[v2.0.0-alpha.10] Relationship field query not respecting permissions #6930

renato opened this issue May 15, 2021 · 1 comment

renato commented May 15, 2021

I've recently upgraded from v1.3.3 to v2.0.0-alpha.10 and I'm facing some issues that didn't exist before, so I've set up a test instance on Heroku to isolate them. I can share the instance if needed, but it's easily reproducible.

I created a list_item table with a field user_id referencing user (id, name), with the proper foreign keys and relationships. On the permissions tab for list_item I have not allowed user_id. I've populated it with some test data.

However, this query works:

{
  list_item {
    #user_id
    user {
      id
      name
    }
  }
}

If I uncomment user_id I get the proper error that it doesn't exist.

Member

0x777 commented May 25, 2021

> On the permissions tab for list_item I have not allowed user_id.

The access of user field in list_item type is purely determined based on whether or not a select permission is defined on the user table for the role. It does not depend on whether or not user_id field is allowed in the select permission of list_item. This is the behaviour that existed in 1.0 too. We've fixed the other issue that you have reported here. This is the docker image for the latest commit on master: hasurabuild/graphql-engine:mono-branch-main-e0b197a0f which has a fix for #6931. Can you please give us a minimal reproduction for the above issue which shows different behaviour compared to v1.3?
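The rule described in the comment above, modelled as an added example that is not part of the thread and is not Hasura's code or metadata format: a relationship field is exposed when the role has a select permission on the remote table, whether or not the foreign-key column is allowed. The role name `app_user`, the `title` column and the dictionary layout are assumptions, and row-level filters are ignored.

```python
# Simplified permission model (constructed for illustration; NOT Hasura's
# metadata export format). Table names mirror the issue: list_item, user.
SCHEMA = {
    "list_item": {
        "columns": ["id", "title", "user_id"],  # "title" is a made-up column
        # relationship name -> (local FK column, remote table)
        "relationships": {"user": ("user_id", "user")},
        # role -> columns allowed by that role's select permission
        "select": {"app_user": ["id", "title"]},  # user_id not allowed
    },
    "user": {
        "columns": ["id", "name"],
        "relationships": {},
        "select": {"app_user": ["id", "name"]},
    },
}


def selectable_fields(schema, table, role):
    """Fields a role can query on `table` under the rule quoted above:
    a relationship is exposed iff the role has a select permission on the
    remote table, regardless of whether the FK column itself is allowed."""
    t = schema[table]
    if role not in t["select"]:
        return set()  # no select permission: nothing on this table is exposed
    fields = set(t["select"][role])
    for rel, (_fk, remote) in t["relationships"].items():
        if role in schema[remote]["select"]:
            fields.add(rel)
    return fields


def hidden_fk_exposures(schema, role):
    """List relationships the role can traverse although the FK column
    backing them is hidden, with the remote columns it can read."""
    findings = []
    for table, t in schema.items():
        allowed = selectable_fields(schema, table, role)
        for rel, (fk, remote) in t["relationships"].items():
            if rel in allowed and fk not in allowed:
                cols = sorted(schema[remote]["select"][role])
                findings.append((table, fk, rel, cols))
    return findings


if __name__ == "__main__":
    for table, fk, rel, cols in hidden_fk_exposures(SCHEMA, "app_user"):
        print(f"{table}.{fk} is hidden, but {table}.{rel} exposes {cols}")
```

Under this rule, hiding `user_id` on `list_item` does not hide which user a row belongs to; the select permission on `user` for that role is what controls it.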
