New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
@authentication
filter operation
#3788
Comments
Many thanks for raising this bug report @jroith. 🐛 We will now attempt to reproduce the bug based on the steps you have provided. Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:
If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket. Thanks again! 🙏 |
Many thanks for raising this bug report @jroith. 🐛 We will now attempt to reproduce the bug based on the steps you have provided. Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:
If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket. Thanks again! 🙏 |
Hey @jroith, we just discussed this one. The conclusion is we all pretty much agree that this should be an option when using the |
@darrellwarde I see. I think this makes sense for filtering (as long as the "where" can then be disabled completely to ensure nobody can use it to peak at hidden data). For "validate" rules I'm having some doubts. To me it seems like those should produce an error in any case. But, sure, supporting this for the FILTER operation you're thinking about would also help, as long as both validate and filters are enforced correctly. |
@authorization
filter operation
@authorization
filter operation@authentication
filter operation
This only makes sense in the sense of the |
I created a bug a few months ago for the @auth directive and hoped the issue would be resolved with the new directive, but this is not the case. Basically, authorization can be bypassed to read any protected type or field by checking fields using filters on related types.
Here is an example:
So a direct query like
{ foos { name }}
would fail as expected.But it is possible to run:
{ bars(where: { foo: { name_STARTS_WITH: "a" }}) { test }}
This query should be rejected - it should not be possible to read name indirectly this way. I would expect an error to be thrown whenever "foo" appears in this filter and it does not meet the requirements. If this is not technically possible then the query should still be unconditionally rejected if "foo" occurs in the filter at all, rather than leaking protected data.
The query would also fails with a "filter" authorization on Foo. It does not work both for related objects and related lists.
The text was updated successfully, but these errors were encountered: