alaister
April 8, 2021, 11:22am
1
Hello,
type User
@auth(
query: {
rule: """
query ($USER: ID!) {
queryUser(filter: {id: [$USER]}) {
id
}
}
"""
}
) {
id: ID!
name: String!
}
# Dgraph.Authorization {...}
I would assume that this would allow users to only see their own user nodes. However when I run:
{
queryUser {
id
name
}
}
I get back all the users in my system. Am I doing something wrong here? I’m new to Dgraph’s auth system so I could have just missed something.
Thanks
amaster507
April 8, 2021, 12:31pm
2
What version of Dgraph are you running? This may be related to this fix in the recent 21.03.0 release.
Fix(GraphQL): Fix @auth rules evaluation in case of null variables in custom claims. (#7380 )
alaister
April 8, 2021, 12:33pm
3
I’m using Slash GraphQL, so v20.11.2.
repomaa
April 17, 2021, 10:32am
4
I had the exact same problem. The weird thing is: if i encode the username in the token instead of the id and use that in the auth query, it works.
Once 21.03 is released, I would be curious to see if the problem exists. Should be before May 1st.
J
minhaj
April 20, 2021, 3:51am
8
Hi @alaister , I have reproduced this locally. Accepting this as a bug. Will try to prioritize this bug fix.
3 Likes
minhaj
May 3, 2021, 4:33am
9
This issue has been fixed in the master. See this PR for more details.
1 Like
alaister
May 3, 2021, 4:36am
10
Thanks! Any idea when this will be in Slash GraphQL?
kolmez
August 5, 2021, 12:16pm
11
Update, I just tested this and it seems like this fix isn’t available in the v21.03 release, or am I wrong? Is there a way around this? IMO this is a serious security issue… authorizing to see only your account should be the default expected behaviour, or not?
jackl
September 20, 2021, 5:21pm
12
@minhaj This does not seem to be fixed. I’m using v21.03. When I add this as a rule, it grants access to any User.