Merge pull request #4008 from donmasakayan/graphql_policies_fix-v3

Graphql policies fix
2025-08-10 17:58:07 +00:00 · 2019-09-16 11:29:21 +02:00 · 2019-09-16 11:29:21 +02:00 · f59b4a5c7b
commit f59b4a5c7b
parent 36e4e73ad3 17c4244f14
5 changed files with 58 additions and 26 deletions
--- a/docs/3.0.0-beta.x/guides/graphql.md
+++ b/docs/3.0.0-beta.x/guides/graphql.md
@ -492,7 +492,7 @@ module.exports = {
    Query: {
      post: {
        description: 'Return a single post',
-        policy: ['plugins.users-permissions.isAuthenticated', 'isOwner'], // Apply the 'isAuthenticated' policy of the `Users & Permissions` plugin, then the 'isOwner' policy before executing the resolver.
+        policies: ['plugins.users-permissions.isAuthenticated', 'isOwner'], // Apply the 'isAuthenticated' policy of the `Users & Permissions` plugin, then the 'isOwner' policy before executing the resolver.
      },
      posts: {
        description: 'Return a list of posts', // Add a description to the query.
@ -504,7 +504,7 @@ module.exports = {
      },
      postsByTags: {
        description: 'Return the posts published by the author',
-        resolverOf: 'Post.findByTags', // Will apply the same policy on the custom resolver than the controller's action `findByTags`.
+        resolverOf: 'Post.findByTags', // Will apply the same policy on the custom resolver as the controller's action `findByTags`.
        resolver: (obj, options, ctx) => {
          // ctx is the context of the Koa request.
          await strapi.controllers.posts.findByTags(ctx);
@ -516,7 +516,7 @@ module.exports = {
    Mutation: {
      attachPostToAuthor: {
        description: 'Attach a post to an author',
-        policy: ['plugins.users-permissions.isAuthenticated', 'isOwner'],
+        policies: ['plugins.users-permissions.isAuthenticated', 'isOwner'],
        resolver: 'Post.attachToAuthor'
      }
    }
@ -677,7 +677,7 @@ module.exports = {
    Query: {
      posts: {
        description: 'Return a list of posts',
-        policy: [
+        policies: [
          'plugins.users-permissions.isAuthenticated',
          'isOwner',
          'global.logging',
@ -687,7 +687,10 @@ module.exports = {
    Mutation: {
      createPost: {
        description: 'Create a new post',
-        policy: ['plugins.users-permissions.isAuthenticated', 'global.logging'],
+        policies: [
+          'plugins.users-permissions.isAuthenticated',
+          'global.logging',
+        ],
      },
    },
  },
@ -782,7 +785,7 @@ module.exports = {
    Query: {
      posts: {
        description: 'Return a list of posts by author',
-        resolverOf: 'Post.find', // Will apply the same policy on the custom resolver than the controller's action `find` located in `Post.js`.
+        resolverOf: 'Post.find', // Will apply the same policy on the custom resolver as the controller's action `find` located in `Post.js`.
        resolver: (obj, options, context) => {
          // You can return a raw JSON object or a promise.

--- a/packages/strapi-plugin-graphql/services/Mutation.js
+++ b/packages/strapi-plugin-graphql/services/Mutation.js
@ -19,11 +19,15 @@ module.exports = {
   * @return Promise or Error.
   */

-  composeMutationResolver: function(_schema, plugin, name, action) {
+  composeMutationResolver: function({ _schema, plugin, name, action }) {
    // Extract custom resolver or type description.
    const { resolver: handler = {} } = _schema;

-    const queryName = `${action}${_.capitalize(name)}`;
+    let queryName = `${action}${_.capitalize(name)}`;
+
+    if (_.has(handler, `Mutation.${action}`)) {
+      queryName = action;
+    }

    // Retrieve policies.
    const policies = _.get(handler, `Mutation.${queryName}.policies`, []);
@ -155,7 +159,7 @@ module.exports = {
    }

    if (strapi.plugins['users-permissions']) {
-      policies.push('plugins.users-permissions.permissions');
+      policies.unshift('plugins.users-permissions.permissions');
    }

