API Platform GraphQL security

So I’m using API Platform in my Symfony 4 project, and I’ve read that it supports GraphQL, so I set up an access control in security.yml to allow users to access the GraphQL API:

- { path: ^/api/graphql, roles: IS_AUTHENTICATED_ANONYMOUSLY }

And in each entity I have access controls for itemOperations and collectionOperations. Example:

use ApiPlatform\Core\Annotation\ApiResource;

/**
 * @ApiResource(
 *     itemOperations={
 *         "get"={
 *             "access_control"="is_granted('ROLE_ADMIN')"
 *         }
 *     },
 *     collectionOperations={
 *         "get"={
 *             "access_control"="is_granted('ROLE_ADMIN')"
 *         }
 *     }
 * )
 */
class MyEntity
{
}

But the issue is, any user can access this entity through GraphQL, because GraphQL ignores the access controls for these operations.
Is there a way to force GraphQL to follow these rules?

Source: Symfony Questions
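The behaviour described in the question is by design in API Platform 2.x: the `itemOperations` and `collectionOperations` rules only cover the REST routes, and the security.yml entry only decides who may reach `/api/graphql` at all. GraphQL operations are configured separately in the `graphql` attribute and need their own `access_control` expressions. The following is an added example, not code from the original post or from the API Platform project; it assumes API Platform 2.4-era annotation syntax (`access_control`, later renamed `security`) and a hypothetical entity class `Book`.

```php
<?php
// Added example, not from the original post. Assumes API Platform 2.4-style
// annotations; the entity name `Book` is hypothetical.
namespace App\Entity;

use ApiPlatform\Core\Annotation\ApiResource;

/**
 * REST and GraphQL are secured independently. The itemOperations and
 * collectionOperations rules below protect only the REST endpoints; the
 * "graphql" attribute carries its own per-operation access_control, so a
 * resource left without it is readable through /api/graphql by anyone who
 * may reach that endpoint (here: any anonymous user, per security.yml).
 *
 * @ApiResource(
 *     itemOperations={
 *         "get"={"access_control"="is_granted('ROLE_ADMIN')"}
 *     },
 *     collectionOperations={
 *         "get"={"access_control"="is_granted('ROLE_ADMIN')"}
 *     },
 *     graphql={
 *         "query"={"access_control"="is_granted('ROLE_ADMIN')"},
 *         "create"={"access_control"="is_granted('ROLE_ADMIN')"},
 *         "update"={"access_control"="is_granted('ROLE_ADMIN')"},
 *         "delete"={"access_control"="is_granted('ROLE_ADMIN')"}
 *     }
 * )
 */
class Book
{
    // entity fields omitted
}
```

A quick check after deploying this is to run an unauthenticated `{ books { edges { node { id } } } }` query against `/api/graphql` and confirm it is refused; mutations (`create`, `update`, `delete`) are enabled by default when the `graphql` attribute is omitted, so every resource exposed to GraphQL should declare the rule it actually needs.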
