Accidental delete of all rows in react-admin (using ra-data-hasura data connector)

[mduecker]

I just tried out react-admin with Hasura and used the ra-data-hasura data connector for that.

When selecting a single entry in my "Jobs" resource and then clicking "Delete" it will ultimately remove all rows in my jobs table.

How to reproduce?

This is the request generated by ra-data-hasura:
POST https://<HASURA_APP>.herokuapp.com/v1/query

Body:
{ "args": { "$set": {}, "returning": [ "id" ], "table": { "name": "jobs", "schema": "public" }, "where": { "id": {} } }, "type": "delete" }

Please notice the missing id argument in the where condition.

Expected Behavior

There's something wrong (maybe on my side) that no id is passed to the where condition of the delete query, but in any case this shouldn't lead to Hasura deleting all rows. Instead it should return an error that the id argument is missing and not do anything.

Maybe also having a setting to disallow bulk deletes/updates of all rows without any where conditions would be a good idea. As a reference please check this section about blocking Full-Table operations for the PostgREST project:
http://postgrest.org/en/v5.0/admin.html

[mduecker]

I just cloned the ra-data-hasura code from the master branch and linked it as a local package.
Now the id is passed correctly within the query. So must be a diff between this code and the npm package (version 0.0.6), which causes the bug.

Edit: Found it! The source code (content of /src) is identical for both, but for some weird reason there's a difference in the transpiled code.

In the source code (src/index.js) you have the following lines:

case 'DELETE_MANY':
        // delete multiple
        finalQuery = cloneQuery(deleteQuery);
        finalQuery.args.table = {'name': tableName, 'schema': schema};
        finalQuery.args.where = {};
        finalQuery.args.where[primaryKey] = { '$in': params.ids };
        finalQuery.args.returning = [primaryKey];
        break;

But the transpiled code for the npm package (lib/ra-data-hasura.js) has:

case 'DELETE_MANY':
        // delete multiple
        finalQuery = cloneQuery(_queries.deleteQuery);
        finalQuery.args.table = {
          'name': tableName,
          'schema': schema
        };
        finalQuery.args.where = {};
        finalQuery.args.where[primaryKey] = {
          '$in': params.id
        };
        finalQuery.args.returning = [primaryKey];
        break;

It should be '$in': params.ids

There must have been a mix-up in the build process before publishing the package.

[leoalves]

Regarding your first comment

where: {}

Will evaluate to where = true

#704

[mduecker]

Regarding your first comment

where: {}

Will evaluate to where = true

#704

Yes exactly, this results in a full-table delete without any conditions.
As described above, the problem lies with params.id, which should be params.ids
Therefore

where:
{
'$in': params.id 
}

results in

where
{
$in: undefined  // which gets ignored
}

[praveenweb]

@mduecker - Ah, i see. Not sure why transpiled code should be any different. But i will make a new release with a fix for #2100 in this PR #2727 and should fix this discrepancy with the new bundle.

[shahidhk]

Fixed in 0a64ef9