This is a severe security issue. I requested a CVE number.
It affects all versions from 2.2.0 to 2.3.5; this issue has been fixed in 2.3.6.
The patch: #2441
Hello,
I have a permission problem with the delete mutation.
mutation { deleteOffice(input: {id: "/api/books/240", clientMutationId: ""}) { id } }
This query is valid and the book will be deleted. If I have permission to delete office, I can delete another entity. I think we need to check $resourceClass and the class of $item there: https://github.com/api-platform/core/blob/v2.3.4/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php#L87
if ($resourceClass !== get_class($item)) { return; }
P.S. Thank you for your work.
P.S.S. Sorry for my English )
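The class mismatch described in this issue, as an added example that is not API Platform's code or its patch: a constructed in-memory model in which a caller allowed to delete only Office items passes a book IRI, first without and then with the comparison proposed above. All class, function and variable names here are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed model of the flaw; class and function names are hypothetical.
final class Office {}
final class Book {}

// Stand-in for IRI resolution: returns whatever object the IRI points to,
// regardless of which resource the mutation was declared for.
function itemFromIri(array $store, string $iri): ?object
{
    return $store[$iri] ?? null;
}

// Before: only "may the caller delete $resourceClass?" is checked, never
// whether the resolved item actually is a $resourceClass.
function deleteUnchecked(array &$store, array $grants, string $resourceClass, string $iri): bool
{
    $item = itemFromIri($store, $iri);
    if (null === $item || !in_array($resourceClass, $grants, true)) {
        return false;
    }
    unset($store[$iri]);
    return true;
}

// After: the class comparison proposed in the issue runs before the delete.
function deleteChecked(array &$store, array $grants, string $resourceClass, string $iri): bool
{
    $item = itemFromIri($store, $iri);
    if (null === $item || !in_array($resourceClass, $grants, true)) {
        return false;
    }
    if ($resourceClass !== get_class($item)) {
        return false; // the IRI belongs to another resource type: refuse
    }
    unset($store[$iri]);
    return true;
}

// Constructed sample data: one book, one office, caller may delete offices only.
$seed = ['/api/books/240' => new Book(), '/api/offices/1' => new Office()];
$grants = [Office::class];

$a = $seed;
var_dump(deleteUnchecked($a, $grants, Office::class, '/api/books/240')); // deleteOffice aimed at a book IRI
$b = $seed;
var_dump(deleteChecked($b, $grants, Office::class, '/api/books/240'));   // same request with the class check
var_dump(deleteChecked($b, $grants, Office::class, '/api/offices/1'));   // deleteOffice aimed at an office IRI
```

With an ORM that hands back proxy objects, `get_class()` returns the proxy's class name, so a strict comparison like this one needs the real class name resolved first.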