GraphQL - Roles defined without read action returns error #1464
Comments
|
In this case, the database operation succeeds (the update/insert/delete goes through without any issues), but we return error since the Note: We don't see this behavior with Cosmos. Even if read action is not defined for the role, valid response (response with values for the fields specified in the selection set) is returned. To make the behavior more consistent, we could do one of the following things. b) The AuthZ checks before executing the @yorek @JerryNixon @Aniruddh25 @seantleonard @sajeetharan Please kindly share your thoughts |
|
We'll need to see if HotChocolate supports grouping the update/read-result to be protected by the runtime config defined permissions for the update operation, out of the box. Since the selection set is a read operation, HotChocolate would enforce the authorization rules we set on the Object Type definition in the GraphQL schema for read operations. |
Desired behaviorIf |
|
@JerryNixon, shouldnt the select be allowed to all the fields that are allowed for the mutation: e.g. |
|
From a GraphQL standpoint, the behaviour of SQL backends is correct while Cosmos is incorrect, based on the auth config provided the In a custom GraphQL server where you aren't doing one-to-one data mapping a mutation doesn't have to represent a data construct in our backend, it's indicating a concept that you're performing. Using a trivia game example, you could have a mutation So is it more of an education piece, people aren't aware that they are really performing two database operations |
…sions - SQL database types (#1874) ## Why make this change? - Closes #1464 - At the moment, when a mutation operation is executed using a role which does not have read permissions (and Anonymous does not have read permissions), the mutation operation succeeds at the database layer but a generic AuthZ error message is returned. This could lead to the user concluding that the database operation did not go through because of the error response. - This PR adds changes to return a helpful error message to the users - `The mutation operation {operation name} was successful but the current user is unauthorized to view the response due to lack of read permissions` ## What is this change? - The objective of this change is to return a helpful error message that lets users know a) what has happened as a result of executing this mutation request b) the reason as why this error message is returned - Presence of read permission is evaluated for the current role (with which the request was executed) as well as Anonymous role (because, for graphQL, read permissions is inherited from Anonymous role by other roles). If read permission is inapplicable, then a custom error message is returned. ## How was this tested? - [x] Integration Testing - [x] Manual Testing The request is executed in the context of Anonymous role. Anonymous role does not have read permissions configured but has the other three - create, update and delete configured. **Response:**  **Create operation executed successfully**  ## Error Messages **Current Format (for mutation without read permission)**  **New Format introduced by this change (for mutation without read permission)**  The operation name such as `createbook`/`createPublisher` is included in the error message to help identify the operation which resulted in error when there are multiple mutations in the same request 
When a role is defined without
readaction, mutations performed in the context of that role, returns an error response. However, at the database level, the mutation(update,insert, etc. action) succeeds.Repro steps:
readaction for theAnonymousroleAnonymousroleConfig file:
{ "$schema": "https://github.com/Azure/data-api-builder/releases/download/vmajor.minor.patch/dab.draft.schema.json", "data-source": { "database-type": "mssql", "connection-string": "...", "options": { "set-session-context": false } }, "runtime": { "rest": { "enabled": true, "path": "/api" }, "graphql": { "enabled": true, "path": "/graphql", "allow-introspection": true }, "host": { "cors": { "origins": [], "allow-credentials": false }, "authentication": { "provider": "StaticWebApps" }, "mode": "development" } }, "entities": { "Book": { "source": { "object": "books", "type": "table" }, "graphql": { "enabled": true, "type": { "singular": "book", "plural": "books" } }, "rest": { "enabled": true }, "permissions": [ { "role": "anonymous", "actions": [ { "action": "create" }, { "action": "update" }, { "action": "delete" } ] }, { "role": "authenticated", "actions": [ { "action": "create" }, { "action": "read" }, { "action": "update" }, { "action": "delete" } ] } ] } } }The mutation was executed in the context of
Anonymousrole.In these requests,
a) The database operation goes through when the corresponding permission is setup (create action for a create mutation, update action for update mutation, etc.)
b) The lack of read action causes the authz error to be thrown.
Note We observe this behavior only in SQL DB types. With cosmos, even when read permission is not setup, valid response (response with values for fields requested in the selection set) is returned.
Tasks
The text was updated successfully, but these errors were encountered: