Graphql permission problem with delete mutation

[SkvokeN]

Hello,

I have permission problem with delete mutation.

mutation { deleteOffice(input: {id: "/api/books/240", clientMutationId: ""}) { id } }

This query is valid and the book will be deleted . If I have permission to delete office, I can delete another entity.

I think need check $resourceClass and class $item there https://github.com/api-platform/core/blob/v2.3.4/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php#L87.

if ($resourceClass !== get_class($item)) { return; }

P.S. Thank you for your work.
P.S.S. Sorry for my English )

[SkvokeN]

Is there anyone?

[alanpoulain]

Fixed in the next bugfix version (2.3.6).

[SkvokeN]

thank you

[dunglas]

This a severe security issue. I requested a CVE number.
It affects all versions from 2.2.0 to 2.3.5, this issue has been fixed in 2.3.6.
The patch: #2441

[Simperfit]

CVE number is: CVE-2019-1000011