GraphQl public catalog endpoints expose some data that should not be visible #30625
Comments
Hi @rogyar. Thank you for your report.
Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:
For more details, please, review the Magento Contributor Assistant documentation. Please, add a comment to assign the issue:
🕙 You can find the schedule on the Magento Community Calendar page. 📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket. 🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel. ✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel.
Agree with these as well:
But if we remove them, will need to make sure sorting in categories still works (ex: if the category products are sorted by
I can see a case where you have a "promotion" of a price and you want to say until when it's available: "1 day left". The problem is that removing fields is backward incompatible and should be approved.
@cpartica. Thanks for sharing your thoughts, it makes sense. As for the architectural proposal, if you could create that, it would be great. Thanks!
@rogyar could you please link the PR?
@magento I'm working on it
Hi @cspruiell. Thank you for working on this issue.
Hi @mauragcyrus. Thank you for working on this issue.
Hi @cpartica. Thank you for working on this issue.
Preconditions (*)
CatalogGraphQl module enabled
Steps to reproduce (*)
Take a look at the ProductInterface
It allows retrieving some data for the non-authorized users that we usually expose neither on the standard storefront nor with the REST API.
For example, the following fields
special_from_date
special_to_date
are not supposed to be visible for a non-authorized client, since this data exposes information about a sales period that should be hidden by default.
The same applies to
created_at
updated_at
websites
attribute_set_id
Expected result (*)
Actual result (*)
Proposed solution
At least, remove the following fields from the schema
special_from_date
special_to_date
The other fields mentioned in the issue need to be discussed
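As an added example (not part of the issue or of Magento's code), a small schema audit in Python that flags the fields listed above wherever they appear on a type in a GraphQL SDL fragment and applies the proposed remediation of removing them from the schema; the SDL fragment is constructed for illustration and is not Magento's actual schema.graphqls.

```python
import re

# Fields the issue flags as inappropriate for anonymous catalog clients.
SENSITIVE_FIELDS = frozenset({
    "special_from_date", "special_to_date",                      # reveal the sale window
    "created_at", "updated_at", "websites", "attribute_set_id",  # internal store metadata
})

# Constructed SDL fragment for illustration; not Magento's actual schema.graphqls.
SAMPLE_SDL = """
interface ProductInterface {
    id: Int @deprecated(reason: "Use uid instead.")
    name: String
    special_price: Float
    special_from_date: String
    special_to_date: String
    created_at: String
    updated_at: String
    websites: [Website]
    attribute_set_id: Int
}
type Website {
    id: Int
    name: String
}
"""

# One type/interface block: name, then its body up to the closing brace.
TYPE_BLOCK = re.compile(r"\b(?:type|interface)\s+(\w+)[^{]*\{(.*?)\}", re.S)
# A field declaration at line start: name, optional arguments, then the colon.
FIELD_LINE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*:", re.M)

def parse_sdl_fields(sdl):
    """Map every type/interface in the SDL to its field names, in declaration order."""
    return {name: FIELD_LINE.findall(body) for name, body in TYPE_BLOCK.findall(sdl)}

def audit_exposed_fields(sdl, denylist=SENSITIVE_FIELDS):
    """Report, per type, the denylisted fields still present; clean types are omitted."""
    hits = {t: [f for f in fs if f in denylist] for t, fs in parse_sdl_fields(sdl).items()}
    return {t: fs for t, fs in hits.items() if fs}

def strip_fields(sdl, type_name, fields):
    """Return the SDL with the given fields removed from one type: the issue's proposed fix."""
    def rewrite(m):
        if m.group(1) != type_name:
            return m.group(0)
        kept = [ln for ln in m.group(2).splitlines()
                if (fm := FIELD_LINE.match(ln)) is None or fm.group(1) not in fields]
        head = m.group(0)[: m.start(2) - m.start()]  # "interface Name {" prefix
        return head + "\n".join(kept) + "\n}"
    return TYPE_BLOCK.sub(rewrite, sdl)
```

Running `audit_exposed_fields` against a deployed schema (for example an introspection dump converted to SDL) before and after a change gives a repeatable check that removed fields stay removed.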