-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Bug - @auth GraphQL @hasInverse Security Hole #8193
Comments
Let me try to help explain this. I think you missed one of the explanations from the discuss post linked so I was really confused. The mutation you posted above of What wouldn't respect the Let's try to explain it with a better example. # GraphQL Schema
type User @auth({
update: { rule: "query { queryUser(filter:{not: {archived:true}}){ id } }" }
}) {
id: ID!
username: String! @id
accounts: [Account]
archived: Boolean! @seach
}
type Account {
number: String! @id
for: User! @hasInverse(field: "accounts")
} Logically we don't want to be able to update any Users that are archived. We would think that this would include ALL predicates AND edges. So in theory we would not be able to add the equivalent of any triple (through the GraphQL API) that has the subject of a User that has a predicate value of Which is partially true. We cannot directly run any But, what we can do [which is the bug] is create or update an account and link/unlink it to/from an existing User that is archived, which will create/delete the inverse edge having the subject of the restricted User. For some situations this may be wanted. For instance You might have a rule that prevents someone from creating/updating Users, but you want to allow them to create accounts for users. So in order to make a node and all of it's outbound edges 100% immutable, you have to either choose to not use the More or less this is another reason that shows the need for field level auth. And to make sure that field level auth is not just for predicate values, but also edges. |
This issue has been stale for 60 days and will be closed automatically in 7 days. Comment to keep it open. |
Really important to at least know and document if not fix. |
https://discuss.dgraph.io/t/cant-update-node-to-create-edge-due-to-auth-rules/13061
https://discuss.dgraph.io/t/bug-auth-rules-of-parent-not-respected-when-child-with-hasinverse-is-added/12955/5
Even if you have an @auth rule on a node, the inverse node can still be created:
schema.graphql
mutation
query - Node was indeed created!
Update-Rules of parent should be respected when an inverse connection exists.
This is a HUGE security risk. However, as @amaster507 said, this may should not be fixed until the field-level-auth feature is implemented in order to protect the individual fields.
J
The text was updated successfully, but these errors were encountered: