overblog / GraphQLBundle

This bundle provides tools to build a complete GraphQL API server in your Symfony App.
MIT License

Symfony AccessControl on Batching endpoint #1059

Closed jonasled closed 2 years ago

jonasled commented 2 years ago
Q A
Bug report? yes
Feature request? no
BC Break report? no
RFC? no
Version/Branch v0.15.0

Hi, I have a Symfony project with the security component and the GraphQLBundle. For the single query endpoint everything is working fine, but with the batching endpoint the role check isn't working. Below is my configuration.

Query.types.yaml:

Query:
  type: object
  config:
    description: "Sprint Board API Query"
    fields:
      items:
        type: "[Item]"
        description: "Returns a list of items, matching the given filters. All filters are combined with an AND operator."
        access: "@=hasRole('ROLE_ADMIN')"
        resolve: '@=resolver("getItems", [args])'
        args:
          team:
            type: "String"
            description: "The team to filter by"
            defaultValue: null

graphql.yaml:

overblog_graphql:
    definitions:
        schema:
            query: Query
            mutation: Mutation
        mappings:
            types:
                -
                    type: yaml
                    dir: "%kernel.project_dir%/config/graphql/types"
                    suffix: null
    batching_method: "apollo"

security.yaml:

security:
  enable_authenticator_manager: true
  # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
  password_hashers:
    Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
  # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
  providers:
    main:
      id: App\Security\UserProvider
  firewalls:
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      security: false
    main:
      lazy: true
      custom_authenticators:
        - App\Security\SessionAuthenticator
  access_control:
    # This was only added for testing, but this is also not working
    - { path: ^/api/graphql/batch, roles: ROLE_USER }
    - { roles: PUBLIC_ACCESS }

[Screenshot: batch_endpoint profiler]

Vincz commented 2 years ago

Hi @jonasled :) I'm not sure I really understand. Do you mean that the access: "@=hasRole('ROLE_ADMIN')" is ignored when using batching? From your screenshots, I don't see any particular problem as the - { path: ^/api/graphql/batch, roles: ROLE_USER } kicks first if the user is not connected, then the access should be checked. Do you mind to clarify?

jonasled commented 2 years ago

Yes, the hasRole is ignored. The entry in the security.yaml was only for testing; there is an active session with the admin and the user role, which also works for other endpoints (e.g. the graphql endpoint without batching). Only on the batching endpoint is this not working.

jonasled commented 2 years ago

OK, problem found, it was my fault. The Apollo Angular module doesn't include the session cookie.
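A server-side check for the situation in this thread, added here as an example and not code from the issue or from the bundle: a Symfony functional test that posts an Apollo-format batch to /api/graphql/batch once without any session cookie (the request the Angular client was actually sending) and once as a ROLE_USER-only account, so that firewall and field-level access on the batching endpoint are verified independently of what the client does. App\Entity\User and its setRoles() method are assumptions about the project, and App\Security\UserProvider is assumed to be able to refresh that class.

```php
<?php
// tests/Functional/GraphQLBatchAccessTest.php (added example, not part of the issue)
namespace App\Tests\Functional;

use App\Entity\User; // assumption: the user class App\Security\UserProvider loads and refreshes
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class GraphQLBatchAccessTest extends WebTestCase
{
    /** Apollo batching format: a JSON array of operations in a single POST body. */
    private const BATCH = [
        ['operationName' => 'Items', 'query' => 'query Items { items { id } }', 'variables' => []],
    ];

    /** Posts the batch and returns the decoded body, or null when the body is not JSON (e.g. a 401). */
    private function postBatch(KernelBrowser $client): ?array
    {
        $client->request('POST', '/api/graphql/batch', [], [],
            ['CONTENT_TYPE' => 'application/json', 'HTTP_ACCEPT' => 'application/json'],
            json_encode(self::BATCH, JSON_THROW_ON_ERROR));

        return json_decode($client->getResponse()->getContent(), true);
    }

    public function testAnonymousBatchRequestIsStoppedByTheFirewall(): void
    {
        // No session cookie at all: access_control (roles: ROLE_USER) must reject the request
        // before any resolver runs, so no item data may come back.
        $client = static::createClient();
        $body = $this->postBatch($client);

        $this->assertFalse($client->getResponse()->isSuccessful());
        $this->assertNull($body[0]['data']['items'] ?? null);
    }

    public function testUserWithoutAdminRoleIsDeniedTheItemsField(): void
    {
        $client = static::createClient();
        $user = new User();            // assumption: constructor and setRoles() exist on the project's user
        $user->setRoles(['ROLE_USER']);
        $client->loginUser($user);     // authenticated through the firewall, but not ROLE_ADMIN
        $body = $this->postBatch($client);

        // The field's access: "@=hasRole('ROLE_ADMIN')" must still apply on the batching endpoint:
        // overblog nulls the field and reports an error instead of returning items.
        $this->assertNull($body[0]['data']['items'] ?? null);
        $this->assertNotEmpty($body[0]['errors'] ?? []);
    }
}
```

Run it with `php bin/phpunit tests/Functional/GraphQLBatchAccessTest.php`; if the first test fails, the batching route is reachable without a session regardless of the client's cookie handling.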