VulcanJS / vulcan-npm

The full-stack JavaScript App Framework
https://vulcan-docs.vercel.app
MIT License

allow graphql operators in filter query #96

Closed GraemeFulton closed 2 years ago

GraemeFulton commented 2 years ago

GraphQL filters such as _and, _or or _not throw a permissions issue: "You don't have permission to filter model Letter by the following fields: $and. Field is not readable or do not exist." It looks like it's being treated as a field?

To reproduce the issue, try an _and query, something like this in /api/graphql:

query {
  vulcanUsers(
    input: { filter: { _and: [{ _id: { _eq: "61ccb24e536dde646bdb3080" } }] } }
  ) {
    results {
      _id
    }
  }
}

This patch will check if the permissions diff is a GraphQL operator, and allow the query to continue if so.

netlify[bot] commented 2 years ago

❌ Deploy Preview for vulcan-npm failed.

🔨 Explore the source changes: e812208e7c15b23f3483c31c58065f44084b2a94

🔍 Inspect the deploy log: https://app.netlify.com/sites/vulcan-npm/deploys/61cf02b744d5c1000868380b

eric-burel commented 2 years ago

I think the issue is higher up: the "fields" array should not contain the operators in the first place, but a list of all the fields in the selector (including nested ones). Also, I am not sure why we do this check against the actual Mongo selector ($and) and not the GraphQL selector (_and), but there might be a good reason (like handling views/parameters).

eric-burel commented 2 years ago

Solved in 0.4.11: the default query resolver was getting the wrong fields to test.
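
The approach discussed in this thread, building the list of fields in the selector (including nested ones) and checking those rather than the operators, sketched as an added example that is not Vulcan's code and not part of the original thread. The function names, the sample field names `email` and `passwordHash`, and the assumption that only `_and`, `_or` and `_not` nest filters are illustrative.

```javascript
// Added example, not Vulcan's implementation. Assumption: _and, _or and _not
// (the operators named in this thread) are the only keys that nest filters.
const LIST_OPERATORS = new Set(["_and", "_or"]);
const SINGLE_OPERATORS = new Set(["_not"]);

// Walk a GraphQL-style filter and return the set of document fields it touches.
function collectFilterFields(filter, fields = new Set()) {
  if (filter === null || typeof filter !== "object" || Array.isArray(filter)) {
    throw new TypeError("filter must be a plain object");
  }
  for (const [key, value] of Object.entries(filter)) {
    if (LIST_OPERATORS.has(key)) {
      if (!Array.isArray(value)) throw new TypeError(`${key} expects an array`);
      value.forEach((sub) => collectFilterFields(sub, fields));
    } else if (SINGLE_OPERATORS.has(key)) {
      collectFilterFields(value, fields);
    } else {
      // Anything else is treated as a field name, so an unknown key fails
      // the readability check instead of being waved through.
      fields.add(key);
    }
  }
  return fields;
}

// Return the filtered-on fields the current user may not read (empty = allowed).
function unreadableFilterFields(filter, readableFields) {
  const readable = new Set(readableFields);
  return [...collectFilterFields(filter)].filter((f) => !readable.has(f)).sort();
}

// Constructed sample: "email" and "passwordHash" are hypothetical field names.
const sampleFilter = {
  _and: [
    { _id: { _eq: "61ccb24e536dde646bdb3080" } },
    { _or: [{ email: { _eq: "a@example.com" } }, { _not: { passwordHash: { _eq: "x" } } }] },
  ],
};
console.log(unreadableFilterFields(sampleFilter, ["_id", "email"]));
```

Skipping the readability check whenever an operator appears would leave fields nested under `_and`, `_or` or `_not` unchecked; recursing through the operators keeps every filtered field subject to it.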