
authorized? for GraphQL::Schema::EnumValue is not working

Open vitaliiorlov opened this issue 1 year ago • 2 comments

Describe the bug

Hi! I found a bug regarding the authorization of enum values. According to the source code, this class has the same authorization methods as the argument, object, and field classes. But for EnumValue the authorized? method is not working.

module GraphQL
  class Schema
    class EnumValue < GraphQL::Schema::Member
      ...

      def visible?(_ctx); true; end
      def authorized?(_ctx); true; end
    end
  end
end

Versions

graphql version: 2.2.7
rails: 7.1.3

Code example

class Types::Enums::BaseEnum < GraphQL::Schema::Enum
  enum_value_class(Types::Enums::BaseEnumValue)
end

class Types::Enums::BaseEnumValue < GraphQL::Schema::EnumValue
  def visible?(_ctx); true; end
  def authorized?(_ctx); false; end
end

Steps to reproduce

Use the code above.

Expected behavior

It works in the same way as for fields, objects, and arguments and denies access to all denied enum values.

Actual behavior

It ignores the def authorized?(_ctx); false; end method, and does not even stop there if a debugger is put in the method.

vitaliiorlov, Feb 06 '24 09:02

Hey, thanks for reporting this. Did you find this documented somewhere? I didn't find it in the documentation and I don't see it addressed in the relevant spec (https://github.com/rmosolgo/graphql-ruby/blob/master/spec/graphql/authorization_spec.rb), so I think it was just never dreamed of!

But we could definitely add it. My first thought on a place to add it would be to hook in here:

https://github.com/rmosolgo/graphql-ruby/blob/18f3deda9944febcbd97a84a4943362f68c8a373/lib/graphql/execution/interpreter/runtime.rb#L570-L572

and here:

https://github.com/rmosolgo/graphql-ruby/blob/18f3deda9944febcbd97a84a4943362f68c8a373/lib/graphql/schema/argument.rb#L264-L268

Which go here:

https://github.com/rmosolgo/graphql-ruby/blob/18f3deda9944febcbd97a84a4943362f68c8a373/lib/graphql/schema/enum.rb#L143-L166

I think if those two methods (coerce_input and coerce_result) included enum_value.authorized? checks, it would implement this feature.

Feel free to give it a try if you're interested, otherwise I'll keep this open and try to take a crack at it when I find time!

rmosolgo, Feb 06 '24 14:02
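As an added sketch (not graphql-ruby's code), the following stand-alone stand-in shows where the enum_value.authorized? checks suggested above would sit in coerce_input and coerce_result, so that an unauthorized value is refused both as client input and as a serialised result. The class names SketchEnumValue, SketchEnum and UnauthorizedEnumValueError, and the ctx[:admin] flag, are invented for the illustration.

```ruby
class UnauthorizedEnumValueError < StandardError; end

# Stand-in for GraphQL::Schema::EnumValue (invented name): GraphQL name,
# Ruby-side value, and the per-value authorized? hook.
class SketchEnumValue
  attr_reader :graphql_name, :value

  def initialize(graphql_name, value:, &authorized)
    @graphql_name = graphql_name
    @value = value
    @authorized = authorized || ->(_ctx) { true }
  end

  def authorized?(ctx)
    @authorized.call(ctx)
  end
end

# Stand-in for GraphQL::Schema::Enum with the proposed authorized? checks.
class SketchEnum
  def initialize(values)
    @values = values
  end

  # Input side: the client sends a GraphQL name. Unknown names stay nil
  # (validation handles them); a known but unauthorized value is rejected.
  def coerce_input(graphql_name, ctx)
    ev = @values.find { |v| v.graphql_name == graphql_name }
    return nil if ev.nil?
    raise UnauthorizedEnumValueError, graphql_name unless ev.authorized?(ctx)
    ev.value
  end

  # Result side: a resolver's Ruby value maps back to its GraphQL name.
  # Checking here stops an unauthorized value from being serialised out.
  def coerce_result(value, ctx)
    ev = @values.find { |v| v.value == value }
    return nil if ev.nil?
    raise UnauthorizedEnumValueError, ev.graphql_name unless ev.authorized?(ctx)
    ev.graphql_name
  end
end

# Constructed sample: ADMIN is authorized only when ctx[:admin] is true.
ROLE_ENUM = SketchEnum.new([
  SketchEnumValue.new("USER", value: :user),
  SketchEnumValue.new("ADMIN", value: :admin) { |ctx| ctx[:admin] }
])
```

In the real gem the raise would be routed through its existing unauthorized-object handling rather than surfacing as a bare exception.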

@rmosolgo thank you for looking into this.

Did you find this documented somewhere? I didn't find it in the documentation...

No, there is no documentation regarding this. I just looked around the source code and found that the enum value also has those methods (visible? and authorized?). So, I have such a case in my project where I would like to have such a feature, but tried to work with that and found out that visible? is working correctly, but authorized? does not. This is a short story about how I created this bug because, in the gem's source code, I've seen such a method and anticipated it should work then.

vitaliiorlov, Feb 06 '24 15:02