Was just skimming through some of the code when I fixed the `__typename` issue and it looks like authorization rules on objects are ignored when the query resolved them through a union or interface. This seems like a pretty important case to cover. This would make any nodes in a relay style graph accessible without auth checks through the `node` or `nodes` queries.
Just checked it and there are test cases for union and interface types, but you're right. Right now test cases only handle fields of union and interface types but there is an issue with rules attached to members of union or interface types themselves.
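
The gap discussed in this thread, as an added example that is not the project's code: a simplified model in which a type-level rule is looked up by a field's declared type (so it is skipped for an interface) next to a check that resolves the concrete runtime type first. The names `schema`, `typeRules`, `checkDeclaredType`, `checkRuntimeType`, `queryNode` and `queryNodes`, and the sample data, are hypothetical.

```javascript
// Constructed toy schema: Query.node / Query.nodes return the Node interface.
const schema = {
  fields: { node: 'Node', nodes: 'Node' },
  abstractTypes: { Node: ['User', 'Post'] }, // interface -> implementing object types
};

// Hypothetical type-level rules: only User carries one.
const typeRules = { User: (ctx) => ctx.role === 'admin' };

// Constructed sample data.
const db = {
  u1: { __typename: 'User', id: 'u1', email: 'alice@example.test' },
  p1: { __typename: 'Post', id: 'p1', title: 'hello' },
};

// Flawed: looks up the rule by the field's declared type. 'Node' has no rule,
// so the User rule never runs when a User is reached through the interface.
function checkDeclaredType(declaredType, value, ctx) {
  const rule = typeRules[declaredType];
  return rule ? rule(ctx) : true;
}

// Hardened: resolve an abstract declared type to the concrete runtime type
// first, then apply that type's rule. Unknown members fail closed.
function checkRuntimeType(declaredType, value, ctx) {
  const members = schema.abstractTypes[declaredType];
  const concrete = members ? value.__typename : declaredType;
  if (members && !members.includes(concrete)) return false;
  const rule = typeRules[concrete];
  return rule ? rule(ctx) : true;
}

// Minimal executor for the two Relay-style entry points.
function queryNode(id, ctx, check) {
  const value = db[id];
  if (!value) return { data: null };
  return check(schema.fields.node, value, ctx)
    ? { data: value }
    : { data: null, error: 'Unauthorized' };
}

function queryNodes(ids, ctx, check) {
  return ids.map((id) => queryNode(id, ctx, check));
}
```

A regression test for this case should request a rule-protected type through the interface or union field, as here, rather than only through a field that names the object type directly.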