
Commit c017efe

TomasDJo and Aniruddh25 authored
Fix: Restore EntityName after processing nested filter for CosmosDB (#3072)
## Why make this change?

- Closes #3070
- When filtering on multiple different nested objects in CosmosDB (e.g., `toOwnership` and `fromOwnership`), the query fails with `AuthorizationCheckFailed` error even though the user has proper permissions.

## What is this change?

When processing non-list nested object filters for CosmosDB in `GQLFilterParser.Parse()`, the `EntityName` property of `cosmosQueryStructure` is mutated to the nested type name but **not restored** after the recursive parsing completes. This causes subsequent nested filters to use the wrong entity name for authorization checks:

1. First nested filter (e.g., `toOwnership`) → `EntityName` set to "ToOwnership"
2. `DatabaseObject.Name` and `SourceAlias` are restored ✓
3. `EntityName` is **NOT** restored ✗ (still "ToOwnership")
4. Second nested filter (e.g., `fromOwnership`) → authorization check uses wrong entity → **fails**

The fix adds a single line to restore `EntityName` alongside the existing restoration of `DatabaseObject.Name` and `SourceAlias`.

## How was this tested?

- [x] Manual testing against real CosmosDB with nested filter queries
- [x] Integration Tests
- [ ] Unit Tests

### Before fix:

```json
{"errors":[{"message":"Access forbidden to a field referenced in the filter.","extensions":{"code":"AuthorizationCheckFailed"}}],"data":null}
```

### After fix:

```json
{"data":{"transactions":{"items":[{"id":"31654581"},{"id":"28285539"}]}}}
```

## Sample Request(s)

```graphql
# This query failed before the fix
{
  transactions(filter: {
    toOwnership: { toOwnerType: { eq: "Privat" } },
    fromOwnership: { fromOwnerType: { eq: "Privat" } }
  }, first: 2) {
    items { id }
  }
}
```

---------

Co-authored-by: Aniruddh Munde <[email protected]>
1 parent b0ecbf6 commit c017efe

2 files changed

Lines changed: 26 additions & 0 deletions

src/Core/Models/GraphQLFilterParsers.cs

Lines changed: 1 addition & 0 deletions
@@ -227,6 +227,7 @@ public Predicate Parse(
227227

228228
cosmosQueryStructure.DatabaseObject.Name = sourceName;
229229
cosmosQueryStructure.SourceAlias = sourceAlias;
230+
cosmosQueryStructure.EntityName = entityName;
230231
}
231232
}
232233
}
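
Review bot: at the added line 230, `EntityName` is restored from `entityName`, a variable whose declaration is outside the visible context, so please confirm it holds the parent entity's name captured before `EntityName` was switched to the nested type, the same way `sourceName` and `sourceAlias` are. Because the authorization check reads `EntityName`, consider moving the three restores into a `finally` block so that an exception thrown during the nested parse cannot leave the query structure pointing at the nested entity. A one-line comment stating that `DatabaseObject.Name`, `SourceAlias` and `EntityName` must always be restored together would help prevent the same omission if a fourth mutated field is added later.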

src/Service.Tests/CosmosTests/QueryFilterTests.cs

Lines changed: 25 additions & 0 deletions
@@ -899,6 +899,31 @@ public async Task TestFilterWithEntityNameAlias()
899899
await ExecuteAndValidateResult(_graphQLQueryName, gqlQuery, dbQuery);
900900
}
901901

902+
/// <summary>
903+
/// Test filters on two different nested objects simultaneously
904+
/// </summary>
905+
[TestMethod]
906+
public async Task TestFilterOnTwoDifferentNestedObjects()
907+
{
908+
string gqlQuery = @"{
909+
planets(first: 10, " + QueryBuilder.FILTER_FIELD_NAME + @" : {
910+
character: { name: { eq: ""planet character"" } },
911+
earth: { type: { eq: ""earth4"" } }
912+
})
913+
{
914+
items {
915+
id
916+
name
917+
}
918+
}
919+
}";
920+
921+
string dbQuery = "SELECT c.id, c.name FROM c " +
922+
"WHERE c.character.name = \"planet character\" AND c.earth.type = \"earth4\"";
923+
924+
await ExecuteAndValidateResult(_graphQLQueryName, gqlQuery, dbQuery);
925+
}
926+
902927
/// <summary>
903928
/// For "item-level-permission-role" role, DB policies are defined. This test confirms that all the DB policies are considered.
904929
/// For the reference, Below conditions are applied for an Entity in Db Config file.
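
Review bot: `TestFilterOnTwoDifferentNestedObjects` (added lines 902-925) exercises only the allowed path, comparing the GraphQL result with `dbQuery`, while the regression it guards is an authorization failure on the second nested filter. Consider stating that in the `<summary>` with a reference to #3070, and adding a companion case under a restricted role (the `item-level-permission-role` test that follows shows the pattern) in which a field of the second nested object is not permitted, so that an authorization check resolved against the wrong entity is caught whether it wrongly denies or wrongly allows. A variant with the two nested filters in the opposite order (`earth` before `character`) would also show that the fix does not depend on filter order.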
