You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using access control to restrict access to a collection, the GraphQL api will give errors and not return the correct data if some but not all records are denied readability in a relation field with many related records.
If all are read-allowed, it works fine. If all are denied, it's also fine. But if some are allowed and some are not, it returns null for the entire field.
on my test environment (the min repro attached), I have 4 Demo records stored in the demoRelationship field.
If there is a contiguous group of visibile records, followed by a contiguous group of not-visible records, the query works. In all other cases, the error occurs. For example, if 1 and 2 are visible, but 3 and 4 are not, the query works. Same behavior occurs with more records.
I tested reordering them as well, and what matters is the position in the relationship, not the ID of the record. So if you reordered the above to 3, 1, 4, 2, then visibility where the query works are:
All visible
3, 1, 4 visible
3, 1 visible
3 visible
none visible
All other visibility settings for that order will fail with Error: Cannot return null for non-nullable field DemoGlobal.demoRelationship
The issue seems to be here. The field is supposed to be an array of non-null values, but it inserts false-y values into the array (results[i] = result on L467).
A simple solutution is to modify L480 to return results.filter(result => result !== null). I'm not sure if there would be a more efficient way to do this in parallel. If you changed createPopulationPromise to push, then you cannot guarantee the order. I think a syncronous once-over to filter out a constant value (null) shouldn't be too much of a performance impact.
I can implement this change, create some tests, and submit a PR if this solution sounds good to the maintainers.
Describe the Bug
When using access control to restrict access to a collection, the GraphQL api will give errors and not return the correct data if some but not all records are denied readability in a
relation
field with many related records.If all are read-allowed, it works fine. If all are denied, it's also fine. But if some are allowed and some are not, it returns null for the entire field.
Link to the code that reproduces this issue
https://github.com/6TELOIV/graphql-null-relations
Reproduction Steps
Run the server on your local machine with a local PostgreSQL DB
On the
DemoGlobal
, add multiple relatedDemo
items, checkingvisible
on some but not others.Visit
localhost:3000/api/graphql-playground
in a private window/logged out contextInput the following query:
Observe the error:
Error: Cannot return null for non-nullable field DemoGlobal.demoRelationship.
Which area(s) are affected? (Select all that apply)
area: core, db-postgres
Environment Info
The text was updated successfully, but these errors were encountered: