insert and insert_one mutations triggering update permissions #5429

Closed
amille14 opened this issue Jul 20, 2020 · 4 comments
Labels
support/needs-action support ticket that requires action by team

Comments

@amille14

I recently updated to v1.3.0 and am running into an issue where insert_x_one and insert_x mutations seem to be triggering the permissions on update for the current role instead of the permissions on insert. This is problematic as I have different permissions for updating vs inserting (update looks for a header containing the id of the model that is being updated, which obviously doesn't exist when inserting).

@tirumaraiselvan
Contributor

@amille14 I am not able to reproduce this. Can you give a sample table, permissions and the mutation that you are trying to perform?

Is this an insert with on_conflict clause? Then you might be hitting this issue: #3659

@amille14
Author

amille14 commented Jul 21, 2020

@tirumaraiselvan Here's some example metadata for the table in question:

- table:
    schema: public
    name: community
  object_relationships:
  - name: owner
    using:
      foreign_key_constraint_on: owner_id
  array_relationships:
  - name: memberships
    using:
      foreign_key_constraint_on:
        column: community_id
        table:
          schema: public
          name: community_membership
  - name: roles
    using:
      manual_configuration:
        remote_table:
          schema: public
          name: community_role
        column_mapping:
          id: community_id
  insert_permissions:
  - role: action
    permission:
      check: {}
      set:
        owner_id: x-hasura-User-Id
      columns:
      - is_public
      - name
      - owner_id
      - slug
      backend_only: false
  select_permissions:
  - role: action
    permission:
      columns:
      - id
      - is_public
      - name
      - owner_id
      - slug
      - created_at
      - updated_at
      filter: {}
      allow_aggregations: true
  update_permissions:
  - role: action
    permission:
      columns:
      - is_public
      - name
      - owner_id
      filter:
        _or:
        - owner_id:
            _eq: X-Hasura-User-Id
        - _exists:
            _where:
              _and:
              - user_id:
                  _eq: X-Hasura-User-Id
              - community_id:
                  _eq: X-Hasura-Community-Id  # THIS IS WHAT'S CAUSING THE ERROR
              - role:
                  permissions:
                    _contains:
                      can_manage_community: true
            _table:
              schema: public
              name: community_membership
      check: null
  delete_permissions:
  - role: action
    permission:
      filter:
        owner_id:
          _eq: X-Hasura-User-Id

I'm making the following mutation from an action handler (which uses the "action" role seen in the metadata, and forwards headers from the client):

mutation CreateCommunity($data: community_insert_input!) {
  insert_community_one(object: $data) {
    id
  }
}

Notice I am NOT using on_conflict, so it shouldn't be trying to do an upsert.

When I try to execute this mutation, I get the following error:
GraphQL error: "x-hasura-community-id" header is expected but not found

@amille14
Author

@tirumaraiselvan I just tried setting the x-hasura-community-id header to an arbitrary value (empty string) and the mutation appears to work so long as that header is set. Maybe it's not actually running the update permission check, just ensuring that the headers are present (even if those headers aren't actually used for inserting).

This is consistent with this comment from #3659, but again, I'm not using on_conflict at all so I would not expect this behavior.

@tirumaraiselvan tirumaraiselvan added the support/needs-action support ticket that requires action by team label Jul 28, 2020
@tirumaraiselvan
Contributor

@amille14 My bad. If you see this comment: #3659 (comment), it actually seems to imply that update permission session variables are validated even if on_conflict is not used.

I am going to close this issue as dupe of #3659. Let's continue there.
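
An added example, not part of the original thread and not Hasura's own code: a small metadata audit that reports, per role, the session variables referenced by update permissions but not by insert permissions, which are the headers an insert would have to carry under the behaviour described in this thread. The `TABLE` dict is a trimmed, constructed copy of the metadata posted above, and the function names are hypothetical.

```python
import re

# Session variables appear in permission rules as string values named x-hasura-*.
SESSION_VAR = re.compile(r"^x-hasura-[a-z0-9-]+$", re.IGNORECASE)

# Constructed sample: trimmed copy of the `community` table metadata from the issue.
TABLE = {
    "table": {"schema": "public", "name": "community"},
    "insert_permissions": [{
        "role": "action",
        "permission": {"check": {}, "set": {"owner_id": "x-hasura-User-Id"}},
    }],
    "update_permissions": [{
        "role": "action",
        "permission": {"filter": {"_or": [
            {"owner_id": {"_eq": "X-Hasura-User-Id"}},
            {"_exists": {
                "_table": {"schema": "public", "name": "community_membership"},
                "_where": {"_and": [
                    {"user_id": {"_eq": "X-Hasura-User-Id"}},
                    {"community_id": {"_eq": "X-Hasura-Community-Id"}},
                ]},
            }},
        ]}, "check": None},
    }],
}

def session_vars(node):
    """Recursively collect lower-cased x-hasura-* string values from a rule."""
    if isinstance(node, str):
        return {node.lower()} if SESSION_VAR.match(node) else set()
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*map(session_vars, node))
    return set()  # None, bool, numbers

def update_only_vars(table):
    """Map role -> session variables used by update but not insert permissions."""
    def by_role(key):
        return {p["role"]: session_vars(p["permission"]) for p in table.get(key, [])}
    ins, upd = by_role("insert_permissions"), by_role("update_permissions")
    gaps = {role: sorted(v - ins.get(role, set())) for role, v in upd.items()}
    return {role: missing for role, missing in gaps.items() if missing}

if __name__ == "__main__":
    print(update_only_vars(TABLE))
```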
