From a676b35b6b90ca3573658acf36c3c5b152991849 Mon Sep 17 00:00:00 2001
From: Ayush Agarwal
Date: Thu, 2 May 2024 13:04:57 +0530
Subject: [PATCH] Perform recursive authz and request validation only when multiple-create is enabled.
---
 src/Core/Resolvers/SqlMutationEngine.cs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/Core/Resolvers/SqlMutationEngine.cs b/src/Core/Resolvers/SqlMutationEngine.cs
index 73377bfd2e..f9e166d048 100644
--- a/src/Core/Resolvers/SqlMutationEngine.cs
+++ b/src/Core/Resolvers/SqlMutationEngine.cs
@@ -100,10 +100,12 @@ public SqlMutationEngine(
 // If authorization fails, an exception will be thrown and request execution halts.
 AuthorizeMutation(context, parameters, entityName, mutationOperation);
- // Multiple create mutation request is validated to ensure that the request is valid semantically.
 string inputArgumentName = IsPointMutation(context) ? MutationBuilder.ITEM_INPUT_ARGUMENT_NAME : MutationBuilder.ARRAY_INPUT_ARGUMENT_NAME;
- if (parameters.TryGetValue(inputArgumentName, out object? param) && mutationOperation is EntityActionOperation.Create)
+ if (_runtimeConfigProvider.GetConfig().IsMultipleCreateOperationEnabled() &&
+ parameters.TryGetValue(inputArgumentName, out object? param) &&
+ mutationOperation is EntityActionOperation.Create)
 {
+ // Multiple create mutation request is validated to ensure that the request is valid semantically.
 IInputField schemaForArgument = context.Selection.Field.Arguments[inputArgumentName];
 MultipleMutationEntityInputValidationContext multipleMutationEntityInputValidationContext = new(
 entityName: entityName,
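Review bot: The feature flag in this condition is read through `_runtimeConfigProvider.GetConfig()` and is read again, independently, inside `AuthorizeMutation` (the second hunk), so the authorization and validation steps of one request are not guaranteed to see the same value. Whether the provider can return a different config between the two calls is not visible here; if it can, a request could be authorized on the single-entity path and then validated as a multiple-create, or the reverse. Consider capturing the value once before the `AuthorizeMutation` call, e.g. `bool isMultipleCreateEnabled = _runtimeConfigProvider.GetConfig().IsMultipleCreateOperationEnabled();`, and using that local in this condition. The enclosing method starts and ends outside the hunk.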
@@ -2034,7 +2036,7 @@ public void AuthorizeMutation(
 {
 string inputArgumentName = MutationBuilder.ITEM_INPUT_ARGUMENT_NAME;
 string clientRole = AuthorizationResolver.GetRoleOfGraphQLRequest(context);
- if (mutationOperation is EntityActionOperation.Create)
+ if (mutationOperation is EntityActionOperation.Create && _runtimeConfigProvider.GetConfig().IsMultipleCreateOperationEnabled())
 {
 if (!IsPointMutation(context))
 {
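Review bot: With the flag off, a create mutation now bypasses this branch entirely, so whatever follows this `if` (outside the hunk) becomes the only authorization applied to creates. It is worth confirming that the remaining path checks the role's create permission on every field of the input argument, and that the generated schema cannot accept nested relationship input when multiple-create is disabled; if nested input were still accepted, it would not pass through the recursive check. Once confirmed, record the assumption on the condition, e.g. `// With multiple-create disabled the input carries no nested entities, so the single-entity authorization below covers the whole request.` A test that a create by a role lacking permission on a column is rejected with the feature disabled would pin the behaviour. The body of `AuthorizeMutation` continues past the hunk.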