[GraphQL] Check item resource class in mutation #2441

Merged
merged 1 commit into from Jan 9, 2019


lukasluecke
Contributor

| Q | A |
| --- | --- |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #2364 |
| License | MIT |
| Doc PR | |

This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances (see #2364).
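
A minimal sketch of the kind of check described above, added here as an illustration and not taken from this PR or from API Platform's code: the item resolved from the mutation's IRI must be an instance of the resource class the mutation was declared for. `Book`, `SecuredDummy`, `InMemoryIriConverter`, `resolveMutationItem` and the error message are hypothetical names constructed for the example; it assumes PHP 8.0+.

```php
<?php
declare(strict_types=1);

// Constructed resource classes for illustration (not API Platform's own).
final class Book { public function __construct(public int $id, public string $title) {} }
final class SecuredDummy { public function __construct(public int $id, public string $owner) {} }

// Hypothetical stand-in for an IRI converter: returns whichever item the IRI
// identifies, regardless of the class the caller expects.
final class InMemoryIriConverter
{
    /** @param array<string, object> $items */
    public function __construct(private array $items) {}

    public function getItemFromIri(string $iri): object
    {
        return $this->items[$iri]
            ?? throw new InvalidArgumentException(sprintf('No item found for IRI "%s".', $iri));
    }
}

// Resolves the "id" argument of an update/delete mutation declared for $resourceClass.
function resolveMutationItem(InMemoryIriConverter $converter, string $resourceClass, string $iri): object
{
    $item = $converter->getItemFromIri($iri);

    // Without this check, the access-control rule attached to $resourceClass would be
    // evaluated for, and the write applied to, an object of a different class.
    if (!$item instanceof $resourceClass) {
        throw new UnexpectedValueException(
            sprintf('Item "%s" did not match expected type "%s".', $iri, $resourceClass)
        );
    }

    return $item;
}

// Constructed sample data.
$converter = new InMemoryIriConverter([
    '/books/1' => new Book(1, 'Constructed sample'),
    '/secured_dummies/1' => new SecuredDummy(1, 'admin'),
]);

echo get_class(resolveMutationItem($converter, Book::class, '/books/1')), PHP_EOL;

try {
    // An IRI of another resource class passed to a Book mutation is rejected.
    resolveMutationItem($converter, Book::class, '/secured_dummies/1');
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```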

@lukasluecke
Contributor Author

Fixed php-cs failure

@alanpoulain
Member

Nice! Could you add tests?

@lukasluecke
Contributor Author

@alanpoulain

I added a Behat test but can't get it to succeed. I think it's something to do with the escaped quotes in the error message, any ideas? 🙈

@alanpoulain
Member

Could you try removing the escaping of the double quotes (or maybe escaping the non-escaped ones)?

@lukasluecke
Contributor Author

lukasluecke commented Jan 9, 2019

I tried almost every combination I could think of (single quotes, double quotes, double-escape, no escape). I'll have another look, but from the output of Behat it should match, shouldn't it?

Edit: json_decode on the string worked 👍

This prevents passing IRIs belonging to different resource classes
@lukasluecke
Contributor Author

@alanpoulain Fixed the test. Is there anything else needed?

@alanpoulain
Member

LGTM 🙂

@alanpoulain alanpoulain merged commit b14e1b2 into api-platform:2.3 Jan 9, 2019
@alanpoulain
Member

Thank you @lukasluecke

dunglas pushed a commit that referenced this pull request Jan 15, 2019
This prevents passing IRIs belonging to different resource classes