System Information
- Strapi Version: v4.4.3
- Operating System: Ubuntu 22.04
- Database: Postgresql
- Node Version: v16.13.1
- NPM Version: -
- Yarn Version: 1.22.17
Hi, I have a security problem with GraphQL and role permissions.
I have two models, Event and Travel, linked to each other (an event can have many travels), and I want to run the following query with GraphQL (simplified). I have enabled the permission `api::event.event.findOne`.
```graphql
query event {
  event(id: 11) {
    data {
      id
      attributes {
        travels {
          data {
            id
          }
        }
      }
    }
  }
}
```
But Strapi responds with an error:
```json
{
  "errors": [
    {
      "message": "Forbidden access",
      "extensions": {
        "error": {
          "name": "ForbiddenError",
          "message": "Forbidden access",
          "details": {}
        },
        "code": "FORBIDDEN"
      }
    }
  ],
  "data": {
    "event": {
      "data": {
        "id": "11",
        "attributes": {
          "travels": null
        }
      }
    }
  }
}
```
If I enable the permission `api::travel.travel.find`, it works! For security reasons, I can disable the travels GraphQL method (with `extService.shadowCRUD("api::travel.travel").disableActions(["find"])`), but all travels are still exposed through the REST API endpoint `/api/travels`…
I don't want anybody to fetch all travels, only through an event-scoped payload. How can I handle this securely?
Thanks for your help!
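The access model the post is asking for, as an added, self-contained example that is not part of the original post and is not Strapi's own code: the collection-wide `find` action stays denied (so both the top-level GraphQL `travels` query and the REST listing return the same "Forbidden access" error), while travels are still reachable as a relation under an event the caller is allowed to read, because the nested resolver is scoped to the parent's id rather than re-checking the collection permission. The in-memory store, the resolver functions and the `ForbiddenError` class are constructed for illustration; only the permission identifiers `api::event.event.findOne` and `api::travel.travel.find` come from the post.

```javascript
// Constructed sample data (not from the original post).
const events = [
  { id: 11, name: "Conference", travelIds: [1, 2] },
  { id: 12, name: "Retreat", travelIds: [3] },
];
const travels = [
  { id: 1, eventId: 11, destination: "Paris" },
  { id: 2, eventId: 11, destination: "Lyon" },
  { id: 3, eventId: 12, destination: "Nice" },
];

// Permissions granted to the caller, using Strapi's action identifier
// format. Only event.findOne is enabled, as in the post; travel.find is not.
const publicPermissions = new Set(["api::event.event.findOne"]);

// Hypothetical error type shaped like the response in the post.
class ForbiddenError extends Error {
  constructor() {
    super("Forbidden access");
    this.name = "ForbiddenError";
  }
}

function requirePermission(perms, action) {
  if (!perms.has(action)) throw new ForbiddenError();
}

// Top-level collection query (GraphQL `travels`): gated by the
// collection-wide find action, so with the permissions above it is denied.
function resolveTravels(perms) {
  requirePermission(perms, "api::travel.travel.find");
  return travels;
}

// Single event: gated by event.findOne, returns that event only.
function resolveEvent(perms, id) {
  requirePermission(perms, "api::event.event.findOne");
  return events.find((e) => e.id === id) ?? null;
}

// Nested relation resolver: the authorization decision was made when the
// parent event was resolved, so this lookup is scoped to the parent's id
// and does not re-check travel.find. Filtering by eventId keeps the result
// bounded to that one parent regardless of what the caller asked for.
function resolveEventTravels(parentEvent) {
  return travels.filter((t) => t.eventId === parentEvent.id);
}

// Executes the shape of the query in the post: event(id) { travels { id } }
// and returns a payload in the same data/attributes layout.
function queryEventWithTravels(perms, id) {
  const event = resolveEvent(perms, id);
  if (!event) return { data: null };
  return {
    data: {
      id: String(event.id),
      attributes: {
        travels: {
          data: resolveEventTravels(event).map((t) => ({ id: String(t.id) })),
        },
      },
    },
  };
}

// Models the REST listing /api/travels: it must sit behind the same gate as
// the GraphQL collection query, otherwise disabling only the GraphQL action
// leaves the listing exposed (the problem described in the post).
function listTravelsRest(perms) {
  try {
    return { status: 200, body: resolveTravels(perms) };
  } catch (e) {
    if (e instanceof ForbiddenError) return { status: 403, body: { error: e.name } };
    throw e;
  }
}
```

The point to check in a real deployment is that the two entry points share one gate: whatever mechanism hides `travels` from GraphQL must also deny the REST route, and the event-scoped path must filter by the parent's id on the server side rather than trusting ids supplied by the client.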