From 77dedb6b8ca7d405d7c8b5fc75fbf47239df0e23 Mon Sep 17 00:00:00 2001
From: Markus Fischer
Date: Sat, 20 Jul 2019 01:00:06 +0200
Subject: [PATCH] Validate arguments before passing to authorize

Fixes https://github.com/rebing/graphql-laravel/issues/407
---
 CHANGELOG.md                          |  1 +
 src/Support/Field.php                 | 10 +++++-----
 .../ValidationAuthorizationTest.php   | 12 +++++++++++-
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0a9788ae..e8c496db9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@ CHANGELOG
 - Replace global helper `is_lumen` with static class call `\Rebing\GraphQL\Helpers::isLumen`
 
 ### Fixed
+- Arguments are now validation before they're passed to `authorize()`
 - File uploads now correctly work with batched requests [\#397](https://github.com/rebing/graphql-laravel/pull/397)
 - Path multi-level support for Schemas works again [\#358](https://github.com/rebing/graphql-laravel/pull/358)
 - SelectFields correctly passes field arguments to the custom query [\#327](https://github.com/rebing/graphql-laravel/pull/327)
diff --git a/src/Support/Field.php b/src/Support/Field.php
index ea4872f6e..4d8792f74 100644
--- a/src/Support/Field.php
+++ b/src/Support/Field.php
@@ -167,11 +167,6 @@ protected function getResolver(): ?Closure
                 $arguments[1] = array_merge($arguments[1], $arguments[2]);
             }
 
-            // Authorize
-            if (call_user_func($authorize, $arguments[1]) != true) {
-                throw new AuthorizationError('Unauthorized');
-            }
-
             // Validate mutation arguments
             if (method_exists($this, 'getRules')) {
                 $args = Arr::get($arguments, 1, []);
@@ -188,6 +183,11 @@ protected function getResolver(): ?Closure
                 }
             }
 
+            // Authorize
+            if (call_user_func($authorize, $arguments[1]) != true) {
+                throw new AuthorizationError('Unauthorized');
+            }
+
             // Add the 'selects and relations' feature as 5th arg
             if (isset($arguments[3])) {
                 $arguments[] = function () use ($arguments): SelectFields {
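Review bot: The authorization check relocated to the end of the second Field.php hunk still compares with loose `!= true`, so any truthy value returned by the authorize callback (a non-empty string, an integer, an object) is accepted as authorized; it should fail closed with `if (call_user_func($authorize, $arguments[1]) !== true) {`, which is a no-op for callbacks that already return a proper bool. A second, behavioural caveat worth stating in a comment: because validation now runs first, a caller who would be rejected by authorize() receives the validation error bag instead of `Unauthorized`, so rules that consult application data (for example `exists`/`unique` style rules) become usable for probing data without ever passing authorization. I would put that in writing above the block, e.g. `// Authorize: runs after validation so authorize() only ever sees validated args; note that validation errors are therefore returned to callers before authorization is checked.`, and leave it to field authors to move argument-independent authorization earlier if that exposure matters. The enclosing getResolver() closure starts before and ends after this hunk.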
diff --git a/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php b/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php
index f463ca2dd..779024b06 100644
--- a/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php
+++ b/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php
@@ -5,6 +5,7 @@
 namespace Rebing\GraphQL\Tests\Unit\ValidationAuthorizationTests;
 
 use Rebing\GraphQL\Tests\TestCase;
+use Illuminate\Support\MessageBag;
 
 class ValidationAuthorizationTest extends TestCase
 {
@@ -23,7 +24,16 @@ public function testAuthorizeArgumentsInvalid(): void
             ],
         ]);
 
-        $this->assertSame('Unauthorized', $result['errors'][0]['message']);
+        $this->assertSame('validation', $result['errors'][0]['message']);
+
+        /** @var MessageBag $messageBag */
+        $messageBag = $result['errors'][0]['extensions']['validation'];
+        $expectedErrors = [
+            'arg1' => [
+                'The selected arg1 is invalid.',
+            ],
+        ];
+        $this->assertSame($expectedErrors, $messageBag->messages());
     }
 
     public function testAuthorizeArgumentsValid(): void
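Review bot: The rewritten assertions in testAuthorizeArgumentsInvalid only pin the validation error bag; nothing asserts that authorize() was never invoked with the invalid arguments, which is the property the commit sets out to guarantee, so a future reordering of the two checks that still fails validation would pass this test unchanged. A flag or counter set inside the test schema's authorize() (the fixture is outside this hunk, so I cannot see whether one exists) asserted false after the request would make the intent explicit. Minor style point in the first hunk: the new `use Illuminate\Support\MessageBag;` is placed after `Rebing\GraphQL\Tests\TestCase`, breaking the alphabetical order of the import block.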