We need to go through the entire GraphQL schema and make sure that all privileged or private fields and functions are set to proper access restrictions. When developing we didn't limit this but we definitely need to secure this before allowing any public users to access the service.
Yader Velasquez referenced this ticket in commit af290a7.
Yader Velasquez referenced this ticket in commit ab95efd.
OK, every single instance if the Id isn't needed for future/other queries, this needs to be restricted. So for every type assume
Id
should be checked and removed if it can be. I'll list the rest of the type/fields that should be restricted below.#Organization
- OwnerId?
#Payment
- payment_net, fee should be private at least (probably
@admin
)#OrgLink
- orgId, unread, starred
#OrgUser
I think this should probably be restricted from the public all together? Maybe @admin?
I see quite a few with things like orgId or domainId exposed publicly. Just make sure they should be
Yader Velasquez referenced this ticket in commit 9b2d480.
Note: I removed
OrgUser
because it was not used anywhere.
Yader Velasquez referenced this ticket in commit 4fc051f.
Peter Sanchez referenced this ticket in commit 2339a37.