Bypass ui.isAccessAllowed for sudo contexts (#6955)
* Bypass `ui.isAccessAllowed` for the admin meta query for sudo contexts

* Remove debugger

* Unused import

* Fix test on postgres

Co-authored-by: Daniel Cousens <413395+dcousens@users.noreply.github.com>
emmatown and dcousens authored Nov 17, 2021
1 parent 7133616 commit 760ae82
Showing 5 changed files with 120 additions and 3 deletions.
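--- a/.changeset/loud-crabs-buy.md
+++ b/.changeset/loud-crabs-buy.md
@@ -0,0 +1,5 @@
+---
+'@keystone-next/keystone': patch
+---
+
+Fixed `ui.isAccessAllowed` not being respected in the admin meta query when no session strategy was defined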
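--- a/.changeset/sixty-pots-worry.md
+++ b/.changeset/sixty-pots-worry.md
@@ -0,0 +1,5 @@
+---
+'@keystone-next/keystone': patch
+---
+
+The admin meta query now bypasses `ui.isAccessAllowed` for sudo contexts.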
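--- a/packages/keystone/src/admin-ui/system/getAdminMetaSchema.ts
+++ b/packages/keystone/src/admin-ui/system/getAdminMetaSchema.ts
@@ -28,9 +28,8 @@ export function getAdminMetaSchema({
 lists: Record<string, InitialisedList>;
 }) {
 const isAccessAllowed =
-config.session === undefined
-? undefined
-: config.ui?.isAccessAllowed ?? (({ session }) => session !== undefined);
+config.ui?.isAccessAllowed ??
+(config.session === undefined ? undefined : ({ session }) => session !== undefined);
 const jsonScalar = graphqlBoundToKeystoneContext.JSON;
 
 const KeystoneAdminUIFieldMeta = graphql.object<FieldMetaRootVal>()({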
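Review bot: When neither `config.ui.isAccessAllowed` nor `config.session` is configured, the added expression leaves `isAccessAllowed` as `undefined`, and nothing in the hunk says what the consumer does with that; presumably it skips the check entirely, which would make the admin meta query reachable without any authorization in that configuration, so the intent deserves to be written down rather than inferred. Suggest a comment above the declaration such as `// undefined here means "no check": neither a session strategy nor an explicit ui.isAccessAllowed was configured`, adjusted if the consumer treats undefined differently. With the new `??` ordering an explicit `ui.isAccessAllowed` now wins even when `session` is undefined, which is the fix the changesets describe. The rest of getAdminMetaSchema, including where `isAccessAllowed` is used, lies outside the hunk.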
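--- a/packages/keystone/src/lib/createSystem.ts
+++ b/packages/keystone/src/lib/createSystem.ts
@@ -20,6 +20,10 @@ function getSudoGraphQLSchema(config: KeystoneConfig, provider: DatabaseProvider
 // The resulting schema is used as the GraphQL schema when calling `context.sudo()`.
 const transformedConfig: KeystoneConfig = {
 ...config,
+ui: {
+...config.ui,
+isAccessAllowed: () => true,
+},
 lists: Object.fromEntries(
 Object.entries(config.lists).map(([listKey, list]) => {
 return [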
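Review bot: The added `isAccessAllowed: () => true` override has no comment of its own, and a reader who does not connect it to the `context.sudo()` remark above `transformedConfig` could mistake it for an accidental bypass of the admin UI access check. Suggest annotating the `ui:` block with `// sudo contexts are fully trusted, so the admin meta access check is short-circuited here; the non-sudo schema keeps config.ui.isAccessAllowed`. Spreading `config.ui` before the override keeps every other ui option intact, which is the right shape for this. getSudoGraphQLSchema continues beyond the hunk.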
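--- a/tests/api-tests/admin-meta.test.ts
+++ b/tests/api-tests/admin-meta.test.ts
@@ -0,0 +1,104 @@
+import { list } from '@keystone-next/keystone';
+import { text } from '@keystone-next/keystone/fields';
+import { staticAdminMetaQuery } from '@keystone-next/keystone/src/admin-ui/admin-meta-graphql';
+import { setupTestRunner } from '@keystone-next/keystone/testing';
+import { apiTestConfig, dbProvider } from './utils';
+
+const runner = setupTestRunner({
+config: apiTestConfig({
+ui: {
+isAccessAllowed: () => false,
+},
+lists: { User: list({ fields: { name: text() } }) },
+}),
+});
+
+test(
+'non-sudo context does not bypass isAccessAllowed for admin meta',
+runner(async ({ context }) => {
+const res = await context.exitSudo().graphql.raw({ query: staticAdminMetaQuery });
+expect(res).toMatchInlineSnapshot(`
+Object {
+"data": null,
+"errors": Array [
+[GraphQLError: Access denied],
+],
+}
+`);
+})
+);
+
+test(
+'sudo context bypasses isAccessAllowed for admin meta',
+runner(async ({ context }) => {
+const data = await context.sudo().graphql.run({ query: staticAdminMetaQuery });
+expect(data).toEqual({
+keystone: {
+__typename: 'KeystoneMeta',
+adminMeta: {
+__typename: 'KeystoneAdminMeta',
+enableSessionItem: false,
+enableSignout: false,
+lists: [
+{
+__typename: 'KeystoneAdminUIListMeta',
+description: null,
+fields: [
+{
+__typename: 'KeystoneAdminUIFieldMeta',
+customViewsIndex: null,
+fieldMeta: {
+kind: 'cuid',
+},
+itemView: {
+fieldMode: 'hidden',
+},
+label: 'Id',
+path: 'id',
+search: null,
+viewsIndex: 0,
+},
+{
+__typename: 'KeystoneAdminUIFieldMeta',
+customViewsIndex: null,
+fieldMeta: {
+defaultValue: '',
+displayMode: 'input',
+isNullable: false,
+shouldUseModeInsensitive: dbProvider === 'postgresql',
+validation: {
+isRequired: false,
+length: {
+max: null,
+min: null,
+},
+match: null,
+},
+},
+itemView: {
+fieldMode: 'edit',
+},
+label: 'Name',
+path: 'name',
+search: dbProvider === 'postgresql' ? 'insensitive' : 'default',
+viewsIndex: 1,
+},
+],
+initialColumns: ['name'],
+initialSort: null,
+itemQueryName: 'User',
+key: 'User',
+label: 'Users',
+labelField: 'name',
+listQueryName: 'Users',
+pageSize: 50,
+path: 'users',
+plural: 'Users',
+singular: 'User',
+},
+],
+},
+},
+});
+})
+);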
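Review bot: The two tests only cover a config with an explicit `ui.isAccessAllowed: () => false`; the first changeset describes a fix for configs with no session strategy, but whether `apiTestConfig` leaves `session` undefined is not visible here, and there is no test at all for the case where neither `session` nor `ui.isAccessAllowed` is configured, which is exactly where the rewritten expression in getAdminMetaSchema falls through to `undefined`. A second runner with `ui` omitted, asserting what a non-sudo `graphql.raw({ query: staticAdminMetaQuery })` returns, would pin that default rather than leave it implied. On style, the denied test uses `toMatchInlineSnapshot` while the allowed test uses `toEqual`; asserting the denied case as `expect(res.data).toBeNull();` and `expect(res.errors?.map(e => e.message)).toEqual(['Access denied']);` would make the pair read the same way and not depend on snapshot formatting.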
