Filters of @authorization directive are not taken into account for top-level aggregate queries #4840

Closed
andreloeffelmann opened this issue Mar 7, 2024 · 5 comments
@andreloeffelmann

Describe the bug
When invoking a top-level aggregate query the @authorization filter directive is not taken into account.
Instead, the count of all existing data is returned.

Type definitions

    type Product @authorization(filter: [{requireAuthentication: false, operations: [READ], where: {AND: [{node:{isPublic:true}}] }}]) {
      name: String
      isPublic: Boolean!
    }

To Reproduce
Steps to reproduce the behavior:

  1. Execute the following Mutation:

        mutation {
          createProducts(input: [{ name: "1" isPublic:true }{ name: "2" isPublic:false }]) {
            info {
              nodesCreated
            }
          }
        }

  2. Then run the following Query:

        query {
          productsAggregate{
            count
          }
        }

  3. A count of 2 instead of 1 is returned.

Expected behavior
It seems that the filter of the @authorization directive is not taken into account for the aggregate query. The query should return a count value of 1 instead of 2.

System (please complete the following information):

  • Version: @neo4j/graphql@5.1.0
@andreloeffelmann andreloeffelmann added the bug report Something isn't working label Mar 7, 2024
@neo4j-team-graphql
Collaborator

Many thanks for raising this bug report @andreloeffelmann. 🐛 We will now attempt to reproduce the bug based on the steps you have provided.

Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:

  • Type definitions
  • Resolvers
  • Query and/or Mutation (or multiple) needed to reproduce

If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket.

Thanks again! 🙏

@neo4j-team-graphql neo4j-team-graphql added this to Bug reports in Bug Triage Mar 7, 2024
@mjfwebb
Contributor

mjfwebb commented Mar 7, 2024

Hi @andreloeffelmann, please use the AGGREGATE operation instead of READ inside your @authorization arguments:

    type Product
        @authorization(
            filter: [
                {
                    requireAuthentication: false
                    operations: [AGGREGATE]
                    where: { AND: [{ node: { isPublic: true } }] }
                }
            ]
        ) {
        name: String
        isPublic: Boolean!
    }

Edit:

Also worth noting AGGREGATE can be added to the list of operations, instead of being the only entry:

    type Product
        @authorization(
            filter: [
                {
                    requireAuthentication: false
                    operations: [READ, AGGREGATE]
                    where: { AND: [{ node: { isPublic: true } }] }
                }
            ]
        ) {
        name: String
        isPublic: Boolean!
    }

@andreloeffelmann
Author

Hi @mjfwebb, thanks for the quick reply!
I can confirm that this works :)
Unfortunately I found nothing about the several options for operations in the docs here. That's why I was not aware of this option and raised this bug.
Is this documented somewhere else? What other options are allowed for the operations field?

@mjfwebb
Contributor

mjfwebb commented Mar 7, 2024

Oh, I'm sorry about that! I'll ensure the documentation is updated ASAP. As you say, it is missing.

The options available for the operations field for the directives are as follows:

Authentication directive

READ
AGGREGATE
CREATE
UPDATE
DELETE
CREATE_RELATIONSHIP
DELETE_RELATIONSHIP
SUBSCRIBE

Authorization directive

filter:

READ
AGGREGATE
UPDATE
DELETE
CREATE_RELATIONSHIP
DELETE_RELATIONSHIP

validate:

READ
AGGREGATE
CREATE
UPDATE
DELETE
CREATE_RELATIONSHIP
DELETE_RELATIONSHIP

@andreloeffelmann
Author

Oh wow, that's a lot more supported functionality than I was aware of :)
Thanks for the clarification!
This can be closed.

@MacondoExpress MacondoExpress moved this from Bug reports to In review in Bug Triage Mar 12, 2024
@MacondoExpress MacondoExpress moved this from In review to Done (current month) in Bug Triage Mar 12, 2024
@darrellwarde darrellwarde moved this from Done (current month) to Closed in Bug Triage Mar 15, 2024
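
The gap reported in this issue, a `filter` rule that lists `READ` but not `AGGREGATE`, can be checked for across a schema before deployment. The following is an added example, not code from the issue or from @neo4j/graphql; the `FixedProduct` type name and both helper functions are assumptions made for illustration, and the scan is a plain text pass over the SDL rather than a GraphQL parser.

```javascript
// Constructed sample SDL: Product is the rule from the issue report;
// FixedProduct (hypothetical name) carries the maintainer's corrected rule.
const typeDefs = `
type Product @authorization(filter: [{requireAuthentication: false, operations: [READ], where: {AND: [{node:{isPublic:true}}] }}]) {
  name: String
  isPublic: Boolean!
}
type FixedProduct
  @authorization(
    filter: [{ requireAuthentication: false, operations: [READ, AGGREGATE], where: { AND: [{ node: { isPublic: true } }] } }]
  ) {
  name: String
  isPublic: Boolean!
}`;

// Text between the bracket at index `open` and its matching close.
// Limitation: brackets inside string literals are not special-cased.
function balanced(src, open) {
  const pairs = { "(": ")", "[": "]", "{": "}" };
  const stack = [];
  for (let i = open; i < src.length; i++) {
    if (pairs[src[i]]) stack.push(pairs[src[i]]);
    else if (src[i] === stack[stack.length - 1]) stack.pop();
    if (stack.length === 0) return src.slice(open + 1, i);
  }
  throw new Error(`unbalanced bracket at offset ${open}`);
}
// Report filter rules whose explicit operations list has READ but not AGGREGATE.
function findReadWithoutAggregate(sdl) {
  const findings = [];
  for (const m of sdl.matchAll(/\btype\s+(\w+)[^{]*?@authorization\s*\(/g)) {
    const args = balanced(sdl, m.index + m[0].length - 1);
    const f = /\bfilter\s*:\s*\[/.exec(args);
    if (!f) continue;
    const rules = balanced(args, f.index + f[0].length - 1);
    for (let i = 0; i < rules.length; i++) {
      if (rules[i] !== "{") continue;
      const rule = balanced(rules, i);
      i += rule.length + 1; // jump to this rule's closing brace
      const ops = /\boperations\s*:\s*\[([^\]]*)\]/.exec(rule);
      if (!ops) continue; // rules without an explicit list are not inspected
      const list = ops[1].split(/[\s,]+/).filter(Boolean);
      if (list.includes("READ") && !list.includes("AGGREGATE"))
        findings.push({ type: m[1], operations: list });
    }
  }
  return findings;
}
console.log(findReadWithoutAggregate(typeDefs));
```

Each finding names a type whose read filter would not constrain its `...Aggregate` query, which is the behaviour the issue describes for `productsAggregate`.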