Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: skip validation of where query paths from access result #9349

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: skip validation of where query paths from access result #9349

wants to merge 2 commits into from
+108 −19

Conversation

r1tsuu
Copy link
Member

@r1tsuu r1tsuu commented Nov 19, 2024
edited
Loading

What?

Previously, payload.findByID with overrideAccess: false and this collection config

{
  slug: 'fields-and-top-access',
  access: {
    read: () => ({
      secret: {
        equals: '12345',
      },
    }),
  },
  fields: [
    {
      type: 'text',
      name: 'secret',
      access: { read: () => false },
    },
  ],
},

Led to the The following path cannot be queried: secret error because where input to validateQueryPaths also includes the result from access control, which shouldn't be.

This works when using payload.find.

The same applies to find with drafts / joins where. We need to validate only user where input, not access control that we defined in our config.

Also, this exact logic seems be used in find without drafts - we don't use fullWhere here but where, that's why this error isn't being thrown with find but only findByID.

payload/packages/payload/src/collections/operations/find.ts

Line 134 in d9c6288

let fullWhere = combineQueries(where, accessResult)

payload/packages/payload/src/collections/operations/find.ts

Lines 166 to 171 in d9c6288

} else {
await validateQueryPaths({
collectionConfig,
overrideAccess,
req,
where,

Fixes #9210

@r1tsuu r1tsuu changed the title fix: skip access validation of where constraints from access result fix: skip validation of query paths from access result Nov 19, 2024
@r1tsuu r1tsuu changed the title fix: skip validation of query paths from access result fix: skip validation of where query paths from access result Nov 19, 2024
@denolfe denolfe removed the v3 label Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
created-by: Payload team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Validation Query Path Issue
2 participants
@r1tsuu @denolfe