Mutation always results in 'insufficient permissions'


#1

Hi guys,

I have had some trouble using permission queries, so I tried to make it as simple as possible:

In my types, I have one simple object, named ‘Test’ with a permission query on ‘Test.create’. This permission query checks if 1 or more Tests exist, that’s all, no authentication needed.

After creating 1 Test object using the gateway root-token, the permission query should return true, but I still cannot create a Test object without authentication.

The permission query returns true in the permission-playground:

query test {
  SomeTestExists
}

Why can’t I create a ‘Test’ object without authentication and an already existing ‘Test’ object in the database?

(I know this isn’t a real life use case, but this isolates the problem I’m having)

These are all the files needed to reproduce this case:

graphcool.yml:

types: ./types.graphql

permissions:

  # TEST
  - operation: Test.read
    authenticated: false
    query: testExists.graphql

  - operation: Test.create
    authenticated: false
    query: testExists.graphql

  - operation: Test.update
    authenticated: false

  - operation: Test.delete
    authenticated: false

rootTokens:
  - gateway

types.graphql:

type Test @model {

    id: ID! @isUnique
    createdAt: DateTime!
    updatedAt: DateTime!
}

testExists.graphcool:

query test {
  SomeTestExists
}

#2

Hey,
I suppose you’ve made a typo and the name of the bottom file is testExists.graphql :slightly_smiling_face: .

What you are trying to do is filter without any filters. Your Permission query should include at least a basic filter to be valid and return true. Hence your query is not valid, it always returns true, prohibiting your user from creating a new Test.

I recommend you read this:
https://www.graph.cool/docs/reference/auth/authorization/permission-queries-iox3aqu0ee
and check Permissions queries used here:
https://www.graph.cool/docs/tutorials/auth/authorization-for-a-cms-miesho4goo

Hope this helps you in any way :smile:


#3

Hi Matic,

Thanks for the response!

Yes, .graphcool is .graphql, that was a typo.

Shouldn’t an invalid query always return false, instead of true? This query without filters does work in the permission playground.

The original problem was with a permission query with a filter, but I tried to simplify things to isolate the problem.

Adding a filter does solve the problem! So I will have to check the differences between this simple model and our actual project.


#4

There was a problem with the way we created an object: createTest{id} without any input parameters results in an ‘insufficient permissions’ error. Without any permission query, createTest{id} without any input params is valid and works!!

I will report this as a bug on GitHub.


#5

The problem was not with the filter query, but with the parameters. I have added my own answer which solves the problem, without having a filter in the permission query.


#6

All right, the problem seems to be with the way we create a ‘Test’. Whenever we create a test like this:

mutation{
  createTest{
    name
  }
}

This results in an ‘insufficient permissions’ error!

When we create a Test like this:

mutation{
  createTest(name:"test"){
    name
  }
}

It does work!

Creating objects without input parameters works without permission queries, so this should be considered a bug.


#7

You could also just make your text input required, which would probably solve your problem.

Also, can you share your permission query as making text property nullable might be the reason for your errors. :slightly_smiling_face:


#8

A bit late, but the permission query was still this:

query test {
  SomeTestExists
}