Comments (3)
seantleonard
commented on August 25, 2024
When you are adding a filter to your GraphQL request, you will be subject to the permissions set for the given entity. Your example role, role-A, must be defined on the entity you are querying against.
Note that DAB does not perform role inheritance. The entity definition in the dab-config.json must include a permission which defines the role role-A and the associated permissions. Based on that requirement, I'm classifying this as a feature request for now.
To help us best understand your ask: please add a minimum reproducible example with:
- Applicable dab-config.json (specifically, the configuration for your target entity)
- Database schema (specific table/sample data)
- Applicable GraphQL request (You already noted a
x-ms-api-roleheader value)
from data-api-builder.
lionelschiepers
commented on August 25, 2024
Hi, the actual behavior is not consistent.
if you have entity-a that only define one permission: anonymous read access. Why can you query that entity with role-a even if that role is not defined at the entity level? If you have access to the fields of that entity from role-a, why can't you filter on the fields you have access to?
I'm not opposed to define role-a for all entities in our environment but everything is automated with dab cli and the cli doesn't permits to define multiple permissions by entity. Do you have any advise about how to handle this?
from data-api-builder.
lionelschiepers
commented on August 25, 2024
Here is an example. The attributes entity below only defines the anonymous role.
Why can I query the attributes entity and read the values of all fields when the query is executing under the role-a but I can't filter on the same fields? The engine should have a consistent behavior in term of access permission. If I have access to the fields I should be able to filter on them.
"Attributes": {
"source": {
"object": "xxx",
"type": "table",
"key-fields": [
"id"
]
},
...
"permissions": [
{
"role": "anonymous",
"actions": [
{
"action": "read",
}
]
}
this kind of query works under role-a even if attributes doesn't define any access for role-a. Is it the expected behavior?
query
{
attributes
{
items
{
id
}
}
}
my X-MS-CLIENT-PRINCIPAL looks like this:
{
"userId": "xxx",
"userRoles": [
"anonymous",
"authenticated",
"role-a"
],
"identityProvider": "xxx"
}
and X-MS-API-ROLE = role-a.
from data-api-builder.
Related Issues (20)
- Pagination logic depends only on hasNextPage, but should also consider endCurso for GraphQL requests.
- Remove duplicate erros from `dab validate`
- Evaluate if refactor of CreateMutation.Build() to accept RuntimeConfig object is beneficial HOT 2
- .NET 8 upgrade HOT 1
- Improve readability and extensibility in the test suite HOT 1
- Validate `linking.source.fields` and `linking.source.fields` define valid backing columns of `linking.object` HOT 2
- Validate source/linkingSource and target/linkingTarget fields in a many to many relationship scenario
- Enhance logic for determining the referencing entity when fields backed by a column with default value is present. HOT 4
- Add codespaces config for .NET 6 and .NET 8 for easier code review
- [Bug]: GraphQL filtering by relation property causes `Incorrect database name ''` HOT 2
- [Bug]: GraphQL type doesn't match any entity name or singular type in the runtime config. HOT 2
- Support multiple create mutation for self-referencing relationships.
- DataApiBuilderException: Cannot obtain Schema for entity with underlying database object source: due to: Connection Timeout Expired. HOT 1
- Container image does not deploy to an ACA environment (v0.11.127) HOT 9
- [Bug]: ./azure-container-apps-deploy.sh is broken. HOT 2
- GraphQL Query failure when mappings exist for relationship fields HOT 1
- [Bug]: GraphQL Query failure when mappings exist for relationship fields
- Add docs for Whats new in 0.11 HOT 2
- Expose Header Information in App Console Logs
- [Bug]: nextLink is broken when hosted on Static Web App
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from data-api-builder.