[GraphQL] Check item resource class in mutation #2441

Merged
merged 1 commit into from Jan 9, 2019

lukasluecke commented Jan 9, 2019

| Q | A |
| --- | --- |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #2364 |
| License | MIT |
| Doc PR | |

This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances (see #2364).

@lukasluecke lukasluecke force-pushed the whatwedo:2.3 branch from d9691bc to 5b44e7e Jan 9, 2019
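
An added illustration of the check this pull request describes, not code from the pull request or from API Platform: a simplified PHP model in which access rules are selected by the mutation's resource class (an assumption about how the bypass referenced in #2364 could arise). All class names, function names, IRIs and the error text are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed model, not API Platform code: two resource classes with different access rules.
final class PublicNote { public string $text = 'hello'; }
final class SecretReport { public string $text = 'confidential'; }

// Hypothetical access rules, keyed by the resource class a mutation is declared for.
const ACCESS_RULES = [
    PublicNote::class => ['user', 'admin'],
    SecretReport::class => ['admin'],
];

// Hypothetical IRI resolver: returns whatever item the IRI names, whichever mutation asked.
function itemFromIri(string $iri): object
{
    static $store = null;
    $store ??= ['/public_notes/1' => new PublicNote(), '/secret_reports/1' => new SecretReport()];
    if (!isset($store[$iri])) {
        throw new InvalidArgumentException(sprintf('Item "%s" not found.', $iri));
    }
    return $store[$iri];
}

function updateMutation(string $resourceClass, string $iri, string $role, string $text, bool $checkClass): object
{
    $item = itemFromIri($iri);
    // The check: the resolved item must be an instance of the mutation's resource class.
    if ($checkClass && !$item instanceof $resourceClass) {
        throw new InvalidArgumentException(sprintf('Item "%s" is not a "%s".', $iri, $resourceClass));
    }
    // Assumption: authorization is decided from the mutation's class, not the item's class.
    if (!in_array($role, ACCESS_RULES[$resourceClass], true)) {
        throw new RuntimeException('Access denied.');
    }
    $item->text = $text;
    return $item;
}

// Constructed request: role "user" passes a SecretReport IRI to the PublicNote mutation.
$item = updateMutation(PublicNote::class, '/secret_reports/1', 'user', 'changed', false);
echo 'without check: ', get_class($item), ' updated', PHP_EOL;
try {
    updateMutation(PublicNote::class, '/secret_reports/1', 'user', 'changed', true);
} catch (InvalidArgumentException $e) {
    echo 'with check: ', $e->getMessage(), PHP_EOL;
}
```

The type check runs before the authorization lookup, so a mismatched IRI is rejected regardless of which rules the mutation would have applied.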


lukasluecke commented Jan 9, 2019

Fixed php-cs failure


alanpoulain commented Jan 9, 2019

Nice! Could you add tests?

@lukasluecke lukasluecke force-pushed the whatwedo:2.3 branch from 5b44e7e to 47914fa Jan 9, 2019


lukasluecke commented Jan 9, 2019

@alanpoulain

I added a Behat test but can't get it to succeed. I think it's something to do with the escaped quotes in the error message, any ideas? 🙈


alanpoulain commented Jan 9, 2019

Could you try to remove the escaping of the double quotes (or maybe to escape the non escaped ones)?


lukasluecke commented Jan 9, 2019

I tried almost every combination I could think of (single quotes, double quotes, double-escape, no escape). I'll have another look, but from the output of Behat it should match, shouldn't it?

Edit: json_decode on the string worked 👍

Check item resource class in mutation
This prevents passing IRIs belonging to different resource classes

@lukasluecke lukasluecke force-pushed the whatwedo:2.3 branch from 47914fa to 8324e70 Jan 9, 2019


lukasluecke commented Jan 9, 2019

@alanpoulain Fixed the test. Is there anything else needed?


alanpoulain commented Jan 9, 2019

LGTM 🙂

@alanpoulain alanpoulain added the GraphQL label Jan 9, 2019

@alanpoulain alanpoulain merged commit b14e1b2 into api-platform:2.3 Jan 9, 2019

11 checks passed

Scrutinizer Analysis: No new issues – Tests: passed
SymfonyInsight: Code quality OK.
ci/circleci: behat-coverage: Your tests passed on CircleCI!
ci/circleci: merge-and-upload-coverage: Your tests passed on CircleCI!
ci/circleci: php-cs-fixer: Your tests passed on CircleCI!
ci/circleci: phpstan: Your tests passed on CircleCI!
ci/circleci: phpunit-coverage: Your tests passed on CircleCI!
codecov/patch: 100% of diff hit (target 96.4%)
codecov/project: 96.4% (+<.01%) compared to 78cd201
continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed

alanpoulain commented Jan 9, 2019

Thank you @lukasluecke

dunglas added a commit that referenced this pull request Jan 15, 2019

Check item resource class in mutation (#2441)
This prevents passing IRIs belonging to different resource classes