregate_titleVar)) - issuesAggregate : User.issues @filter(uid(Issue6)) { + issuesAggregate : User.issues @filter(uid(IssueAggregateResult4)) { issuesAggregate_msgVar as Issue.msg dgraph.uid : uid } - count_issuesAggregate : count(User.issues) @filter(uid(Issue6)) + count_issuesAggregate : count(User.issues) @filter(uid(IssueAggregateResult4)) msgMax_issuesAggregate : max(val(issuesAggregate_msgVar)) - tickets : User.tickets @filter(uid(Ticket9)) { + tickets : User.tickets @filter(uid(Ticket7)) { title : Ticket.title dgraph.uid : uid } @@ -1210,10 +1210,10 @@ UserRoot as var(func: uid(User10)) User10 as var(func: type(User)) var(func: uid(UserRoot)) { - TicketAggregateResult1 as User.tickets @filter(anyofterms(Ticket.title, "graphql")) + TicketAggregateResult2 as User.tickets @filter(anyofterms(Ticket.title, "graphql")) } - Ticket3 as var(func: uid(TicketAggregateResult1)) @filter(uid(TicketAuth2)) - TicketAuth2 as var(func: uid(TicketAggregateResult1)) @cascade { + TicketAggregateResult1 as var(func: uid(TicketAggregateResult2)) @filter(uid(TicketAuth3)) + TicketAuth3 as var(func: uid(TicketAggregateResult2)) @cascade { onColumn : Ticket.onColumn { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { 
@@ -1223,17 +1223,17 @@ } } var(func: uid(UserRoot)) { - IssueAggregateResult4 as User.issues + IssueAggregateResult5 as User.issues } - Issue6 as var(func: uid(IssueAggregateResult4)) @filter(uid(IssueAuth5)) - IssueAuth5 as var(func: uid(IssueAggregateResult4)) @cascade { + IssueAggregateResult4 as var(func: uid(IssueAggregateResult5)) @filter(uid(IssueAuth6)) + IssueAuth6 as var(func: uid(IssueAggregateResult5)) @cascade { owner : Issue.owner @filter(eq(User.username, "user1")) } var(func: uid(UserRoot)) { - Ticket7 as User.tickets @filter(anyofterms(Ticket.title, "graphql2")) + Ticket8 as User.tickets @filter(anyofterms(Ticket.title, "graphql2")) } - Ticket9 as var(func: uid(Ticket7)) @filter(uid(TicketAuth8)) - TicketAuth8 as var(func: uid(Ticket7)) @cascade { + Ticket7 as var(func: uid(Ticket8)) @filter(uid(TicketAuth9)) + TicketAuth9 as var(func: uid(Ticket8)) @cascade { onColumn : Ticket.onColumn { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { 
@@ -1260,21 +1260,21 @@ dgquery: |- query { queryUser(func: uid(UserRoot)) { - issuesAggregate : User.issues @filter(uid(Issue3)) { + issuesAggregate : User.issues @filter(uid(IssueAggregateResult1)) { issuesAggregate_msgVar as Issue.msg dgraph.uid : uid } - count_issuesAggregate : count(User.issues) @filter(uid(Issue3)) + count_issuesAggregate : count(User.issues) @filter(uid(IssueAggregateResult1)) msgMin_issuesAggregate : min(val(issuesAggregate_msgVar)) dgraph.uid : uid } UserRoot as var(func: uid(User4)) User4 as var(func: type(User)) var(func: uid(UserRoot)) { - IssueAggregateResult1 as User.issues + IssueAggregateResult2 as User.issues } - Issue3 as var(func: uid(IssueAggregateResult1)) @filter(uid(IssueAuth2)) - IssueAuth2 as var(func: uid(IssueAggregateResult1)) @cascade { + IssueAggregateResult1 as var(func: uid(IssueAggregateResult2)) @filter(uid(IssueAuth3)) + IssueAuth3 as var(func: uid(IssueAggregateResult2)) @cascade { owner : Issue.owner @filter(eq(User.username, "user1")) } } @@ -1724,7 +1724,7 @@ checkProjectPassword(func: uid(ProjectRoot)) @filter((eq(val(pwd), 1) AND type(Project))) { name : Project.name projID : uid - columns : Project.columns @filter(uid(Column3)) { + columns : Project.columns @filter(uid(Column1)) { name : Column.name colID : uid } @@ -1737,10 +1737,10 @@ } } var(func: uid(ProjectRoot)) { - Column1 as Project.columns + Column2 as Project.columns } - Column3 as var(func: uid(Column1)) @filter(uid(ColumnAuth2)) - ColumnAuth2 as var(func: uid(Column1)) @cascade { + Column1 as var(func: uid(Column2)) @filter(uid(ColumnAuth3)) + ColumnAuth3 as var(func: uid(Column2)) @cascade { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { assignedTo : Role.assignedTo @filter(eq(User.username, "user1")) diff --git a/graphql/resolve/auth_test.go b/graphql/resolve/auth_test.go index af888f172f7..3b56253b3cc 100644 --- a/graphql/resolve/auth_test.go +++ b/graphql/resolve/auth_test.go 
@@ -435,7 +435,7 @@ func mutationQueryRewriting(t *testing.T, sch string, authMeta *testutil.AuthMet ticket(func: uid(TicketRoot)) { id : uid title : Ticket.title - onColumn : Ticket.onColumn @filter(uid(Column3)) { + onColumn : Ticket.onColumn @filter(uid(Column1)) { colID : uid name : Column.name } @@ -452,10 +452,10 @@ func mutationQueryRewriting(t *testing.T, sch string, authMeta *testutil.AuthMet } } var(func: uid(TicketRoot)) { - Column1 as Ticket.onColumn + Column2 as Ticket.onColumn } - Column3 as var(func: uid(Column1)) @filter(uid(ColumnAuth2)) - ColumnAuth2 as var(func: uid(Column1)) @cascade { + Column1 as var(func: uid(Column2)) @filter(uid(ColumnAuth3)) + ColumnAuth3 as var(func: uid(Column2)) @cascade { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { assignedTo : Role.assignedTo @filter(eq(User.username, "user1")) @@ -484,7 +484,7 @@ func mutationQueryRewriting(t *testing.T, sch string, authMeta *testutil.AuthMet ticket(func: uid(TicketRoot)) { id : uid title : Ticket.title - onColumn : Ticket.onColumn @filter(uid(Column3)) { + onColumn : Ticket.onColumn @filter(uid(Column1)) { colID : uid name : Column.name } @@ -501,10 +501,10 @@ func mutationQueryRewriting(t *testing.T, sch string, authMeta *testutil.AuthMet } } var(func: uid(TicketRoot)) { - Column1 as Ticket.onColumn + Column2 as Ticket.onColumn } - Column3 as var(func: uid(Column1)) @filter(uid(ColumnAuth2)) - ColumnAuth2 as var(func: uid(Column1)) @cascade { + Column1 as var(func: uid(Column2)) @filter(uid(ColumnAuth3)) + ColumnAuth3 as var(func: uid(Column2)) @cascade { inProject : Column.inProject { roles : Project.roles @filter(eq(Role.permission, "VIEW")) { assignedTo : Role.assignedTo @filter(eq(User.username, "user1")) diff --git a/graphql/resolve/query_rewriter.go b/graphql/resolve/query_rewriter.go index 30933b6efc0..03f019f9a68 100644 --- a/graphql/resolve/query_rewriter.go +++ b/graphql/resolve/query_rewriter.go 
@@ -63,8 +63,6 @@ type commonAuthQueryVars struct { // Stores queries which aggregate filters and auth rules. Eg. // // User6 as var(func: uid(User2), orderasc: ...) @filter((eq(User.username, "User1") AND (...Auth Filter)))) selectionQry *gql.GraphQuery - // Contains name of the generated filterVarName - filterVarName string } // NewQueryRewriter returns a new QueryRewriter. @@ -750,7 +748,7 @@ func (authRw *authRewriter) addAuthQueries( Args: []gql.Arg{{Value: authRw.parentVarName}}, } - // The final query that includes the user's filter and auth processsing is thus like + // The final query that includes the user's filter and auth processing is thus like // // queryTodo(func: uid(Todo1)) @filter(uid(Todo2) AND uid(Todo3)) { ... } // Todo1 as var(func: ... ) @filter(...) 
@@ -950,39 +948,37 @@ func buildTypeFunc(typ string) *gql.Function { func buildCommonAuthQueries( f schema.Field, auth *authRewriter, - parentQryName string) commonAuthQueryVars { + parentSelectionName string) commonAuthQueryVars { // This adds the following query. - // var(func: uid(Ticket)) { - // User as Ticket.assignedTo + // var(func: uid(Ticket1)) { + // User4 as Ticket.assignedTo // } - // where `Ticket` is the nodes selected at parent level and `User` is the nodes we - // need on the current level. + // where `Ticket1` is the nodes selected at parent level after applying auth and `User4` is the + // nodes we need on the current level. parentQry := &gql.GraphQuery{ Func: &gql.Function{ Name: "uid", - Args: []gql.Arg{{Value: auth.parentVarName}}, + Args: []gql.Arg{{Value: parentSelectionName}}, }, Attr: "var", - Children: []*gql.GraphQuery{{Attr: f.ConstructedForDgraphPredicate(), Var: parentQryName}}, + Children: []*gql.GraphQuery{{Attr: f.ConstructedForDgraphPredicate(), Var: auth.varName}}, } // This query aggregates all filters and auth rules and is used by root query to filter // the final nodes for the current level. - // User6 as var(func: uid(User2), orderasc: ...) @filter((eq(User.username, "User1") AND (...Auth Filter)))) - filterVarName := auth.varGen.Next(f.ConstructedFor(), "", "", auth.isWritingAuth) + // User3 as var(func: uid(User4)) @filter((eq(User.username, "User1") AND (...Auth Filter)))) selectionQry := &gql.GraphQuery{ - Var: filterVarName, + Var: auth.parentVarName, Attr: "var", Func: &gql.Function{ Name: "uid", - Args: []gql.Arg{{Value: parentQryName}}, + Args: []gql.Arg{{Value: auth.varName}}, }, } return commonAuthQueryVars{ - parentQry: parentQry, - selectionQry: selectionQry, - filterVarName: filterVarName, + parentQry: parentQry, + selectionQry: selectionQry, } } 
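Review bot: buildCommonAuthQueries now takes the current level's names from `auth.varName` and `auth.parentVarName` instead of generating them, but nothing in the signature or comments tells callers to assign fresh values to both fields before the call. The returned `selectionQry.Var` is what the callers install as the nested field's `@filter(uid(...))`, so a call made without that swap would reuse the enclosing level's variable as the auth gate and the mistake would only surface in the generated DQL. I would add a doc comment above the function along the lines of `// Callers must set auth.varName (raw edge var) and auth.parentVarName (auth-filtered selection var) to fresh names for f's level; parentSelectionName is the enclosing level's selection var.` The example on the `selectionQry` field of `commonAuthQueryVars` (`User6 as var(func: uid(User2), orderasc: ...)`) still shows the old numbering and could be updated to match `User3 as var(func: uid(User4))`.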
@@ -1102,10 +1098,10 @@ func buildAggregateFields( var parentVarName, parentQryName string if len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules { parentVarName = auth.parentVarName - parentQryName = auth.varGen.Next(f.Type(), "", "", auth.isWritingAuth) + parentQryName = auth.varName + auth.parentVarName = auth.varGen.Next(f.Type(), "", "", auth.isWritingAuth) + auth.varName = auth.varGen.Next(f.Type(), "", "", auth.isWritingAuth) } - auth.parentVarName = parentVarName - auth.varName = parentQryName var fieldAuth, retAuthQueries []*gql.GraphQuery var authFilter *gql.FilterTree if rbac == schema.Uncertain { @@ -1120,7 +1116,7 @@ func buildAggregateFields( // appended only once. This also merges auth filters and any other filters of count // aggregation fields / mainField. if len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules { - commonAuthQueryVars := buildCommonAuthQueries(f, auth, parentQryName) + commonAuthQueryVars := buildCommonAuthQueries(f, auth, parentVarName) // add child filter to parent query, auth filters to selection query and // selection query as a filter to child commonAuthQueryVars.selectionQry.Filter = authFilter @@ -1134,10 +1130,13 @@ func buildAggregateFields( aggregateChild.Filter = &gql.FilterTree{ Func: &gql.Function{ Name: "uid", - Args: []gql.Arg{{Value: commonAuthQueryVars.filterVarName}}, + Args: []gql.Arg{{Value: commonAuthQueryVars.selectionQry.Var}}, }, } } + // Restore the auth state after processing is done. + auth.parentVarName = parentVarName + auth.varName = parentQryName } // otherAggregation Children are appended to aggregationChildren to return them. // This step is performed at the end to ensure that auth and other filters are 
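Review bot: In buildAggregateFields the save of `auth.parentVarName`/`auth.varName` (first hunk) and the restore (third hunk) sit in two separate `if` blocks that each re-evaluate `len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules`, so a return or a change to those flags in the code between them, which is not visible here, would leave this field's generated names in `auth` for later fields. Since `selectionQry.Var` becomes the `uid(...)` auth filter on the aggregate child, a stale name would attach that filter to the wrong variable block. Putting the restore next to the save, e.g. `defer func() { auth.parentVarName, auth.varName = parentVarName, parentQryName }()` inside the first `if`, would cover every exit, provided the code after the block does not read the restored values before returning. `parentQryName` now holds the saved `auth.varName`, so a name such as `savedVarName` would describe it better. The function body starts and ends outside these hunks.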
@@ -1254,9 +1253,9 @@ func addSelectionSetFrom( var parentVarName, parentQryName string if len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules { parentVarName = auth.parentVarName - parentQryName = auth.varGen.Next(f.Type(), "", "", auth.isWritingAuth) - auth.parentVarName = parentQryName - auth.varName = parentQryName + parentQryName = auth.varName + auth.parentVarName = auth.varGen.Next(f.Type(), "", "", auth.isWritingAuth) + auth.varName = auth.varGen.Next(f.Type(), "", "", auth.isWritingAuth) } var selectionAuth []*gql.GraphQuery @@ -1264,13 +1263,16 @@ func addSelectionSetFrom( selectionAuth = addSelectionSetFrom(child, f, auth) } - if len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules { - // Restore the state after processing is done. - auth.parentVarName = parentVarName - auth.varName = parentQryName + restoreAuthState := func() { + if len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules { + // Restore the auth state after processing is done. + auth.parentVarName = parentVarName + auth.varName = parentQryName + } } if f.Type().IsInbuiltOrEnumType() && (fieldSeenCount[f.DgraphAlias()] > 0) { + restoreAuthState() continue } fieldSeenCount[f.DgraphAlias()]++ @@ -1304,6 +1306,7 @@ func addSelectionSetFrom( } else if rbac == schema.Negative { // If RBAC rules are evaluated to Negative, we don't write queries for deeper levels. // Hence we don't need to do any further processing for this field. + restoreAuthState() continue } @@ -1313,7 +1316,7 @@ func addSelectionSetFrom( } if len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules { - commonAuthQueryVars := buildCommonAuthQueries(f, auth, parentQryName) + commonAuthQueryVars := buildCommonAuthQueries(f, auth, parentVarName) // add child filter to parent query, auth filters to selection query and // selection query as a filter to child commonAuthQueryVars.parentQry.Children[0].Filter = child.Filter 
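Review bot: `restoreAuthState` in addSelectionSetFrom has to be called by hand on every way out of the loop iteration (the two `continue` statements here and the end of the body in the following hunk), and it re-evaluates the guard condition at call time rather than reusing the decision made when the names were swapped. Any other `continue` in the part of the loop outside these hunks, or a change to `auth.isWritingAuth`/`auth.hasAuthRules` during the iteration, would skip the restore and let a sibling field build its auth filter from this field's variable names. Capturing the decision once, `scoped := len(f.SelectionSet()) > 0 && !auth.isWritingAuth && auth.hasAuthRules`, and testing `scoped` in the save, the closure and the later `if` removes the second risk. Moving the per-field work into a helper so the restore can be a `defer` would remove the first. A short comment on the closure saying that it must run before every `continue` would help until then.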
@@ -1321,13 +1324,14 @@ func addSelectionSetFrom( child.Filter = &gql.FilterTree{ Func: &gql.Function{ Name: "uid", - Args: []gql.Arg{{Value: commonAuthQueryVars.filterVarName}}, + Args: []gql.Arg{{Value: commonAuthQueryVars.selectionQry.Var}}, }, } authQueries = append(authQueries, commonAuthQueryVars.parentQry, commonAuthQueryVars.selectionQry) } authQueries = append(authQueries, selectionAuth...) authQueries = append(authQueries, fieldAuth...) + restoreAuthState() } // Sort the required fields before adding them to q.Children so that the query produced after