-
|
Here's my security context: {
READ_PROFILE_PRIVATE: [
{
userId: "628d7c328d18b842c3d3a55b",
},
],
UPDATE_PROFILE: [
{
userId: "628d7c328d18b842c3d3a55b",
},
],
CREATE_PROJECT: true,
UPDATE_PROJECT: [
],
}And here's my security settings for my security: {
applySecurity: securityContext != null,
context: {
permissions: securityContext ?? {},
},
policies: {
user: {
domain: {
userId: "id",
projectId: null,
},
permissions: {
UPDATE_PROFILE: PERMISSION.UPDATE_ONLY,
DELETE_PROFILE: PERMISSION.DELETE_ONLY,
READ_PROFILE_PRIVATE: PERMISSION.READ_ONLY,
},
defaultPermissions: {
...PERMISSION.READ_ONLY,
read: {
email: false,
loginIdentities: false,
}
},
},
},
defaultPermission: PERMISSION.DENY,
operationDomain: (metadata) => metadata.securityDomain,
},I'm trying to run this query in GraphQL query($filter: UserFilterInput) {
users(filter: $filter) {
email
}
}
{
"filter": {
"id": { "eq": "628d7c328d18b842c3d3a55b" }
}
}However I'm getting the following error: {
"errors": [
{
"message": "[Security Policy Middleware] Unauthorized access to restricted fields.",
"locations": [
{
"line": 2,
"column": 3
}
],
"path": [
"users"
],
"extensions": {
"code": "INTERNAL_SERVER_ERROR",
"exception": {
"allowedProjection": {
"email": false,
"loginIdentities": false
},
"requestedProjection": {
"email": true
},
"unauthorizedProjection": {
"email": true
},
"permissions": [
[
"UPDATE_PROFILE",
[
{
"id": "628d7c328d18b842c3d3a55b"
}
]
],
[
"READ_PROFILE_PRIVATE",
[
{
"id": "628d7c328d18b842c3d3a55b"
}
]
]
],
"operationDomains": {},
}
}
}
],
"data": null
}My security context has READ_PROFILE_PRIVATE, but I can't access the email field. Could this be related to issue #207 ? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 14 replies
-
|
Hello, this is because you should specify the security domain of the operation inside the metadata of FindParams. For example see the following test, in particular the line 191: typetta/tests/security/security.test.ts Lines 188 to 193 in 4ea9331 In order to do this you should specify the correct generic in the EntityManager, see line 17: typetta/tests/security/security.test.ts Line 17 in 4ea9331 This is a workaround that we adopted in early development, in fact, we could extract the security domain from the filter, like in your example the security domain could be derived from the We are working in order to derive the SecurityDomain of the specific operation from the filter but it's not ready yet. Let me know if you have any other doubt. |
Beta Was this translation helpful? Give feedback.
-
|
Right now I can't get a regular const testusers = await securedEntityManager.user.findAll({ metadata: { securityDomain: { userId: ["628d7c328d18b842c3d3a55b"] }} });and it's throwing an Here's the error in further detail {
allowedProjection: {
avatarLink: true,
bannerLink: true,
createdAt: true,
id: true,
name: true,
projectMembers: true,
roles: true,
socials: true,
email: true,
loginIdentities: true,
},
requestedProjection: true,
unauthorizedProjection: true,
permissions: [
[
"UPDATE_PROFILE",
[
{
id: "628d7c328d18b842c3d3a55b",
},
],
],
[
"READ_PROFILE_PRIVATE",
[
{
id: "628d7c328d18b842c3d3a55b",
},
],
],
],
operationDomains: {
id: [
"628d7c328d18b842c3d3a55b",
],
},
}Is there something wrong with my security policy? EDIT: |
Beta Was this translation helpful? Give feedback.
-
|
After following your suggestion and making middleware for injecting the metadata, the filter at some point becomes malformed and contains an undefined value. Here's a param object from the Typetta internals, showing the undefined object. {
operation: "find",
params: {
filter: {
$and: [
undefined,
{
$or: [
{
id: {
in: [
"628d7c328d18b842c3d3a55b",
],
},
},
],
},
],
},
sorts: undefined,
relations: {
},
projection: {
email: true,
},
operationId: "a8726fe3-019a-43d5-944b-d8f0fcad94de",
metadata: {
securityDomain: {
userId: [
"628d7c328d18b842c3d3a55b",
],
},
},
},
continue: true,
}Here's my middleware (Note that middlewares: [
{
before: async (args, context) => {
console.log(`Injecting metadata before operation ${args.operation}.`)
if (metadata && args.operation == 'find') {
return {
...args,
params: {
...args.params,
metadata: {
...args.params.metadata,
...metadata
}
},
continue: true,
};
}
},
}
], |
Beta Was this translation helpful? Give feedback.
-
|
That seems a bug, can you try out 1.6.4-1? https://www.npmjs.com/package/@twinlogix/typetta/v/1.6.4-1 |
Beta Was this translation helpful? Give feedback.
-
|
With 1.6.4-2 you should be fine without the dummy metadata middleware |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, the workaround works now! 🎉 |
Beta Was this translation helpful? Give feedback.
Hello, this is because you should specify the security domain of the operation inside the metadata of FindParams. For example see the following test, in particular the line 191:
typetta/tests/security/security.test.ts
Lines 188 to 193 in 4ea9331
In order to do this you should specify the correct generic in the EntityManager, see line 17:
typetta/tests/security/security.test.ts
Line 17 in 4ea9331