Adding permission check when querying content using GraphQL #12734
Conversation
src/OrchardCore/OrchardCore.ContentManagement.GraphQL/Options/GraphQLContentOptions.cs
@jtkech are you able to help with the failing test case? The problem is that the role "Anonymous" has permission to view all contents. So when the test I think all these GraphQL tests should run with "Anonymous" and "Authenticated" that have NO "ViewContents" permissions assigned to them. Is there a better approach for this besides creating a recipe for GraphQL and maybe
Okay, I think I found the issue, I will comment it.
@jtkech is the issue different than what I described above?
So, I saw that when removing in
Then I looked at
Which I think is wrong, so I replaced it by
Then the test was working because a validation error was added. That said, maybe you don't need to add the
Yeah, that works, but I still think in all the GraphQL tests we should remove the ViewContents permission from the "Anonymous" and "Authenticated" roles. These tests should be adding their permission in each test. The only reason what you did works is because you enforce 2 permissions, not just the 1 as we had.
What did you do? Just removing
In this test it adds explicitly the
I don't understand
About I think that's okay to keep it case sensitive, to force people to provide by code the exact type name, as it is automatically done when using the generic |
Just to say that I did nothing, at the end just applied the mentioned fix. |
Hmm, just saw that it doesn't check if |
@jtkech I changed that, but one of the tests is still failing. I also changed the string check to
Okay I'm going to look at it |
Okay looks like we need to reference the same static permission instance added in the test.
So I could make it working by using the following in
But needed to reference the But it shows that our fix is okay as it still works when having more than one permission, so for now I suggest not adding the
@jtkech the tests pass now. Let me know if you see something else before an approval.
Fix #12693
Prior to this PR, a user with permission to GraphQL could see all content regardless of their permissions. With the newly added filter, we honor their permissions.
Also,
GraphQLContentOptions.ConfigureContentType(...)
had no effect. For example, if the user configures a contentType as hidden, we still showed it anyway. This was also fixed.