Fix data leaked to unauthorized users

akomm · Jeremiah VALERIE · commit c23cbfebdc02 · 2018-09-21T08:47:35.000+02:00
fixed #387
diff --git a/Resolver/AccessResolver.php b/Resolver/AccessResolver.php
@@ -14,6 +14,8 @@
 use GraphQL\Executor\Promise\Adapter\SyncPromise;
 use GraphQL\Executor\Promise\Promise;
 use GraphQL\Executor\Promise\PromiseAdapter;
+use GraphQL\Type\Definition\ListOfType;
+use GraphQL\Type\Definition\ResolveInfo;
 use Overblog\GraphQLBundle\Error\UserError;
 use Overblog\GraphQLBundle\Error\UserWarning;
 use Overblog\GraphQLBundle\Relay\Connection\Output\Connection;
@@ -66,7 +68,10 @@ function ($result) use ($accessChecker, $resolveArgs) {
 
     private function processFilter($result, $accessChecker, $resolveArgs)
     {
-        if (is_array($result)) {
+        /** @var ResolveInfo $resolveInfo */
+        $resolveInfo = $resolveArgs[3];
+
+        if (\is_array($result) && $resolveInfo->returnType instanceof ListOfType) {
             $result = array_map(
                 function ($object) use ($accessChecker, $resolveArgs) {
                     return $this->hasAccess($accessChecker, $object, $resolveArgs) ? $object : null;
diff --git a/Tests/Functional/App/config/access/mapping/access.types.yml b/Tests/Functional/App/config/access/mapping/access.types.yml
@@ -6,6 +6,10 @@ RootQuery:
             user:
                 type: User
                 resolve: '@=resolver("query")'
+            youShallNotSeeThisUnauthenticated:
+                type: SecureField
+                access: '@=isFullyAuthenticated()'
+                resolve: '@=[]'
 
 Mutation:
     type: object
@@ -47,6 +51,17 @@ User:
         interfaces: [Human]
         isTypeOf: true
 
+SecureField:
+    type: object
+    config:
+        fields:
+            secretValue:
+                type: String!
+                resolve: 'top secret'
+            youAreAuthenticated:
+                type: Boolean!
+                resolve: '@=isFullyAuthenticated()'
+
 friendConnection:
     type: relay-connection
     config:
diff --git a/Tests/Functional/Security/AccessTest.php b/Tests/Functional/Security/AccessTest.php
@@ -96,6 +96,38 @@ public function testNotAuthenticatedUserAccessToUserName()
         $this->assertResponse($this->userNameQuery, $expected, static::ANONYMOUS_USER, 'access');
     }
 
+    public function testNonAuthenticatedUserAccessSecuredFieldWhichInitiallyResolvesToArray(): void
+    {
+        $expected = [
+            'data' => [
+                'youShallNotSeeThisUnauthenticated' => null,
+            ],
+            'extensions' => [
+                'warnings' => [
+                    [
+                        'message' => 'Access denied to this field.',
+                        'locations' => [
+                            [
+                                'line' => 2,
+                                'column' => 3,
+                            ],
+                        ],
+                        'path' => ['youShallNotSeeThisUnauthenticated'],
+                    ],
+                ],
+            ],
+        ];
+        $query = <<<'EOF'
+{
+  youShallNotSeeThisUnauthenticated {
+    secretValue
+    youAreAuthenticated
+  }
+}
+EOF;
+        $this->assertResponse($query, $expected, static::ANONYMOUS_USER, 'access');
+    }
+
     public function testFullyAuthenticatedUserAccessToUserName()
     {
         $expected = [
