This repository has been archived by the owner on Mar 31, 2022. It is now read-only.

GraphQL restoreEntities endpoint rejects with permission error #115

Closed
karandashovrz opened this issue Oct 21, 2021 · 0 comments

karandashovrz commented Oct 21, 2021

Environment:

https://github.com/jmix-projects/scr-jmix

Problem:

To implement the data-tools addon in the React frontend, the restoreEntities endpoint was implemented to restore soft-deleted records (jmix-projects/jmix-datatools#44). When this request is sent with administrator credentials, it is rejected with a permission error:

Request payload:

{
    "operationName": "restoreEntities",
    "variables": {
        "className": "scr_Car",
        "ids": [
            "fc63ccfc-e8e9-5486-5c38-98ae42f729da",
            "c7052489-3697-48f6-a0f3-8e874d732865",
            "c5a0c22e-a8ce-4c5a-9068-8fb142af26ae",
            "c4ef4c14-5be9-406a-8457-db0bc760913a",
            "c2a14bec-cd7d-a3e4-1581-db243cf704aa",
            "bf6791e6-0e0a-8ca1-6a98-75b0a8971676",
            "bc5b3371-7418-4c79-90e8-81b09c59d9a1",
            "b94eede4-c1da-43df-830d-36ef1414385b",
            "aa595879-484f-4e7d-b19a-429cb2d84f79",
            "a64e6ef7-49d6-4ce5-8973-8c95ac1576e0",
            "94505084-e12c-44c0-9e55-0ee9ef5f3a90",
            "8561ba7a-49c5-4683-9251-59f376018a89",
            "7db61cfc-1e50-4898-a76d-42347ffb763f",
            "73c05bf0-ef67-4291-48a2-1481fc7f17e6",
            "6b853033-db8c-4d51-ab4c-4b3146796348",
            "63e88502-3cf0-382c-8f5f-07a0c8a4d9b2",
            "5f14d58d-6f24-4590-eef9-4b5885ed3e34",
            "5db1dce7-ceee-42f8-a14b-ddb93c4ad999",
            "50277e41-97d1-4af2-a122-1e87ae3011d9",
            "3da61043-aaad-7e30-c7f5-c1f1328d3980",
            "2325c7af-9569-4f66-bcf7-bb52cba5388b",
            "f44d486f-2fa3-4789-d02a-c1d2b2c67fc6"
        ]
    },
    "query": "mutation restoreEntities($className: String!, $ids: [String]!) {\n  restoreEntities(className: $className, ids: $ids)\n}\n"
}

Response:

{
    "errors": [
        {
            "message": "User is not allowed to use query: restoreEntities",
            "extensions": {
                "classification": "ExecutionAborted"
            }
        }
    ]
}

Project info:

plugins {
    id 'io.jmix' version '1.1.0-M5'
    id 'java'
}

jmix {
    bomVersion = '1.1.0-SNAPSHOT'
    projectId = 'scr'
}

Solution:

Add @GraphQLPolicy(operations = "*") or @GraphQLPolicy(operations = "restoreEntities") to the role.
Created GraphQLFullAccessRole in a commit in a separate branch.

UPDATE 2021-11-17:

  1. Added branch https://github.com/jmix-projects/scr-jmix/tree/with-data-tools
  2. Support for GraphiQL with oauth2 module (anonymous role has full access now)
  3. User "admin" has full access to graphql now
  4. Fixed build.gradle and user editor