Unsupported filter pattern for graph traversal error thrown when using permissions profile.

[KK7NZY]

Hello,

I'm getting Unsupported filter pattern for graph traversal ($Product_66.ctx.businessUnit IN literal [ "320859222"]) when I use the following permissions profile.

entityName:
  permissions:
      - access:
          - create
          - read
          - update
        roles:
          - /^editor-bu-(.*)$/
        restrictions:
          - field: ctx.businessUnit
            valueTemplate: $1

The entities have a ctx entity extension with businessUnit field. I'm hoping you can give me some information on why this might be occurring and how I might be able to resolve.

Look forward to hearing back.

[mfusser]

@jdsantiagojr could you please provide the definition of your root entity and the type of the ctx field?

[KK7NZY]

@mfusser Yes. Pasted the root entity and context entity extension below. Really appreciate you taking look.

type Product
  @rootEntity(
    flexSearch: true
    flexSearchLanguage: EN
    permissionProfile: "product"
  ) {
  name: String!
  createdBy: User! @relation
  securityOwner: User @relation
  image: String
  icon: String
  description: String
  url: String
  tags: [Tag!] @relation
  productIdentifiers: ProductIdentifiers
  operatingSystems: [OperatingSystemInstance] @relation
  architectures: [String]
  programmingLanguages: [String]
  compilers: [String]
  vendor: Vendor @relation
  productFamily: ProductFamily @relation
  environmentalControls: EnvironmentalControls
  parent: Product @relation
  children: [Product!] @relation
  group: Group! @relation
  businessUnits: [Group!] @relation
  assets: [AssetVersion!] @relation
  allInnerChildren: [Product] @collect(path: "children{1,7}")
  relativeRiskScore: Float
  absoluteRiskScore: Float
  ctx: EntityCtx @flexSearch(includeInSearch: false) @accessField
}


type EntityCtx @entityExtension {
  businessUnit: ID @flexSearch(includeInSearch: false) @accessField
  product: ID @flexSearch(includeInSearch: false) @accessField
}

[mfusser]

@jdsantiagojr
At first glance this looks like it might be a problem with the "children and parent" structure combined with accessFields.
Could you please (just to investigate if this might cause the problem) try to temporarily remove the relations "children" and "parent" and see if that changes anything?

On an unrelated note, you don't have to provide "includeInSearch: false" as that is the default. Although of course you can if you want to define that explicitly.

[KK7NZY]

@mfusser The allInnerChildren: [Product] @collect(path: "children{1,7}") looks like is the cause of the error. Removing it from query or modifying the max depth to children{0, 1} succeeds. Error is bubbling from line 1440 in the aql-generator.ts.

I did tinker with the code and removed the condition on line 1490. I left only the else portion (filterFrag = aql\nFILTER ${processNode(segment.vertexFilter, filterContext)};) and everything works as expected. I know this is not proper fix, but not sure what the root cause is.

[mfusser]

Sorry I didn't have the time to look at it yet. I'll try to have a look today.

[Yogu]

the error can be thrown at these two places:

cruddl/src/database/arangodb/aql-generator.ts

Line 1364 in 3567747

throw new Error(`Unsupported filter pattern for graph traversal`);

cruddl/src/database/arangodb/aql-generator.ts

Line 1374 in 3567747

throw new Error(`Unsupported filter pattern for graph traversal`);

both cases assert that the condition is of the form "vertex.field value". In your case , it's not just a simple field but a nested one (ctx.businessUnit). I guess I did not consider @collect when adding support for nested restriction fields.

Could you try if it works if you move the businessUnit up to the root entity in the permission restriction? Then we know it's that.

I think it should be possible to fix this locally in the getRelationTraversalFragment function.