[Bug/Wrong way] when limited access resource by searchQuery

ThanhSonITNIC commented 3 weeks ago

Description

Product (hasMany Pricing) Pricing (belongsTo Tax): product_id, tax_id, salesman_display

PricingResource: _only return for salesman when salesman_display is true_

public function searchQuery(RestRequest $request, Builder $query)
{
    if (auth()->user()->isSalesman()) {
        return $query->where('salesman_display', true);
    }

    return $query;
}

When filter Product includes.relation: 'pricings' then query:
```
select * from `pricings` where `pricings`.`product_id` in (?, ?, ?) and `salesman_display` = ?
```
-> SQL is include salesman_display=true
But when filter Product includes.relation: 'pricings.tax' then query:
```
select * from `pricings` where `pricings`.`product_id` in (?, ?, ?)
select * from `taxes` where `taxes`.`id` in (?)
```
-> SQL is not include salesman_display, so limited access Pricing is not working, it's return all Pricing

GautierDele commented 3 weeks ago

Hello,

I think i'm seeing what you mean, for me each resource needs to be secured its own way so you should also impact the tax query in your way because your resource could also be accessed directly and it won't be secured

Tell me if it's fixing your problem

ThanhSonITNIC commented 3 weeks ago

hmm, TaxResource should be public for all, Pricing is limited. Schema including Product.Pricing.Tax: this mean Tax only belongs when Pricing is present

GautierDele commented 2 weeks ago

then if the resource should be public you shouldn't impact the "search query" but instead apply a filter on your include

Lomkit / laravel-rest-api

[Bug/Wrong way] when limited access resource by searchQuery #119

Description