-
-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GraphQL Plugin (bug): Content type's attributes marked as private are being exposed in the exported GraphQL schema #9805
Conversation
…t the private property within an attribute
Codecov Report
@@ Coverage Diff @@
## master #9805 +/- ##
=======================================
Coverage 57.86% 57.86%
=======================================
Files 183 183
Lines 6348 6348
Branches 1392 1392
=======================================
Hits 3673 3673
Misses 2215 2215
Partials 460 460
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report at Codecov.
|
@alexandrebodin can you have a look at this one as this bug is blocking us as it exposes private data in graphql schema. |
@alexandrebodin not sure why those tests are failing, not related to what I changed. Maybe you can help me understand why is it failing? |
@Convly is there any chance we can review this one this week? thanks |
@ralphsomeday We won't be able to review this until at least next week |
@alexandrebodin ok noted. Will then wait for next week. Cheers. |
@alexandrebodin is there any chance this can be reviewed this week? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will need to refactor in v4 to avoid doing all the filtering everywhere that's too error prone
…ivateAttribute function instead of isNotPrivate
…d that the model does indeed contain all private fields in an array at startup time
…use the already available isPrivateAttribute function
@alexandrebodin updated the code with your input. Let me know if all is fine and if we can look into the reason why the tests are failing. thanks. |
@ralphsomeday the code looks good. Indeed the tests are breaking in graphql because it now prevents users from creating entries with private attributes but the API should actually allow creating/editing private fields for now if the mutation is allowed. We should not remove private fields from the inputs |
@alexandrebodin the privately marked inputs should not be part of the graphql export. It should have the same behaviour as in the REST API. Those private fields are not available via the REST API and should not be via graphql. Isn't this the idea of the private fields? |
In the API If you have the right to Create/Update an entry you should be able to fill the private fields. Private is only for Read queries. In Rest too. |
Ok and where do you recon to do a check on this in the code? |
The only thing we can do is remove them from the Type but not from the input Type |
Looks good. Last thing would be to add some documentation in our documentation repository :) @pwizla & @derrickmehaffy can help you with that :) |
Hi @pwizla & @derrickmehaffy can you guys point me out to where would be the best place in the documentation to add this? thanks |
I think youc an add this arround here https://github.com/strapi/documentation/blob/main/docs/developer-docs/latest/development/plugins/graphql.md#disable-a-query-or-a-type |
@alexandrebodin done PR#269 |
@alexandrebodin can you let me know if this PR can now be merged. thanks |
The PR looks good We will wait for the doc PR to be approved first :) |
I've just approved the docs PR, thank you @ralphsomeday ! 👍 |
@alexandrebodin do you think this one can be added to v3.6.2? and when do you plan to release v3.6.2? |
What does it do?
It fixes a bug in the strapi graphql plugin in the functions generating input and types for graphql. The detection of an attribute as private was only applied to the privateAttributes array in the model.json file instead of also looking at the private property on an attribute within a model. There was also a bug in how the private attributes were filtered the attribute name was not being passed in the function so added the right filtering rule to only process fields that are not private and export them to the graphql schema file.
Why is it needed?
This fix will remove all private attributes from the graphql schema as this data is not meant to be exposed to the outside world if marked as private by the user.
How to test it?
In the content type builder, create an enum attribute and a string attribute as part of a content type and mark both as private and hit the save button. Open the graphql playground and click on the schema button on the right side of the screen and see if your enum and string value are not present in the exported schema.
Related issue(s)/PR(s)
Fixes issue #9804