Graphql permission problem with delete mutation #2364

Closed
SkvokeN opened this Issue Dec 4, 2018 · 5 comments


SkvokeN commented Dec 4, 2018

Hello,

I have a permission problem with the delete mutation.

mutation { deleteOffice(input: {id: "/api/books/240", clientMutationId: ""}) { id } }

This query is valid and the book will be deleted. If I have permission to delete an office, I can delete another entity.

I think we need to check $resourceClass against the class of $item there: https://github.com/api-platform/core/blob/v2.3.4/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php#L87.

if ($resourceClass !== get_class($item)) { return; }

P.S. Thank you for your work.
P.P.S. Sorry for my English )
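As an added illustration (not API Platform's own code and not the project's patch), a standalone PHP sketch of the class check proposed above: an item-mutation resolver that refuses to act on an item whose class does not match the mutation's resource class. Office, Book, the in-memory IRI map and resolveItem() are assumed names; instanceof is used instead of strict get_class() equality so that ORM proxy subclasses still pass.

```php
<?php
// Added example, not API Platform code. Office, Book, $store and
// resolveItem() are hypothetical stand-ins for the real resolver pieces.
declare(strict_types=1);

final class Office { public function __construct(public int $id) {} }
final class Book   { public function __construct(public int $id) {} }

// Constructed sample store keyed by IRI, standing in for the IRI converter.
$store = [
    '/api/offices/7' => new Office(7),
    '/api/books/240' => new Book(240),
];

/**
 * Resolve the IRI, then verify the loaded item really belongs to
 * $resourceClass before any mutation is applied. Without this check a
 * deleteOffice mutation given a Book IRI would act on the Book, which is
 * the problem described in this issue.
 */
function resolveItem(array $store, string $resourceClass, string $iri): object
{
    if (!isset($store[$iri])) {
        throw new RuntimeException(sprintf('Item "%s" not found.', $iri));
    }
    $item = $store[$iri];
    // instanceof tolerates proxy subclasses; a strict get_class() comparison
    // would reject them.
    if (!$item instanceof $resourceClass) {
        throw new RuntimeException(sprintf(
            'Item "%s" is a %s, not a %s; refusing to mutate it.',
            $iri, get_class($item), $resourceClass
        ));
    }
    return $item;
}

// deleteOffice with a Book IRI is rejected; an Office IRI resolves normally.
try {
    resolveItem($store, Office::class, '/api/books/240');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$office = resolveItem($store, Office::class, '/api/offices/7');
echo 'Resolved ', get_class($office), ' #', $office->id, PHP_EOL;
```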

@SkvokeN SkvokeN changed the title Graphql problem with delete mutation Graphql permission problem with delete mutation Dec 4, 2018

SkvokeN commented Dec 19, 2018

Is there anyone?

alanpoulain commented Jan 9, 2019

Fixed in the next bugfix version (2.3.6).

@alanpoulain alanpoulain closed this Jan 9, 2019

@alanpoulain alanpoulain added the bug label Jan 9, 2019

SkvokeN commented Jan 11, 2019

Thank you.

dunglas commented Jan 15, 2019

This is a severe security issue. I requested a CVE number.
It affects all versions from 2.2.0 to 2.3.5; this issue has been fixed in 2.3.6.
The patch: #2441

Simperfit commented Feb 14, 2019

CVE number is: CVE-2019-1000011