    // Populate policies.
--- a/packages/strapi-plugin-graphql/services/Query.js
+++ b/packages/strapi-plugin-graphql/services/Query.js
@ -69,7 +69,7 @@ module.exports = {
   * @return Promise or Error.
   */

-  composeQueryResolver: function(_schema, plugin, name, isSingular) {
+  composeQueryResolver: function({ _schema, plugin, name, isSingular }) {
    const params = {
      model: name,
    };
@ -236,7 +236,7 @@ module.exports = {
    }

    if (strapi.plugins['users-permissions']) {
-      policies.push('plugins.users-permissions.permissions');
+      policies.unshift('plugins.users-permissions.permissions');
    }

    // Populate policies.
--- a/packages/strapi-plugin-graphql/services/Resolvers.js
+++ b/packages/strapi-plugin-graphql/services/Resolvers.js
@ -326,11 +326,21 @@ const buildShadowCRUD = (models, plugin) => {
    const queries = {
      singular:
        _.get(resolver, `Query.${singularName}`) !== false
-          ? Query.composeQueryResolver(_schema, plugin, name, true)
+          ? Query.composeQueryResolver({
+              _schema,
+              plugin,
+              name,
+              isSingular: true,
+            })
          : null,
      plural:
        _.get(resolver, `Query.${pluralName}`) !== false
-          ? Query.composeQueryResolver(_schema, plugin, name, false)
+          ? Query.composeQueryResolver({
+              _schema,
+              plugin,
+              name,
+              isSingular: false,
+            })
          : null,
    };

@ -376,15 +386,30 @@ const buildShadowCRUD = (models, plugin) => {
    const mutations = {
      create:
        _.get(resolver, `Mutation.create${capitalizedName}`) !== false
-          ? Mutation.composeMutationResolver(_schema, plugin, name, 'create')
+          ? Mutation.composeMutationResolver({
+              _schema,
+              plugin,
+              name,
+              action: 'create',
+            })
          : null,
      update:
        _.get(resolver, `Mutation.update${capitalizedName}`) !== false
-          ? Mutation.composeMutationResolver(_schema, plugin, name, 'update')
+          ? Mutation.composeMutationResolver({
+              _schema,
+              plugin,
+              name,
+              action: 'update',
+            })
          : null,
      delete:
        _.get(resolver, `Mutation.delete${capitalizedName}`) !== false
-          ? Mutation.composeMutationResolver(_schema, plugin, name, 'delete')
+          ? Mutation.composeMutationResolver({
+              _schema,
+              plugin,
+              name,
+              action: 'delete',
+            })
          : null,
    };

--- a/packages/strapi-plugin-graphql/services/Schema.js
+++ b/packages/strapi-plugin-graphql/services/Schema.js
@ -228,22 +228,22 @@ const schemaBuilder = {
              const [name, action] = acc[type][resolver].split('.');
              const normalizedName = _.toLower(name);

-              acc[type][resolver] = Mutation.composeMutationResolver(
-                strapi.plugins.graphql.config._schema.graphql,
+              acc[type][resolver] = Mutation.composeMutationResolver({
+                _schema: strapi.plugins.graphql.config._schema.graphql,
                plugin,
-                normalizedName,
-                action
-              );
+                name: normalizedName,
+                action,
+              });
              break;
            }
            case 'Query':
            default:
-              acc[type][resolver] = Query.composeQueryResolver(
-                strapi.plugins.graphql.config._schema.graphql,
+              acc[type][resolver] = Query.composeQueryResolver({
+                _schema: strapi.plugins.graphql.config._schema.graphql,
                plugin,
-                resolver,
-                'force' // Avoid singular/pluralize and force query name.
-              );
+                name: resolver,
+                isSingular: 'force', // Avoid singular/pluralize and force query name.
+              });
              break;
          }
        }