Check authorization of returned type #2

joemcbride · 2018-02-02T08:00:23Z

At present the validation rule doesn’t check the returned GraphType of the Field that is being request, only that the current Field itself is allowed. The returned GraphType may have different authorization policies applied to it.

authorization/src/GraphQL.Authorization/AuthorizationValidationRule.cs

Line 40 in b9f3edf

CheckAuth(fieldAst, fieldDef, userContext, context, operationType);

I believe the fix is to add this additional line:

CheckAuth(fieldAst, fieldDef.ResolvedType, userContext, context, operationType);

See graphql-dotnet/graphql-dotnet#502 (comment)

The text was updated successfully, but these errors were encountered:

Fixes #2

* Check ResolvedType for authorization policies Fixes #2

joemcbride added the bug Something isn't working label Feb 2, 2018

joemcbride added a commit that referenced this issue Jun 12, 2018

Check ResolvedType for authorization policies

a235894

Fixes #2

joemcbride mentioned this issue Jun 12, 2018

Check ResolvedType for authorization policies #9

Merged

joemcbride added a commit that referenced this issue Jun 12, 2018

Check ResolvedType for authorization policies

7a85970

Fixes #2

joemcbride closed this as completed in #9 Jun 12, 2018

joemcbride added a commit that referenced this issue Jun 12, 2018

Check ResolvedType for authorization policies (#9)

cc41298

* Check ResolvedType for authorization policies Fixes #2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check authorization of returned type #2

Check authorization of returned type #2

joemcbride commented Feb 2, 2018

Check authorization of returned type #2

Check authorization of returned type #2

Comments

joemcbride commented Feb 2, 2018