~netlandish/links#60: 
Tighten up GraphQL schema

We need to go through the entire GraphQL schema and make sure that all privileged or private fields and functions are set to proper access restrictions. When developing we didn't limit this but we definitely need to secure this before allowing any public users to access the service.

Status
RESOLVED IMPLEMENTED
Submitter
~petersanchez
Assigned to
No-one
Submitted
2 months ago
Updated
a month ago
Labels
No labels applied.

~yaderv 2 months ago

Yader Velasquez referenced this ticket in commit af290a7.

~yaderv 2 months ago

Yader Velasquez referenced this ticket in commit ab95efd.

~petersanchez 2 months ago

OK, every single instance if the Id isn't needed for future/other queries, this needs to be restricted. So for every type assume Id should be checked and removed if it can be. I'll list the rest of the type/fields that should be restricted below.

#Organization

  • OwnerId?

#Payment

  • payment_net, fee should be private at least (probably @admin)
  • orgId, unread, starred

#OrgUser

I think this should probably be restricted from the public all together? Maybe @admin?

I see quite a few with things like orgId or domainId exposed publicly. Just make sure they should be

~yaderv 2 months ago

Yader Velasquez referenced this ticket in commit 9b2d480.

~yaderv 2 months ago

Note: I removed OrgUser because it was not used anywhere.

~yaderv 2 months ago

Yader Velasquez referenced this ticket in commit 4fc051f.

~petersanchez REPORTED IMPLEMENTED 2 months ago

~petersanchez a month ago

Peter Sanchez referenced this ticket in commit 2339a37.

Register here or Log in to comment, or comment via email.