wp-graphql / wp-graphql-acf

WPGraphQL for Advanced Custom Fields
https://wpgraphql.com/acf

User object is null inside a repeater, missing email outside of repeater. #137

Closed zync09 closed 3 years ago

zync09 commented 4 years ago

Hey ya mate, firstly huge thanks on this plugin, it's been great so far.

I'm having a small issue where a user object is null inside a repeater. Well I should clarify. It's fine in GraphiQL in wordpress. But in my NUXT app or even postman, it's null - that's when it's in a repeater.

Outside of a repeater email address is also null in the user object but at least the ID firstname and last name come through.

Any ideas what could be up with that?

In Postman: [image]

In GraphiQL: [image]

jasonbahl commented 4 years ago

@zync09 this might be a capabilities issue.

Users in WordPress are considered private unless they've published content. A user with no published content is considered private. For the users that are not showing in the repeater, my guess is they are not published authors?

Email addresses of users are also considered private.

The reason you can see this data in WPGraphiQL is because you are authenticated and you have permission to see that data, but when you're not authenticated you don't have permission to see it.

If you want to display information about people that are not published authors of content, consider using a Custom Post Type to show that information?

zync09 commented 4 years ago

Cheers @jasonbahl

I did think about that originally and it is a custom post type at the moment with users in an ACF field.

[image]

I originally was working with a custom REST API endpoint and that was fetching the data fine (a bit over-fetching things I didn't need, hence why I'm trying out GraphQL now), but I'm guessing because it was custom that's why the user fields had no issues coming across, hey.

Sorry, I know this is probably not an issue with the plugin now, but what do you mean by using a custom post type?

zync09 commented 4 years ago

Also tried your suggestion and tried making another user the author of a test post. But their details still didn't come through. All I need about the user is their name and ID really; it's for an RSVP page for a wedding.

Edit: Actually sorry that's not true. These users need to be able to log into the site as well and set their RSVP Status.

And just did some more testing with ACF in a standard REST endpoint, not custom. That data comes through fine with the users. So maybe it's not a WordPress issue, just the way the plugins display their data? Is it possible to add this support to ACF GraphQL?

[image]

zync09 commented 4 years ago

Don't suppose you know whereabouts I could begin looking for this to change? I wouldn't mind helping to contribute to the plugin if I am able to.

lejager commented 4 years ago

@zync09 were you able to solve this? I'm also stuck on this issue. Any insight would be much appreciated!

esamattis commented 4 years ago

Maybe this is a duplicate of #167.

Does this workaround help? https://github.com/wp-graphql/wp-graphql-acf/issues/167#issuecomment-734312502

jasonbahl commented 3 years ago

In my testing with v0.5.2 (and my testing for upcoming v0.6.0 (#262)), this appears to be working as I would expect.

I've created a field group like described:

[screenshot: field group]

Then, I go to edit the post and I add one family member that is a published author (jasonbahl), and one family member that is not a published author (b_jasonbahl):

[screenshot: repeater with two family members]

ACF 2 REST API will show both users and all the user data, including email addresses, first names and last names. While this seems helpful, this behavior is a violation of WordPress Access Control rights.

Users that have not published content of a public post_type are considered non-public entities by WordPress. For example, visiting the archive URL for an unpublished user will return a 404. As far as public users of WordPress are concerned, these users don't exist.

Once users have published content of a public post_type, they become public entities. You can visit the archive URL for the user and not get a 404. But not every property of a User is public.

Users have a display name which is used publicly, while the first and last name of the user are not exposed publicly.

ACF 2 REST API is violating WordPress Access Control rights by exposing this information publicly.

You can take the ID of one of these users and put it in the core REST endpoint /wp-json/wp/v2/posts/$id and see that the email, first name, and last name are not exposed.

[screenshot: core REST endpoint response]

WordPress core keeps this data private, but ACF 2 REST API is making it public.

Based on the screenshot you shared with this data blacked out, I believe you also have the expectation that this data should be private and random visitors to your REST / GraphQL endpoints shouldn't be able to get this data. 😄

Anyway, based on this understanding of Access Control rights, we can query the data like so:

v0.5.2

{
  post(id: 2179, idType: DATABASE_ID) {
    id
    postTest {
      familyMembers {
        familyMember {
          name
          email
        }
      }
    }
  }
}

Authenticated Request:

As an authenticated user, I can see both family members, including email addresses.

[screenshot: v0.5.2 authenticated response]

Public Request:

As a public, non-authenticated requestor, I can only see the published author, and while I can see the published author's name, I cannot see the email address of the published author, because email addresses are still considered private, even for published authors.

[screenshot: v0.5.2 public response]

v0.6.0

The Schema is changing a bit for WPGraphQL for ACF v0.6.0, but the behavior is largely the same regarding Access Control.

{
  post(id: 2179, idType: DATABASE_ID) {
    id
    postTest {
      familyMembers {
        familyMember {
          node {
            name
            email
          }
        }
      }
    }
  }
}

Authenticated Request:

As an authenticated user, I can see both family members, including email addresses.

[screenshot: v0.6.0 authenticated response]

Public Request:

As a public, non-authenticated requestor, I can only see the published author, and while I can see the published author's name, I cannot see the email address of the published author, because email addresses are still considered private, even for published authors.

[screenshot: v0.6.0 public response]


I'm going to close this issue, as I believe it's working as expected.

If you want to expose fields such as email publicly, you can filter the WPGraphQL Model layer to allow these fields, which are private by default, to be publicly exposed.

This snippet shows how to filter the WPGraphQL Model layer to add a field to the model: https://www.wpgraphql.com/recipes/filter-to-add-restricted-field-on-model/

If you wanted to allow the email field to be exposed to public, non-authenticated requests, you could modify that filter like so:

// Allow the User "email" field to be returned to every requester, including
// anonymous ones. Only add fields here that you are happy to make public.
add_filter( 'graphql_allowed_fields_on_restricted_type', function( $fields, $model_name ) {
    // 'UserObject' is the model name WPGraphQL uses for users.
    if ( 'UserObject' === $model_name ) {
        $fields[] = 'email';
    }
    return $fields;
}, 10, 2 );
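The thread turns on one check that is easy to get wrong: the same query, sent once anonymously and once authenticated, and a comparison of which user nodes and which private fields come back in each. The following Python script is an added example for this thread, not code from wp-graphql-acf or from any participant. It builds the v0.6.0-shaped query from jasonbahl's last comment, runs it both ways against an endpoint, and reports a leak whenever a field WPGraphQL treats as private (here, email) is non-null in the anonymous response. The field group name `postTest`, post ID 2179, the `WPGRAPHQL_TOKEN` bearer token, and the two sample responses are assumptions constructed to mirror the screenshots described above.

```python
"""Audit which ACF user-relationship fields a WPGraphQL endpoint exposes to an
anonymous caller versus an authenticated one, so that a "null inside the
repeater" result can be told apart from an accidental disclosure.

Added example for this thread; not code from wp-graphql-acf. The field group
name `postTest`, the post ID, and the bearer-token login are assumptions.
"""
import json
from typing import Any, Dict, List, Optional
from urllib import request

# Query in the WPGraphQL for ACF v0.6.0 shape used in the thread.
QUERY = """
query FamilyMembers($id: ID!) {
  post(id: $id, idType: DATABASE_ID) {
    id
    postTest {
      familyMembers {
        familyMember {
          node {
            name
            email
          }
        }
      }
    }
  }
}
"""

# User fields WPGraphQL withholds from requesters who lack permission to view them.
PRIVATE_USER_FIELDS = ("email",)


def graphql_request(endpoint: str, variables: Dict[str, Any],
                    auth_header: Optional[str] = None) -> request.Request:
    """Build the GraphQL POST. auth_header (e.g. 'Bearer <jwt>') is only set for
    the authenticated run, so the public run is a genuinely anonymous request."""
    headers = {"Content-Type": "application/json"}
    if auth_header:
        headers["Authorization"] = auth_header
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    return request.Request(endpoint, data=body, headers=headers, method="POST")


def fetch(endpoint: str, variables: Dict[str, Any],
          auth_header: Optional[str] = None) -> Dict[str, Any]:
    """Send the request and decode the JSON body (network; unused in the offline demo)."""
    with request.urlopen(graphql_request(endpoint, variables, auth_header), timeout=10) as resp:
        return json.load(resp)


def member_nodes(response: Dict[str, Any]) -> List[Optional[Dict[str, Any]]]:
    """Return the resolved user node for every repeater row, with None where the
    server withheld the user (what the thread describes for non-published authors)."""
    post = (response.get("data") or {}).get("post") or {}
    rows = (post.get("postTest") or {}).get("familyMembers") or []
    return [(row.get("familyMember") or {}).get("node") for row in rows]


def exposure_report(public: Dict[str, Any], authenticated: Dict[str, Any]) -> Dict[str, Any]:
    """Compare anonymous and authenticated views. Any private field that comes
    back non-null in the anonymous response is reported as a leak."""
    pub_nodes, auth_nodes = member_nodes(public), member_nodes(authenticated)
    leaks = [
        {"user": node.get("name"), "field": field}
        for node in pub_nodes if node is not None
        for field in PRIVATE_USER_FIELDS if node.get(field) is not None
    ]
    return {
        "rows": len(auth_nodes),
        "visible_to_public": sum(1 for n in pub_nodes if n is not None),
        "visible_authenticated": sum(1 for n in auth_nodes if n is not None),
        "public_leaks": leaks,
    }


# Constructed responses modelled on the thread's screenshots, not real server output.
# Post 2179 has the global ID "cG9zdDoyMTc5" (base64 of "post:2179").
SAMPLE_AUTHENTICATED = {"data": {"post": {"id": "cG9zdDoyMTc5", "postTest": {"familyMembers": [
    {"familyMember": {"node": {"name": "jasonbahl", "email": "jason@example.com"}}},
    {"familyMember": {"node": {"name": "b_jasonbahl", "email": "b@example.com"}}},
]}}}}
SAMPLE_PUBLIC = {"data": {"post": {"id": "cG9zdDoyMTc5", "postTest": {"familyMembers": [
    {"familyMember": {"node": {"name": "jasonbahl", "email": None}}},  # published author, email withheld
    {"familyMember": None},                                           # not a published author
]}}}}

if __name__ == "__main__":
    import os
    import sys
    if len(sys.argv) == 3:  # live audit: python audit.py https://site.example/graphql 2179
        endpoint, variables = sys.argv[1], {"id": int(sys.argv[2])}
        token = os.environ.get("WPGRAPHQL_TOKEN")  # assumed: a JWT issued by an auth plugin
        public = fetch(endpoint, variables)
        authed = fetch(endpoint, variables, f"Bearer {token}") if token else public
        print(json.dumps(exposure_report(public, authed), indent=2))
    else:
        print(json.dumps(exposure_report(SAMPLE_PUBLIC, SAMPLE_AUTHENTICATED), indent=2))
```

Run without arguments it evaluates the two constructed responses and reports one user visible publicly, two visible when authenticated, and no leaks, which is the expected-behaviour outcome described in the thread. Run against a real endpoint after applying the `graphql_allowed_fields_on_restricted_type` filter above, the `public_leaks` list will list every user whose email is now served to anonymous callers, which is the trade-off that filter makes.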