
[BUG]: @auth rule not enforced properly for queries of type ...(filter: {id: ...}) {...} #8815

Open
leonhma opened this issue May 2, 2023 · 1 comment
Labels
community Issue or PR created by the community. kind/bug Something is broken. status/accepted We accept to investigate/work on it.

Comments


leonhma commented May 2, 2023

What version of Dgraph are you using?

I am using the free cloud tier, so this is the most I can do:

Built at 2021-05-28T22:00:10.859Z
Commit: 9debcc4
Commit Info: 9debcc4 Fri May 28 14:57:46 2021 -0700 (HEAD -> master, origin/master)

This is somewhere between 21.03.0 and 21.03.1

Tell us a little more about your go-environment?

...the cloud version...

Have you tried reproducing the issue with the latest release?

None

What is the hardware spec (RAM, CPU, OS)?

...again, the cloud version...

What steps will reproduce the bug?

For reference, this is a Stackoverflow question I created that has pretty much all info you would need in it: post. You add an @auth rule to the schema that looks like this: @auth(query: {rule: "query ($ID: [ID!]) {queryDevice(filter: {id: $ID}) {__typename} }"})...

Expected behavior and actual result.

...This uses the JWT claim ID and only lets the client access the entry corresponding to their own device. In theory. What actually happens is that the rule is not enforced. (I sure hope no one uses this feature in prod w/o testing). You are able to access the object as long as the precondition check (having the claim ID present in the JWT) is true. If you have one device's id -- or even gibberish for that matter -- inside this field, still, when querying using something like queryDevices {name} more than one result is returned.

Additional information

As Raphael noted on StackOverflow, using queries that don't depend on the id of an object works just fine.

@leonhma leonhma added the kind/bug Something is broken. label May 2, 2023
@mangalaman93 mangalaman93 added the status/accepted We accept to investigate/work on it. label May 3, 2023
@MichelDiz MichelDiz added the community Issue or PR created by the community. label May 5, 2023
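The following is an added test harness, not code from the issue or from the Dgraph project, for checking whether an `@auth` query rule of the kind quoted above is actually enforced. It mints an HS256 JWT carrying the `ID` claim the rule reads, sends an unfiltered `queryDevice` to a GraphQL endpoint, and flags any returned device whose `id` differs from the caller's claim. The endpoint URL, the signing secret, the `X-Auth-Token` header name, the `https://dgraph.io/jwt/claims` namespace, the `Device` type's `name` field and the two sample responses are all assumptions made for the example; the namespace and header must match whatever the schema's `# Dgraph.Authorization` line declares.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from typing import List, Optional

# Assumed schema under test. Only the @auth rule string is taken from the issue;
# the type name, the fields and the Dgraph.Authorization line are assumptions.
DEVICE_SCHEMA = """
type Device @auth(query: {rule: "query ($ID: [ID!]) {queryDevice(filter: {id: $ID}) {__typename} }"}) {
  id: ID!
  name: String!
}
# Dgraph.Authorization {"VerificationKey":"<secret>","Header":"X-Auth-Token","Namespace":"https://dgraph.io/jwt/claims","Algo":"HS256"}
"""

CLAIMS_NAMESPACE = "https://dgraph.io/jwt/claims"  # assumed; must match Dgraph.Authorization
AUTH_HEADER = "X-Auth-Token"                        # assumed; must match Dgraph.Authorization
QUERY = "{ queryDevice { id name } }"               # deliberately unfiltered: the rule must do the filtering


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(secret: str, device_id: str, ttl: int = 300) -> str:
    """Mint an HS256 JWT whose namespaced ID claim is what the @auth rule binds to $ID."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {CLAIMS_NAMESPACE: {"ID": device_id}, "exp": int(time.time()) + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256_jwt(secret: str, token: str) -> Optional[dict]:
    """Verify the signature and return the payload, or None if the token is invalid."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), parts[2]):
        return None
    return json.loads(_b64url_decode(parts[1]))


def query_devices(endpoint: str, token: str) -> dict:
    """POST the unfiltered query with the JWT attached (network call; endpoint is assumed)."""
    body = json.dumps({"query": QUERY}).encode()
    req = urllib.request.Request(
        endpoint, data=body,
        headers={"Content-Type": "application/json", AUTH_HEADER: token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def leaked_ids(response: dict, own_id: str) -> List[str]:
    """Ids in the response that do not equal the caller's claim. Empty list means the rule held."""
    devices = (response.get("data") or {}).get("queryDevice") or []
    return [d.get("id") for d in devices if d.get("id") != own_id]


def rule_enforced(response: dict, own_id: str) -> bool:
    """True only if every returned device belongs to the caller (a bogus claim must yield nothing)."""
    return not leaked_ids(response, own_id)


# Constructed sample responses standing in for the server: one where the rule filtered
# correctly, one showing the behaviour the issue describes (other devices come back too).
ENFORCED_RESPONSE = {"data": {"queryDevice": [{"id": "0x1", "name": "alice-phone"}]}}
LEAKY_RESPONSE = {"data": {"queryDevice": [
    {"id": "0x1", "name": "alice-phone"},
    {"id": "0x2", "name": "bob-laptop"},
]}}

if __name__ == "__main__":
    token = mint_hs256_jwt("<secret>", "0x1")
    print("claim ID:", verify_hs256_jwt("<secret>", token)[CLAIMS_NAMESPACE]["ID"])
    for label, resp in (("enforced", ENFORCED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, "-> leaked:", leaked_ids(resp, "0x1"))
    # Against a live endpoint (assumed URL): replace the sample with
    # leaked_ids(query_devices("https://<your-backend>/graphql", token), "0x1")
```

Run it twice against a real backend: once with a token whose `ID` claim is a genuine device id, and once with a nonsense id. A correctly enforced rule returns exactly one device in the first case and none in the second; any non-empty `leaked_ids` result in either case is the bug the issue describes.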

This issue has been stale for 60 days and will be closed automatically in 7 days. Comment to keep it open.

@github-actions github-actions bot added the Stale label Jul 17, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 25, 2024
@harshil-goel harshil-goel reopened this Jul 25, 2024
@github-actions github-actions bot removed the Stale label Jul 25, 2024
Development

No branches or pull requests

4 participants