Graphcool / graphcool-framework

Apache License 2.0

Bug: View permissions are not respected for relation fields #503

Open amcgee opened 6 years ago

amcgee commented 6 years ago

Current behavior

Querying a relation field (one-to-one, one-to-many, or many-to-many) which is not included in the fields list of a permissions parameter declaration incorrectly (and insecurely) ignores the permission declaration and traverses the relation.

Reproduction

(using a self-relation here for succinctness but any relation field yields the same result)

types.graphql

# Type is User: the issue describes this as a self-relation (bestBud: User on User)
# and every query below reads User(id: ...), so the name is corrected here.
type User @model {
  id: ID! @isUnique
  name: String!
  secretCodeName: String
  bestBud: User @relation(name: "UserBestBud")
}

graphcool.yml

...
permissions:
  - operation: User.read
    fields: ["id", "name"]
...

As expected, this query (executed without an authorization header) throws an InsufficientPermissions error:

query($someid: ID!) {
  User(id: $someid) {
    id
    name
    secretCodeName
  }
}

However, this query (also executed with no authorization header) does not:

query($someid: ID!) {
  User(id: $someid) {
    id
    name
    bestBud {
      id
      name
    }
  }
}

The ID and Name of the user's best bud are returned from the query with no errors thrown, even though the bestBud field is excluded from the "fields" list in the permission parameters declaration.

Expected behavior?

Permission declarations which identify the fields to which they are applied should not ignore relation fields. If a relation field is not included in the permission's field list, then a query requesting to traverse that relation and return nested elements should fail with an InsufficientPermissions error (as scalar fields correctly do now).


Again I am happy to look into making a pull request for this if you point me to the right section of code.
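The check the issue asks for, written out as an added example in Python (a model of the behaviour, not Graphcool's Scala code): a selected field that is absent from a rule's `fields` list is rejected whether it is a scalar or a relation, and traversing a relation then applies the related type's own read rules to the nested selection. The schema, permissions and queries are constructed from the issue's `types.graphql` and `graphcool.yml`; the `enforce_relation_fields` switch exists only to contrast the reported behaviour with the expected one. Everything else (`tokenize`, `parse_selection`, `SCHEMA`, `ROOT_FIELDS`) is an assumption of this example, and rule conditions such as `authenticated` or `query` are deliberately not modelled.

```python
"""Field-level read-permission check that covers relation fields.

Added example, not Graphcool's own code. It models the expected behaviour:
a rule with an explicit `fields` list gates relation fields exactly like
scalar fields, and relation traversal is checked against the related
type's own read rules.
"""
import re

# Constructed schema mirroring the issue's types.graphql.
# Each field maps to the related type name for a relation, or None for a scalar.
SCHEMA = {
    "User": {"id": None, "name": None, "secretCodeName": None, "bestBud": "User"},
}
# Constructed root query fields -> result type (assumption of this example).
ROOT_FIELDS = {"User": "User"}
# Constructed permissions mirroring the issue's graphcool.yml.
PERMISSIONS = [{"operation": "User.read", "fields": ["id", "name"]}]

# Constructed queries from the issue (argument values are irrelevant to the check).
SCALAR_QUERY = "query($someid: ID!) { User(id: $someid) { id name secretCodeName } }"
RELATION_QUERY = "query($someid: ID!) { User(id: $someid) { id name bestBud { id name } } }"


class InsufficientPermissions(Exception):
    """Raised when a selected field is outside every matching read rule."""


def tokenize(query):
    """Reduce a query to field names and braces; argument lists are dropped."""
    stripped = re.sub(r"\([^)]*\)", "", query)
    return re.findall(r"[_A-Za-z][_0-9A-Za-z]*|[{}]", stripped)


def parse_selection(tokens, pos):
    """Parse the `{ ... }` at tokens[pos] into {field: nested selection or None}."""
    if pos >= len(tokens) or tokens[pos] != "{":
        raise ValueError("expected '{'")
    pos += 1
    selection = {}
    while pos < len(tokens) and tokens[pos] != "}":
        name = tokens[pos]
        pos += 1
        if pos < len(tokens) and tokens[pos] == "{":
            selection[name], pos = parse_selection(tokens, pos)
        else:
            selection[name] = None
    if pos >= len(tokens):
        raise ValueError("unbalanced selection set")
    return selection, pos + 1


def allowed_fields(type_name, permissions):
    """Union of `fields` over read rules for the type; a rule without `fields` grants all.
    Simplification: every rule is treated as matching (no auth or query conditions)."""
    allowed = set()
    for rule in permissions:
        rule_type, op = rule["operation"].split(".")
        if rule_type == type_name and op == "read":
            allowed |= set(rule.get("fields") or SCHEMA[type_name])
    return allowed


def check_selection(type_name, selection, permissions, enforce_relation_fields, path=()):
    """Walk one selection set; raise InsufficientPermissions on any ungranted field."""
    allowed = allowed_fields(type_name, permissions)
    for field, nested in selection.items():
        field_path = ".".join(path + (field,))
        if field not in SCHEMA[type_name]:
            raise ValueError(f"unknown field {field_path}")
        related = SCHEMA[type_name][field]
        # Expected behaviour: the fields list applies to scalars AND relations.
        # With enforce_relation_fields=False, relations skip the check, which
        # reproduces the leak reported in the issue.
        if related is None or enforce_relation_fields:
            if field not in allowed:
                raise InsufficientPermissions(f"{field_path} is not permitted")
        if related is not None:
            # Traversal is checked against the related type's own read rules.
            check_selection(related, nested or {}, permissions,
                            enforce_relation_fields, path + (field,))


def authorize_query(query, permissions=PERMISSIONS, enforce_relation_fields=True):
    """Raise InsufficientPermissions if any selected field is ungranted; else return True."""
    tokens = tokenize(query)
    top, _ = parse_selection(tokens, tokens.index("{"))
    for root, nested in top.items():
        check_selection(ROOT_FIELDS[root], nested or {}, permissions,
                        enforce_relation_fields, (root,))
    return True


def is_authorized(query, permissions=PERMISSIONS, enforce_relation_fields=True):
    """Boolean form of authorize_query for quick comparisons."""
    try:
        return authorize_query(query, permissions, enforce_relation_fields)
    except InsufficientPermissions:
        return False


if __name__ == "__main__":
    print("scalar leak rejected:", not is_authorized(SCALAR_QUERY))
    print("relation leak, reported behaviour:", is_authorized(RELATION_QUERY, enforce_relation_fields=False))
    print("relation leak, expected behaviour:", is_authorized(RELATION_QUERY))
```

Running the module prints `True`, `True`, `False`: the scalar query is rejected either way, while the `bestBud` query passes only when relation fields are exempted from the `fields` list, which is the bug. Adding `bestBud` to the rule's `fields` allows the traversal but still blocks `bestBud { secretCodeName }`, because the nested selection is re-checked against `User.read`.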