Validate arguments before passing to authorize

Fixes #407
rebing · Jul 19, 2019 · 77dedb6 · 77dedb6
1 parent 850a701
commit 77dedb6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,6 +43,7 @@ CHANGELOG
 - Replace global helper `is_lumen` with static class call `\Rebing\GraphQL\Helpers::isLumen`
 
 ### Fixed
+- Arguments are now validation before they're passed to `authorize()`
 - File uploads now correctly work with batched requests [\#397](https://github.com/rebing/graphql-laravel/pull/397)
 - Path multi-level support for Schemas works again [\#358](https://github.com/rebing/graphql-laravel/pull/358)
 - SelectFields correctly passes field arguments to the custom query [\#327](https://github.com/rebing/graphql-laravel/pull/327)

diff --git a/src/Support/Field.php b/src/Support/Field.php
@@ -167,11 +167,6 @@ protected function getResolver(): ?Closure
                 $arguments[1] = array_merge($arguments[1], $arguments[2]);
             }
 
-            // Authorize
-            if (call_user_func($authorize, $arguments[1]) != true) {
-                throw new AuthorizationError('Unauthorized');
-            }
-
             // Validate mutation arguments
             if (method_exists($this, 'getRules')) {
                 $args = Arr::get($arguments, 1, []);
@@ -188,6 +183,11 @@ protected function getResolver(): ?Closure
                 }
             }
 
+            // Authorize
+            if (call_user_func($authorize, $arguments[1]) != true) {
+                throw new AuthorizationError('Unauthorized');
+            }
+
             // Add the 'selects and relations' feature as 5th arg
             if (isset($arguments[3])) {
                 $arguments[] = function () use ($arguments): SelectFields {

diff --git a/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php b/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php
@@ -5,6 +5,7 @@
 namespace Rebing\GraphQL\Tests\Unit\ValidationAuthorizationTests;
 
 use Rebing\GraphQL\Tests\TestCase;
+use Illuminate\Support\MessageBag;
 
 class ValidationAuthorizationTest extends TestCase
 {
@@ -23,7 +24,16 @@ public function testAuthorizeArgumentsInvalid(): void
             ],
         ]);
 
-        $this->assertSame('Unauthorized', $result['errors'][0]['message']);
+        $this->assertSame('validation', $result['errors'][0]['message']);
+
+        /** @var MessageBag $messageBag */
+        $messageBag = $result['errors'][0]['extensions']['validation'];
+        $expectedErrors = [
+            'arg1' => [
+                'The selected arg1 is invalid.',
+            ],
+        ];
+        $this->assertSame($expectedErrors, $messageBag->messages());
     }
 
     public function testAuthorizeArgumentsValid(): void