API Platform GraphQL Security in Relationships

My problem is the security of the entities when they are consumed through GraphQL. The queries themselves work and return the necessary data, but when a query traverses a many-to-one relationship whose target is restricted to the role "ROLE_ADMIN", the query still returns that related data even when the user only has "IS_AUTHENTICATED_ANONYMOUSLY".

How can I add a security layer so that data from protected relationships cannot be obtained through a nested query?

Additional Information

GraphQL Query User Admin

query {
    userAdmin(id: "api/user_admins/1") {
        id
        name
    }
}

GraphQL Query User Admin Result OK

{
  "errors": [
    {
      "message": "Sorry, but you don't have access",
      "extensions": {
        "category": "graphql"
      }
    }
  ]
}

GraphQL Query Product

query {
    products {
        edges {
            node {
                name
                price
                user {
                    name
                }
            }
        }
    }
}

GraphQL Query Product Result FAILED

{
  "data": {
    "products": {
      "edges": [
        {
          "node": {
            "name": "GERLACH-HAAG",
            "price": "175",
            "user": {
              "name": "Sidney Deane" /** this information should not be seen **/
            }
          }
        }
      ]
    }
  }
}

Entity Product Configuration

<?php

/**
 * @ApiResource(
 *     graphql={
 *          "item_query",
 *          "collection_query",
 *          "delete"={ "security" = "is_granted('ROLE_ADMIN')" },
 *          "create"={ "security" = "is_granted('ROLE_ADMIN')" },
 *          "update"={ "security" = "is_granted('ROLE_ADMIN')" }
 *     }
 * )
 * @ORMTable(name="TBL_PRODUCTS")
 * @ORMEntity(repositoryClass=ProductRepository::class)
 * @ORMHasLifecycleCallbacks()
 */
class Product
{
    /**
     * @ORMId()
     * @ORMGeneratedValue()
     * @ORMColumn(type="bigint", name="ID")
     */
    private $id;

    /**
     * @ORMColumn(type="string", length=180, name="NAME")
     */
    private $name;

    /**
     * @ORMManyToOne(targetEntity="AppEntityUserAdmin")
     * @ORMJoinColumn(name="USER", referencedColumnName="ID")
     */
    private $user;

Entity User Admin Configuration

<?php

/**
 * @ApiResource(
 *     graphql={
 *          "item_query"={ "security" = "is_granted('ROLE_ADMIN')" },
 *          "collection_query"={ "security" = "is_granted('ROLE_ADMIN')" },
 *          "delete"={ "security" = "is_granted('ROLE_ADMIN')" },
 *          "create"={ "security" = "is_granted('ROLE_ADMIN')" },
 *          "update"={ "security" = "is_granted('ROLE_ADMIN')" }
 *     }
 * )
 * @ORMTable(name="TBL_USERS_ADMIN")
 * @ORMEntity(repositoryClass=UserAdminRepository::class)
 * @ORMHasLifecycleCallbacks()
 */
class UserAdmin implements UserInterface
{
    /**
     * @ORMId()
     * @ORMGeneratedValue()
     * @ORMColumn(type="bigint", name="ID")
     */
    private $id;

    /**
     * @ORMColumn(type="string", length=180, name="USERNAME")
     */
    private $username;

    /**
     * @ORMColumn(type="string", length=180, name="PASSWORD")
     */
    private $password;

    /**
     * @ORMColumn(type="string", length=180, name="NAME")
     */
    private $name;

Please help !!!!

Source: Symfony Questions
