I struggled to understand why in the following situation my request would fail:
- create a custom resolver that fetches protected content (with all permissions)
- give permission to the “Guest” role to call this custom resolver
- when Guest calls the resolver, the request fails even though the resolver executes properly
Reason is, I had set in my GraphQL Response Schema definition that the response contained the restricted resource type (like { result: Foo }, where Foo would be a table restricted to the Guest role).
I thought allowing Guest to call the function was enough to run a restricted operation, but you also need to avoid using the restricted type in the response, so that the rules check is not triggered. (I turned it into JSON, as I control the content sent from the resolver anyway.)
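To make the failure mode above concrete, here is a small toy model (added here, not code from the original post or from any GraphQL product) of a permission layer that checks a role against both the resolver being called and every non-scalar type that appears in the resolver's declared response. The role table, resolver name and type names are constructed for the illustration; the assumption is that the real product checks type-level rules in the same way.

```python
"""Toy model of a role-based GraphQL permission layer.

Two checks run per request: (1) may the role call the resolver, and
(2) may the role read every object type named in the response schema.
Scalars such as JSON carry no type-level rule, which is why switching
the response to JSON makes the Guest call succeed.
"""

# Constructed role permission table (assumption, not a product's format):
# resolvers the role may call, and object types the role may read.
ROLE_PERMISSIONS = {
    "Guest": {"resolvers": {"fetchProtected"}, "types": set()},
    "Authenticated": {"resolvers": {"fetchProtected"}, "types": {"Foo"}},
}

# Scalar types are opaque to the permission layer.
SCALARS = {"JSON", "String", "Int", "Boolean"}

# The two response schemas from the post: {result: Foo} vs {result: JSON}.
SCHEMA_WITH_TYPE = {"fetchProtected": {"result": "Foo"}}
SCHEMA_WITH_JSON = {"fetchProtected": {"result": "JSON"}}


def authorize(role, resolver, schema):
    """Return (allowed, reason) for a role calling a resolver under a schema."""
    perms = ROLE_PERMISSIONS.get(role)
    if perms is None or resolver not in perms["resolvers"]:
        return False, f"role {role} may not call {resolver}"
    # Second check: every object type in the declared response is subject
    # to the role's read rules, independently of the resolver permission.
    for field, typename in schema[resolver].items():
        if typename in SCALARS:
            continue
        if typename not in perms["types"]:
            return False, (f"response field '{field}' has type {typename}, "
                           f"which {role} may not read")
    return True, "ok"


if __name__ == "__main__":
    for schema_name, schema in (("Foo", SCHEMA_WITH_TYPE), ("JSON", SCHEMA_WITH_JSON)):
        allowed, reason = authorize("Guest", "fetchProtected", schema)
        print(f"Guest with result: {schema_name} -> {allowed} ({reason})")
```

With the JSON variant the type-level rule no longer applies, so the resolver body itself becomes the only place where what Guest receives is decided.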