Updates to a relationship field where that relationship is part of a many-to-many fail when the user does not have permission to both lists. Upon failure, records between the two joining tables are now inconsistent, as one of them has been updated and the other has not.
To Reproduce
Set up a Keystone instance with the Knex Postgres adapter.
Set up two lists: User and Interest. A user may have many different interests and each interest can relate to many users, i.e. this is a many-to-many relationship.
Set up the permissions so a user can update their own user record but may not add to - or otherwise update - the list of interests.
My list definitions look like this:
User:
Interest:
When I authenticate as the user I want to update, and then attempt to add some interests to the user via the following GraphQL...
... I receive the following error:
```json
{
  "errors": [
    {
      "message": "You do not have access to this resource",
      "name": "AccessDeniedError",
      "time_thrown": "2020-04-22T01:57:49.204Z",
      "data": {
        "type": "mutation",
        "target": "updateUser"
      },
      "path": [
        "updateUser"
      ],
      "uid": "ck9aotfzl0000Yus4grsyh5hr"
    }
  ],
  "data": {
    "updateUser": null
  }
}
```
In addition, looking at the database, there are two joining tables between User and Interest. These are: User_interests and Interest_users. When the above error is received, User_interests has been updated to include the connection of the two interests above, but Interest_users has NOT been updated. So now there is inconsistency in the data in the database.
Expected behaviour
The update should succeed provided the user has update permission to either list.
Specifically, when Keystone has a many-to-many relationship between two lists, and a user with the rights to update a record in one of the lists (but not the other) attempts to create a relationship between two records on each side of that relationship, that update should succeed. At the very least it should fail in an atomic way (i.e. neither of the joining tables should be updated).
Screenshots
N/A
System information
OS: MacOS 10.15.3
Additional context
If I modify the Interest list to allow updates from everyone (i.e. update: userIsAdmin --> update: true), the update succeeds as expected.
Hey bud 👋 The relationship integrity part of this is covered in #1925 and has only recently been fixed. What version of KS was this on? If you're on Keystone ^8.0.0 you should only get a single relationship table.
That doesn't address your main question around how access control affects editing relationships though. I suspect this is by design but will defer to @timleslie.
Hey @molomby. Thanks for the detail. This case was definitely on an older version. Keen to know more about how permissions work on joining tables though (removing or adding relationships between many-many or even one-many relationships)
This should indeed now work. An update operation on a relationship field takes its access control fields from the list being updated, so in your case you are doing an updateUser, so the permission to perform the connect operations would be determined from the User list. If you did an updateInterests and updated the users field, the access control would be determined from the Interests field. You need to be a little bit careful when setting up the access control on related fields, as the same piece of data (the join table in the DB) can have different access control rules depending on which list you attempt to access it from.
I'm going to close out this issue now, but if you can reproduce the error with the latest versions, or anything is still unclear then feel free to reopen this issue or create a new issue 👍
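To make the rule in the reply above concrete, here is an added illustration; it is not Keystone's own code and was not posted by anyone in this thread. It models the stated behaviour (a connect on a relationship field is authorised by the `update` access of the list named in the mutation, and the other side of the relationship is not consulted) with list definitions in the shape of a Keystone list config. The list shapes, the `userIsAdmin` / `userIsAdminOrOwner` helpers, the session object and the audit helper are all constructed for the example.

```javascript
// Added illustration, not Keystone's own code. Models the rule from the
// maintainer's reply: a connect/disconnect on a relationship field is
// authorised by the `update` access of the list the mutation targets, so the
// same join-table row can be writable from one list and locked on the other.

// Constructed access helpers in the Keystone "imperative" style (function of
// the mutation context). `userIsAdmin` mirrors the name used in the issue.
const userIsAdmin = ({ authentication: { item } = {} }) => Boolean(item && item.isAdmin);

// Non-admins may update only their own record.
const userIsAdminOrOwner = ({ authentication: { item } = {}, itemId }) =>
  Boolean(item && (item.isAdmin || item.id === itemId));

// Constructed list definitions in the shape of a Keystone list config.
const lists = {
  User: {
    fields: { interests: { type: 'Relationship', ref: 'Interest.users', many: true } },
    access: { read: true, create: true, update: userIsAdminOrOwner, delete: userIsAdmin },
  },
  Interest: {
    fields: { users: { type: 'Relationship', ref: 'User.interests', many: true } },
    access: { read: true, create: userIsAdmin, update: userIsAdmin, delete: userIsAdmin },
  },
};

// Evaluate a static (boolean) or imperative (function) access rule.
function allowed(rule, args) {
  return typeof rule === 'function' ? Boolean(rule(args)) : Boolean(rule);
}

// Model of the behaviour described in the thread: `listKey` is the list named
// in the mutation (updateUser -> 'User'); only its `update` rule decides.
function canConnect(listKey, fieldKey, session, itemId) {
  const list = lists[listKey];
  const field = list && list.fields[fieldKey];
  if (!field || field.type !== 'Relationship') {
    throw new Error(`${listKey}.${fieldKey} is not a relationship field`);
  }
  return allowed(list.access.update, { authentication: session, itemId, listKey });
}

// Audit helper (constructed): for one probe session and item id, report
// two-sided relationships whose `update` access differs between the two
// lists, i.e. joins that can be edited from one side but not the other.
function asymmetricRelationships(listsConfig, session, itemId) {
  const seen = new Set();
  const findings = [];
  for (const [listKey, list] of Object.entries(listsConfig)) {
    for (const [fieldKey, field] of Object.entries(list.fields)) {
      if (field.type !== 'Relationship' || !field.ref.includes('.')) continue;
      const [refList, refField] = field.ref.split('.');
      const pair = [`${listKey}.${fieldKey}`, `${refList}.${refField}`].sort().join(' <-> ');
      if (seen.has(pair)) continue; // each two-sided relationship is reported once
      seen.add(pair);
      const ctx = { authentication: session, itemId };
      const here = allowed(list.access.update, { ...ctx, listKey });
      const there = allowed(listsConfig[refList].access.update, { ...ctx, listKey: refList });
      if (here !== there) findings.push({ pair, [listKey]: here, [refList]: there });
    }
  }
  return findings;
}

// Constructed session: a non-admin user editing their own record (id 'u1').
const alice = { item: { id: 'u1', isAdmin: false } };

console.log('updateUser connect allowed for owner:', canConnect('User', 'interests', alice, 'u1'));
console.log('updateInterest connect allowed for non-admin:', canConnect('Interest', 'users', alice, 'i1'));
console.log('asymmetric relationships for alice:', asymmetricRelationships(lists, alice, 'u1'));
```

The audit is the check to run when the intent is "non-admins must never change User/Interest links": with the config above it reports the `User.interests <-> Interest.users` pair as writable from the User side and locked from the Interest side, which is exactly the situation the reply warns about.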