
Getting Access forbidden message when trying to use filter on graphql queries #1434

@dgcaron

Description


Discussed in #1423

Originally posted by sumchans April 7, 2023
I have been trying out the Data API builder for Azure Cosmos DB and so far was successfully able to pull data from Azure Cosmos DB. The issue I am having now is, when I use filter on the queries I get "Access forbidden to a field referenced in the filter." I believe this has something to do with configuring the permissions in the dab-config.json, but I am not able to get a head start on this so far.

Here is my query -

query filteritems {
    items(filter: { userPhoneNumber: { contains: "4160000000" } }) {
        items {
            partitionKey
            userPhoneNumber
            userDisplayName
        }
    }
}

Here is the result -

{
  "errors": [
    {
      "message": "Access forbidden to a field referenced in the filter.",
      "extensions": {
        "code": "AuthorizationCheckFailed"
      }
    }
  ]
}

Also attaching my dab-config json file -

{
  "$schema": "https://github.com/Azure/data-api-builder/releases/download/v0.6.13/dab.draft.schema.json",
  "data-source": {
    "database-type": "cosmosdb_nosql",
    "options": {
      "database": "Database",
      "schema": "schema.gql"
    },
    "connection-string": "connection-string;"
  },
  "runtime": {
    "graphql": {
      "allow-introspection": true,
      "enabled": true,
      "path": "/graphql"
    },
    "host": {
      "mode": "development",
      "cors": {
        "origins": [],
        "allow-credentials": false
      },
      "authentication": {
        "provider": "StaticWebApps"
      }
    }
  },
  "entities": {
    "Item": {
      "source": "Items",
      "graphql": true,
      "permissions": [
        {
          "role": "anonymous",
          "actions": [
            "*"
          ],
          "fields": {
            "include": [
              "*"
            ]
          }
        }
      ]
    }
  }
}

I have tried changing the configuration and types of permissions, but it looks like something is broken between the current build (0.6.13) and the previous (0.35.5).

The stack trace shows:

[dataApi] info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
[dataApi]       Request starting HTTP/1.1 POST http://localhost:4280/graphql application/json 247
[dataApi] info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
[dataApi]       Executing endpoint 'Hot Chocolate GraphQL Pipeline'
[dataApi] fail: Azure.DataApiBuilder.Service.Startup[0]
[dataApi]       Access forbidden to a field referenced in the filter.
[dataApi] fail: Azure.DataApiBuilder.Service.Startup[0]
[dataApi]          at Azure.DataApiBuilder.Service.Models.GQLFilterParser.Parse(IMiddlewareContext ctx, IInputField filterArgumentSchema, List`1 fields, BaseQueryStructure queryStructure) in /_/src/Service/Models/GraphQLFilterParsers.cs:line 159   
[dataApi]          at Azure.DataApiBuilder.Service.Resolvers.CosmosQueryStructure.Init(IDictionary`2 queryParams) in /_/src/Service/Resolvers/CosmosQueryStructure.cs:line 160
[dataApi]          at Azure.DataApiBuilder.Service.Resolvers.CosmosQueryEngine.ExecuteAsync(IMiddlewareContext context, IDictionary`2 parameters) in /_/src/Service/Resolvers/CosmosQueryEngine.cs:line 64
[dataApi]          at Azure.DataApiBuilder.Service.Services.ResolverMiddleware.InvokeAsync(IMiddlewareContext context) in /_/src/Service/Services/ResolverMiddleware.cs:line 95
[dataApi]          at HotChocolate.Utilities.MiddlewareCompiler`1.ExpressionHelper.AwaitTaskHelper(Task task)
[dataApi]          at HotChocolate.Execution.Processing.Tasks.ResolverTask.ExecuteResolverPipelineAsync(CancellationToken cancellationToken)
[dataApi]          at HotChocolate.Execution.Processing.Tasks.ResolverTask.TryExecuteAsync(CancellationToken cancellationToken)
[dataApi] info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
[dataApi]       Executed endpoint 'Hot Chocolate GraphQL Pipeline'
[dataApi] info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
[dataApi]       Request finished HTTP/1.1 POST http://localhost:4280/graphql application/json 247 - 500 - application/json;+charset=utf-8 864.3125ms

The code is not picking up any of the permissions (not explicit, not *, and not if left empty), always returning false from this line:

bool columnAccessPermitted = queryStructure.AuthorizationResolver.AreColumnsAllowedForOperation(

If I revert to the previous version, the exact same definition works fine.
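The check the report is about, as an added illustration that is not Data API builder's own code: a small Python model of how a role's include/exclude field list should gate every field referenced in a GraphQL filter (filter predicates can leak data from a field even when it is not selected, so they need the same gate as the selection set). The config is constructed from the issue's permissions block plus a hypothetical "authenticated" role, and the and/or handling is an assumption about the filter shape.

```python
import json

# Constructed config: the issue's anonymous/"*" entry plus a hypothetical
# restricted role, so both the permitted and the denied path are exercised.
CONFIG = json.loads("""
{"entities": {"Item": {"source": "Items", "permissions": [
  {"role": "anonymous", "actions": ["*"], "fields": {"include": ["*"]}},
  {"role": "authenticated", "actions": ["read"],
   "fields": {"include": ["partitionKey", "userDisplayName"],
              "exclude": ["userPhoneNumber"]}}
]}}}
""")

LOGICAL_OPS = {"and", "or"}

def filter_fields(filter_obj):
    """Collect every field name referenced in a filter argument.
    Leaves look like {field: {operator: value}}; 'and'/'or' hold lists of sub-filters."""
    found = set()
    for key, value in filter_obj.items():
        if key in LOGICAL_OPS:
            for sub in value:
                found |= filter_fields(sub)
        else:
            found.add(key)
    return found

def allowed_fields(config, entity, role, action):
    """Resolve the role's include/exclude lists for an action into a predicate.
    Omitted 'fields' means everything is included; returns None when the role
    has no entry covering the action at all (assumed semantics)."""
    for perm in config["entities"][entity]["permissions"]:
        if perm["role"] != role:
            continue
        if action not in perm["actions"] and "*" not in perm["actions"]:
            continue
        fields = perm.get("fields", {})
        include = set(fields.get("include", ["*"]))
        exclude = set(fields.get("exclude", []))
        return lambda f: f not in exclude and ("*" in include or f in include)
    return None

def filter_permitted(config, entity, role, action, filter_obj):
    """True only if every field the filter touches is readable by the role;
    a role with no matching permission entry is denied outright."""
    pred = allowed_fields(config, entity, role, action)
    if pred is None:
        return False
    return all(pred(f) for f in filter_fields(filter_obj))
```

With the issue's own config (anonymous, actions "*", include "*") the query's filter on userPhoneNumber is permitted, which is the behaviour the report says 0.6.13 fails to reproduce.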

Labels: auth, bug (Something isn't working), cosmos, engine (issues that require change in engine code), graphql

Status: Done