[BUG]: @auth rule not enforced properly for queries of type ...(filter: {id: ...}) {...} #8815
Labels: community (Issue or PR created by the community.), kind/bug (Something is broken.), status/accepted (We accept to investigate/work on it.)
What version of Dgraph are you using?
I am using the free cloud tier, so this is the most I can do:
This is somewhere between 21.03.0 and 21.03.1
Tell us a little more about your go-environment?
...the cloud version...
Have you tried reproducing the issue with the latest release?
None
What is the hardware spec (RAM, CPU, OS)?
...again, the cloud version...
What steps will reproduce the bug?
For reference, this is a Stack Overflow question I created that has pretty much all the info you would need in it: post. You add an @auth rule to the schema that looks like this:

@auth(query: {rule: "query ($ID: [ID!]) {queryDevice(filter: {id: $ID}) {__typename} }"})
Expected behavior and actual result.
This uses the JWT claim ID and only lets the client access the entry corresponding to their own device. In theory. What actually happens is that the rule is not enforced. (I sure hope no one uses this feature in prod w/o testing.) You are able to access the object as long as the precondition check (having the claim ID present in the JWT) is true. If you have one device's id -- or even gibberish for that matter -- inside this field, still, when querying using something like queryDevices {name}, more than one result is returned.
Additional information
As Raphael noted on StackOverflow, using queries that don't depend on the id of an object work just fine.
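To make the report concrete, here is a constructed schema fragment (added for this page; it is neither the reporter's schema nor taken from Dgraph's own code) that places the rule as reported beside a rule that filters on a plain string field rather than on id, which the reporter notes works as expected. The field name ownerSub, the claim name SUB, the second type name and the Dgraph.Authorization header values are assumptions.

```graphql
# Constructed example, not the reporter's schema. Key/namespace values are placeholders.
# Dgraph.Authorization {"VerificationKey":"<placeholder>","Header":"X-Auth-Token","Namespace":"https://dgraph.io/jwt/claims","Algo":"HS256"}

# Rule as reported in the issue: restrict queryDevice to the object whose id
# matches the JWT claim ID. The report is that this does NOT restrict results:
# any JWT carrying an ID claim, even a bogus value, still returns every Device.
type Device @auth(
  query: { rule: """
    query ($ID: [ID!]) {
      queryDevice(filter: { id: $ID }) { __typename }
    }
  """ }
) {
  id: ID!
  name: String
}

# Alternative (assumption, following the note that rules not depending on id
# work): key the rule on a searchable string field set at creation time from
# the same client identity, and filter on it with eq instead of on id.
type DeviceByOwner @auth(
  query: { rule: """
    query ($SUB: String!) {
      queryDeviceByOwner(filter: { ownerSub: { eq: $SUB } }) { __typename }
    }
  """ }
) {
  id: ID!
  ownerSub: String! @search(by: [hash])
  name: String
}

# Check after deploying either rule: with a JWT holding one client's claim value,
# the query should return only that client's device(s); a JWT with a made-up
# claim value should return an empty list, not the whole table.
```

Run the same two-token check against the id-based rule to confirm the reported behaviour on your own deployment before relying on either form.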