Fixes #1247

packages/strapi-plugin-graphql/services/GraphQL.js

@@ -328,7 +328,7 @@ module.exports = {
 
     return async (obj, options, context) => {
       // Hack to be able to handle permissions for each query.
-      const ctx = Object.assign(context, {
+      const ctx = Object.assign(_.clone(context), {
         request: Object.assign(_.clone(context.request), {
           graphql: null
         })
@@ -362,6 +362,7 @@ module.exports = {
           return values && values.toJSON ? values.toJSON() : values;
         }
 
+
         return resolver.call(null, obj, options, context);
       }
 
@@ -560,7 +561,7 @@ module.exports = {
 
               switch (association.nature) {
                 case 'manyToMany': {
-                  const arrayOfIds = obj[association.alias].map(related => {
+                  const arrayOfIds = (obj[association.alias] || []).map(related => {
                     return related[ref.primaryKey] || related;
                   });
 

packages/strapi-plugin-users-permissions/config/policies/permissions.js

@@ -39,9 +39,11 @@ module.exports = async (ctx, next) => {
   }, []);
 
   if (!permission) {
-    ctx.forbidden();
+    if (ctx.request.graphql === null) {
+      return ctx.request.graphql = strapi.errors.forbidden();
+    }
 
-    return ctx.request.graphql = ctx.body;
+    ctx.forbidden();
   }
 
   // Execute the policies.

packages/strapi/lib/middlewares/boom/index.js

@@ -19,6 +19,7 @@ module.exports = strapi => {
       this.delegator = delegate(strapi.app.context, 'response');
       this.createResponses();
 
+      strapi.errors = Boom;
       strapi.app.use(async (ctx, next) => {
         try {
           // App logic.