GraphQL: honor access control rules #1602
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dunglas
force-pushed
the
graphql-security
branch
2 times, most recently
from
31edb9b
to
1b12bf8
Compare
dunglas
force-pushed
the
graphql-security
branch
from
1b12bf8
to
2d70d9b
Compare
alanpoulain
reviewed
Dec 24, 2017
features/authorization/deny.feature
Outdated
| @@ -59,7 +58,7 @@ Feature: Authorization checking | |||
| """ | |||
| Then the response status code should be 201 | |||
|
|
|||
| Scenario: An user retrieve cannot retrieve an item he doesn't own | |||
| Scenario: An user retrieves cannot retrieve an item he doesn't own | |||
There was a problem hiding this comment.
Better? An user cannot retrieve an item he doesn't own
alanpoulain
reviewed
Dec 24, 2017
| @@ -65,6 +68,12 @@ public function __invoke(string $resourceClass = null, string $rootClass = null, | |||
| } | |||
|
|
|||
| $resourceMetadata = $this->resourceMetadataFactory->create($resourceClass); | |||
| if (null !== $this->resourceAccessChecker) { | |||
There was a problem hiding this comment.
Shouldn't you put this in an abstract or a service? This is duplicated in CollectionResolverFactory.
There was a problem hiding this comment.
I've moved this logic in a trait in the meantime.
alanpoulain
reviewed
Dec 24, 2017
| /** | ||
| * @expectedException \Symfony\Component\Security\Core\Exception\AccessDeniedException | ||
| */ | ||
| public function testIsNotGranted() |
There was a problem hiding this comment.
Use @dataProvider and remove the duplication?
There was a problem hiding this comment.
It should be done in the lowest branch or it will create merge conflicts later :(
dunglas
force-pushed
the
graphql-security
branch
from
8ddda03
to
236f224
Compare
dunglas
force-pushed
the
graphql-security
branch
from
fbb114a
to
6e747a4
Compare
hoangnd25
pushed a commit
to hoangnd25/core
that referenced
this pull request
Feb 23, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
And now the GraphQL subsystem is hooked in the authorization mechanism.
Next step: validation, and we'll be almost done!
TODO: