Query Authorization per field or property not working #22
Comments
As of 3.1.0 class query auth also fails. Websocket message shows "Cannot find suitable method" |
Hi. Best regards |
Hi Morris, this is how I have the code right now. This works:
This doesn't, the field shows regardless if the user doesn't meet the requirement:
|
Thank you for the example code. |
I tried all the way up to 3.1.5 and the issue wasn't resolved. Above 3.1.5 I got the handshake websocket error I mentioned in the other issue. |
I will try upgrading the clients later during the day and I will report my findings to you. Thanks |
Ah okay I understand. |
Hello Morris, I checked this with client at 3.1.4-alpha and server at 3.1.7-alpha. The issue persists, field and property auth doesn't work, however class auth Queries do work with both function and policy. |
Ok thank you for further investigating the issue. I'll fix it soon. |
Hello Morris, is there an update on this bug? |
Hi @adriani10. Sorry for letting you wait for so long. I tried reproducing the issue with the following example:

public class Base
{
    [Key]
    public int Id { get; set; }
    public virtual string TestValue { get; set; } = "test";
}

public class QueryFields : Base
{
    ...
    [QueryAuth("requireAdmin")]
    public override string TestValue { get; set; } = "Test Value";
}

And this works. When not logged in as admin the result looks like this:

Maybe you could take a look and let me know if I forgot something. |
Thanks to the screenshot you sent me I was able to find the problem. |
Hi. The new version is 3.1.8-alpha and you need to update both client and server to this version. I hope this fixes your issue, let me know if it's working. Best regards Morris |
Hi. That's something I'm aware of. If you're using the Include-Operator the referenced classes' authorize attributes will not get called. That's also described in the documentation of the Include-Operator. That's because at the moment of implementing the include feature it was too complicated to handle the auth recursively, but it's already planned to come soon. Meanwhile I would highly encourage you to not use the Include-Operator for performance reasons, because the server is not able to handle changes effectively and has to reload every related entity on change of any of the used tables' entities. Best regards Morris |
Hi Morris, ok I understand. I will try not to use includes. I found one more bug, that I was able to fix myself. It's in your "GetCustomHeader" in WebSocketHelper. Since not all clients return the header with a space (for instance Android phones using React Native) the query auth would decline access to valid tokens. This is how I fixed it:
|
Query authorization only works for class authorization, not for field. Tested in 3.0.0