Fix issue 13454. Allow to query checkout by ID as unauthorized user #15768
…hen checkout.user is set.
Hello @i-so-late thank you for your contribution!
Hello, thank you for your response. Based on my understanding, what I need to do is to modify the three testing functions in pytest to adapt to the new logic. Then I would begin to work on this and submit a new PR.
@i-so-late
Hello, I've encountered an issue when modifying a pytest test case. After changing the function logic in Thank you.
Hello @i-so-late, the difference between those tests are different graphql queries. When you try to access
Hey @i-so-late let me know if you intend to finish this PR so we know if we should wait or update it and merge 🙌
Hello @i-so-late thanks for your contribution to the project! I'm closing this PR since this change was introduced here as a part of 3 separate issues.
Description
This pull request relates to issue #13454.
Before the change, the `checkout` query doesn't allow fetching the checkout by ID when the checkout.user field is set and an unauthorized user sends the request. The logic of this query is as follows: if `checkout.user` is not set, it returns `checkout`. If `checkout.user` is set, `checkout` is returned only when the currently authenticated user corresponds to `checkout.user`. Therefore, unauthenticated users cannot query `checkout` by ID.
Now, according to the instructions in the issue, when the channel is active, `checkout` will always be returned.
Testing
This pull request utilizes both pytest and manual testing. For manual testing, after running the project locally, I followed the instructions in the documentation to create a token in the GraphQL interface and then created and queried checkouts. The results were as expected.
For pytest, after running the test sets, `test_anonymous_client_cant_fetch_checkout_with_attached_user`, `test_query_customer_checkout_as_anonymous_customer` and `test_query_other_customer_checkout_as_customer` failed, which also was expected since the logic of this function has changed.
Impact
Docs
In the #Permissions# section, if we apply this change, we need to modify this description. Because now querying checkout only requires using the ID.
Pull Request Checklist
`ADDED_IN_X`, `PREVIEW_FEATURE`, etc.)
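The access rule before and after this change, modelled as an added example that is not part of the pull request or the project's code: it enumerates owner, requester and channel state and returns the combinations that become readable, which are the cells a reviewer would want the updated tests to cover. The `Checkout` class, the function names and the sample users are hypothetical; the old rule ignoring the channel and an inactive channel returning nothing are assumptions, since the description does not state either.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Checkout:
    # Hypothetical stand-in for the checkout object, not the project's model.
    user: Optional[str]   # owner attached to the checkout, None when unset
    channel_active: bool


def can_fetch_before(checkout: Checkout, requester: Optional[str]) -> bool:
    """Old rule as the description states it.

    Assumption: the channel is ignored here because the description
    does not say how the old query treated it.
    """
    if checkout.user is None:
        return True
    return requester is not None and requester == checkout.user


def can_fetch_after(checkout: Checkout, requester: Optional[str]) -> bool:
    """New rule: an active channel is the only condition.

    Assumption: an inactive channel returns no checkout.
    """
    return checkout.channel_active


def newly_readable() -> List[Tuple[Optional[str], Optional[str], bool]]:
    """Return (owner, requester, channel_active) cells denied before, allowed after."""
    owners = [None, "alice"]             # constructed sample users
    requesters = [None, "alice", "bob"]  # anonymous, owner, other customer
    cells = []
    for owner, requester, active in product(owners, requesters, [True, False]):
        checkout = Checkout(user=owner, channel_active=active)
        denied_before = not can_fetch_before(checkout, requester)
        if denied_before and can_fetch_after(checkout, requester):
            cells.append((owner, requester, active))
    return cells


if __name__ == "__main__":
    for owner, requester, active in newly_readable():
        who = requester or "anonymous"
        print(f"owner={owner} requester={who} channel_active={active}: denied -> allowed")
```

Under this model the only cells that change from denied to allowed are the anonymous requester and a different customer, both against a checkout that has a user attached in an active channel.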