Access rules apply to returned response based on graphql type

gahabeen · December 2, 2020, 11:32am

I struggled to understand why in the following situation my request would fail:

create a custom resolver that fetch protected content (with all permissions)
give permission to the “Guest” role to call this custom resolver
when Guest call the resolver, request fails even though the resolver execute properly

Reason is, iI had set in my GraphQL Response Schema definition that the response contained the restricted resource type. (like { result: Foo } where Foos would be a restricted table to Guest role).

I thought allowing Guest to call the function was enough to run a restricted operation but you also need to avoid using the type in the response to avoid rules check. (I turned it into JSON as I - any - control the content sent from the resolver).

sebastian.scholl · December 2, 2020, 3:28pm

So just because the custom resolver is permitted to the Guest role doesn’t mean the API calls made inside the custom resolver are Permitted - as those API calls are treated independently.

If you want to make a call using the ctx.api and have permissions ignored, use:

ctx.api.gqlRequest(SOME_QUERY, { ...variables }, { checkPermissions: false })

gahabeen · December 2, 2020, 5:06pm

@sebastian.scholl So I did understood that part. The queries inside run all very well. It’s only when returning the result of some fetched documents within the response that fail.

Example: if within that resolver I retrieve a User document and I set as a response type { result: User }, it seems like your rule system is triggering a warning when seeing the type and applying read User rules to allow or not the result to be passed on.

sebastian.scholl · December 23, 2020, 3:41am

Hmmmmmm…this isn’t something we’d validate at that level of a custom resolver. Do you have the schema.graphql file and resolver handler to share?