Check auth definition on wrong node

Open Andy2003 opened this issue 2 years ago • 3 comments

It seems that the following condition is wrong:

https://github.com/neo4j/graphql/blob/296574085021165d57dd9d7adea8da2890444611/packages/graphql/src/translate/create-update-and-params.ts#L157-L168

A check for refNode.auth should be used instead.

Andy2003 avatar Apr 14 '22 09:04 Andy2003

Many thanks for raising this bug report @Andy2003. :bug: We will now attempt to reproduce the bug based on the steps you have provided.

Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:

  • Type definitions
  • Resolvers
  • Query and/or Mutation (or multiple) needed to reproduce

If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket.

Thanks again! :pray:

neo4j-team-graphql avatar Apr 14 '22 09:04 neo4j-team-graphql

Hi @Andy2003! Thanks for raising this! Would you be able to elaborate a bit more on why? It would be helpful if you could add a (use) case. Thank you!

tbwiss avatar Apr 19 '22 09:04 tbwiss

While going through the code (for a port to Java), I noticed that the mentioned call to createAuthAndParams is made with the entity parameter set to refNode, but around the call a check for the existence of node's auth object is done instead of checking for refNode's auth. This looks like a bug to me. I do not have a concrete test case. In other places in the code, however, the same object which is passed as entity to createAuthAndParams is always checked for its existence beforehand.

Andy2003 avatar Apr 19 '22 10:04 Andy2003
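
The mismatch described in the comment above, reduced to a small model: a guard that inspects one node while the auth predicate is built from another. This is an added example, not code from the neo4j/graphql repository; `NodeDef`, `AuthRule`, both `authPredicate*` functions and the signature and body of this `createAuthAndParams` stand-in are hypothetical, and the `Post`/`User` schema is constructed.

```typescript
// Simplified model; every type and function body here is a hypothetical stand-in.
interface AuthRule { operations: string[]; allow: { [field: string]: string }; }
interface NodeDef { name: string; auth?: { rules: AuthRule[] }; }

// Stand-in for createAuthAndParams: builds a predicate string from the auth
// rules of whichever entity it is handed.
function createAuthAndParams(entity: NodeDef, operation: string, varName: string): string {
  const rules = (entity.auth?.rules ?? []).filter(r => r.operations.indexOf(operation) !== -1);
  return rules
    .map(r => Object.keys(r.allow).map(f => `${varName}.${f} = $jwt.${r.allow[f]}`).join(" AND "))
    .join(" OR ");
}

// Pattern described in the issue: the guard looks at `node`,
// but the call passes `refNode` as the entity.
function authPredicateMismatched(node: NodeDef, refNode: NodeDef, op: string): string {
  if (node.auth) {
    return createAuthAndParams(refNode, op, "ref");
  }
  return ""; // refNode's rules are never consulted when `node` has none
}

// Guard and call agree on the same entity.
function authPredicateConsistent(_node: NodeDef, refNode: NodeDef, op: string): string {
  if (refNode.auth) {
    return createAuthAndParams(refNode, op, "ref");
  }
  return "";
}

// Constructed schema: Post carries no auth rules, User restricts UPDATE to its owner.
const Post: NodeDef = { name: "Post" };
const User: NodeDef = {
  name: "User",
  auth: { rules: [{ operations: ["UPDATE"], allow: { id: "sub" } }] },
};

// A nested operation that starts at Post and touches User:
console.log(JSON.stringify(authPredicateMismatched(Post, User, "UPDATE")));
console.log(JSON.stringify(authPredicateConsistent(Post, User, "UPDATE")));
```

In this model the mismatched guard yields an empty predicate whenever the parent node has no auth rules, so the referenced node's rule is silently dropped; a regression test for this class of bug needs a schema where only the referenced type carries rules.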

This should now certainly be resolved in the new authorization features of the library in 3.23.0. 🙂

darrellwarde avatar Jul 06 '23 13:07 darrellwarde