wp-graphql-woocommerce
query orders only show all orders and not react on any modifiers like: first, search, include
That's because those filters were simply stripped from the Customer-to-Order connection, because some of them were security risks.
@AVert ☝🏿
@kidunot89 And is it not possible to verify that the requests being filtered come exclusively from the person who makes the request after logging in via JWT?
Without the order filters we can't, for example, pick up only the parent orders.
Thanks!
@kidunot89 I guess the security risk is in the customer fields, but I think the other ones are safe, since the Customer_order_connection verifies the actual customer ID or the order billing email. Why is it not possible to whitelist these fields in the function get_connection_args when the access is public?
```php
public static function get_connection_args($access = 'public'): array
{
    switch ($access) {
        case 'private':
            // Shop managers: full set of order filters.
            return array_merge(
                get_wc_cpt_connection_args(),
                array(
                    'statuses' => array(
                        'type' => array('list_of' => 'OrderStatusEnum'),
                        'description' => __('Limit result set to orders assigned a specific status.', 'wp-graphql-woocommerce'),
                    ),
                    'customerId' => array(
                        'type' => 'Int',
                        'description' => __('Limit result set to orders assigned a specific customer.', 'wp-graphql-woocommerce'),
                    ),
                    'customersIn' => array(
                        'type' => array('list_of' => 'Int'),
                        'description' => __('Limit result set to orders assigned a specific group of customers.', 'wp-graphql-woocommerce'),
                    ),
                    'productId' => array(
                        'type' => 'Int',
                        'description' => __('Limit result set to orders assigned a specific product.', 'wp-graphql-woocommerce'),
                    ),
                    'orderby' => array(
                        'type' => array('list_of' => 'OrdersOrderbyInput'),
                        'description' => __('What parameter to use to order the objects by.', 'wp-graphql-woocommerce'),
                    ),
                )
            );
        case 'public':
            // Logged-in customers: only arguments that cannot widen the result
            // set beyond the customer's own orders.
            return array(
                'statuses' => array(
                    'type' => array('list_of' => 'OrderStatusEnum'),
                    'description' => __('Limit result set to orders assigned a specific status.', 'wp-graphql-woocommerce'),
                ),
                'first' => array(
                    'type' => 'Int',
                    'description' => __('Limit the number of results returned.', 'wp-graphql-woocommerce'),
                ),
                'after' => array(
                    'type' => 'String',
                    'description' => __('Return results after the given cursor.', 'wp-graphql-woocommerce'),
                ),
                'where' => array(
                    'type' => 'WhereQueryInput',
                    'description' => __('Additional filters to apply to the result set.', 'wp-graphql-woocommerce'),
                ),
            );
        default:
            return array(
                'statuses' => array(
                    'type' => array('list_of' => 'OrderStatusEnum'),
                    'description' => __('Limit result set to orders assigned a specific status.', 'wp-graphql-woocommerce'),
                ),
                'productId' => array(
                    'type' => 'Int',
                    'description' => __('Limit result set to orders assigned a specific product.', 'wp-graphql-woocommerce'),
                ),
                'orderby' => array(
                    'type' => array('list_of' => 'OrdersOrderbyInput'),
                    'description' => __('What parameter to use to order the objects by.', 'wp-graphql-woocommerce'),
                ),
                'search' => array(
                    'type' => 'String',
                    'description' => __('Limit results to those matching a string.', 'wp-graphql-woocommerce'),
                ),
                'dateQuery' => array(
                    'type' => 'DateQueryInput',
                    'description' => __('Filter the connection based on dates.', 'wp-graphql-woocommerce'),
                ),
            );
    }
}
```
@RodrigoTomeES @alvarolog @AVert It's very much possible to restore some of these filters. At the time of development, when I was made aware of the security issue, complete removal was the simplest solution given the time crunch, and I'll support a PR that restores the non-risky where arguments of this query:
```graphql
query {
  customer {
    orders(where: {...}) {
      ...
    }
  }
}
```
Hi @kidunot89, thanks for the fast reply. Could you add the pagination params too?
```graphql
query orders {
  orders(first: 2, after: "XXX", where: {parent: 0}) {
    ...
  }
}
```
@alvarolog pagination should already work 🤔
@kidunot89 It doesn't work if the logged-in user is not an admin; this function removes all filter params, because get_connection_args('public') returns empty:
```php
// Remove any arguments that require querying user to have "shop manager" role.
$args = $not_manager && 'shop_order' === $post_object->name
    ? \array_intersect_key( $args, array_keys( self::get_connection_args( 'public' ) ) )
    : $args;
```

```php
public static function get_connection_args( $access = 'public' ): array {
    switch ( $access ) {
        case 'private':
            return array(...);
        case 'public': // This returns empty and clears all filters
        default:
            return array(...);
    }
}
```
@alvarolog That does not include the pagination arguments, which are defined in WPGraphQL.
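The following is an added illustration, not code from the plugin or from any comment above, of the two points the thread circles around: applying a public allowlist of `where` arguments to what a non-manager customer sends, and keeping the connection-level pagination arguments (`first`/`after`) separate from that allowlist. `public_where_args()` and `filter_where_args()` are hypothetical stand-ins for `get_connection_args('public')` and the intersection step; treating `parent` as a safe public argument is an assumption, and the request array and cursor value are constructed for the example.

```php
<?php
// Added example (not plugin code): allowlist the `where` arguments a
// non-manager may use, and pass pagination arguments through untouched.
declare(strict_types=1);

/**
 * Hypothetical stand-in for get_connection_args('public'): `where` arguments
 * that cannot widen the result set beyond the requesting customer's own
 * orders. Keys are argument names, values are schema definitions.
 * Treating `parent` as safe here is an assumption for the example.
 */
function public_where_args(): array {
    return [
        'statuses'  => [ 'type' => [ 'list_of' => 'OrderStatusEnum' ] ],
        'parent'    => [ 'type' => 'Int' ],
        'orderby'   => [ 'type' => [ 'list_of' => 'OrdersOrderbyInput' ] ],
        'dateQuery' => [ 'type' => 'DateQueryInput' ],
    ];
}

/**
 * Keep only the `where` arguments whose names are in the allowlist.
 * array_intersect_key() compares keys, so the second operand must be the
 * schema array itself (keys = argument names). Passing array_keys() of it
 * would compare against integer keys 0,1,2,... and match nothing.
 */
function filter_where_args( array $where, bool $is_shop_manager ): array {
    if ( $is_shop_manager ) {
        return $where; // managers keep the full 'private' argument set
    }
    return array_intersect_key( $where, public_where_args() );
}

// Constructed request from a logged-in customer who is not a shop manager.
$request = [
    'first' => 2,                        // pagination: defined by WPGraphQL on the connection
    'after' => 'YXJyYXljb25uZWN0aW9uOjQy', // constructed cursor value
    'where' => [
        'parent'      => 0,
        'statuses'    => [ 'COMPLETED' ],
        'customerId'  => 7,        // manager-only: must be dropped
        'customersIn' => [ 7, 8 ], // manager-only: must be dropped
    ],
];

$filtered_where = filter_where_args( $request['where'], false );
// $filtered_where === [ 'parent' => 0, 'statuses' => [ 'COMPLETED' ] ]

// The allowlist only governs `where`; pagination arguments are forwarded as-is.
$query_args = [
    'first' => $request['first'],
    'after' => $request['after'],
    'where' => $filtered_where,
];

// For contrast: intersecting against array_keys() of the allowlist yields []
// because its keys are 0..3, not the argument names.
$wrong = array_intersect_key( $request['where'], array_keys( public_where_args() ) );

var_dump( $query_args, $wrong );
```

The point of keeping the allowlist keyed by argument name is that the customer-scoping check (customer ID or billing email) stays the only thing that decides whose orders are visible; the allowlist merely removes arguments that could be used to re-target the query at other customers, while `first` and `after` never touch that scope and so need no filtering at all.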