Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IBX-5094: Added try-catch block for UnauthorizedException #136

Merged
merged 2 commits into from
Aug 4, 2023

Conversation

mateuszdebinski
Copy link
Contributor

@mateuszdebinski mateuszdebinski added Bug Something isn't working Ready for review labels Jul 26, 2023
@mateuszdebinski mateuszdebinski requested a review from a team July 26, 2023 08:10
@mateuszdebinski mateuszdebinski self-assigned this Jul 26, 2023
Copy link
Member

@konradoboza konradoboza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think throwing GraphQL\Error\UserError might be more informative than no data returned. POV ping @bdunogier.

src/GraphQL/Resolver/SectionResolver.php Outdated Show resolved Hide resolved
@konradoboza konradoboza requested review from a team and bdunogier July 26, 2023 08:16
Copy link
Member

@alongosz alongosz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think throwing GraphQL\Error\UserError might be more informative than no data returned. POV ping @bdunogier.

return null, will allow you to display the sub-items list but without the section and without the error that is currently going to the logs

Looks like this is a "dangling" class tied to GraphQL only by DI, which makes it difficult to understand what exactly calls it and what is the data flow.

@mateuszdebinski the issue only mentions logs. Does this mean that the output is correct and the issue occurs only in logs?

If we throw GraphQL\Error\UserError instead of our exception, how does that change the output and logs? There's very little information to go on, so it's hard to review this one without spending some time on reverse-engineering.

@konradoboza
Copy link
Member

konradoboza commented Jul 26, 2023

If we throw GraphQL\Error\UserError instead of our exception, how does that change the output and logs? There's very little information to go on, so it's hard to review this one without spending some time on reverse-engineering.

My idea was to inform (UserError will be displayed in GraphiQL client while performing query) the user that they are not authorized to see specific data. However, filtered results (skipping content user doesn't have access to) and properly logged error seems to be the best way to handle this bug in my opinion.

@mateuszdebinski
Copy link
Contributor Author

mateuszdebinski commented Jul 26, 2023

@alongosz Yes, this issue did not cause any other issues, apart from the entry in the logs, still, the user could see sub-items.
@konradoboza In other places like trash, we have verification whether the user can see the section and if not, it is not displayed.

If the user does not have access to the selected section, should we put information into the logs if it does not stop the operation and allows you to still display the information?

@alongosz
Copy link
Member

My idea was to inform (UserError will be displayed in GraphiQL client while performing query) the user that they are not authorized to see specific data. However, filtered results (skipping content user doesn't have access to) and properly logged error seems to be the best way to handle this bug in my opinion.

(...) the issue only mentions logs. Does this mean that the output is correct and the issue occurs only in logs?

@alongosz Yes, this issue did not cause any other issues, apart from the entry in the logs, still, the user could see sub-items. @konradoboza In other places like trash, we have verification whether the user can see the section and if not, it is not displayed.

If the user does not have access to the selected section, should we put information into the logs if it does not stop the operation and allows you to still display the information?

IMHO it's a good idea to show it in logs and GraphiQL client because that might not be expected result, but permission "misconfiguration". The question is how does UserError look in logs? I'd avoid app.Critical as this seems to cause panic ;-)

@mateuszdebinski
Copy link
Contributor Author

mateuszdebinski commented Jul 26, 2023

@alongosz I tested it, and, UserError doesn't throw any error into the log but in graphQL, you get something like this:
"errors": [ { "message": "error", "extensions": { "category": "user" }, "locations": [ { "line": 47, "column": 37 } ], "path": [ "_repository", "location", "children", "edges", 0, "node", "content", "_info", "section" ] } ],

where "message": "error", "extensions": { "category": "user" }, it's configurable

@alongosz
Copy link
Member

@alongosz I tested it, and, UserError doesn't throw any error into the log but in graphQL, you get something like this: "errors": [ { "message": "error", "extensions": { "category": "user" }, "locations": [ { "line": 47, "column": 37 } ], "path": [ "_repository", "location", "children", "edges", 0, "node", "content", "_info", "section" ] } ],

where "message": "error", "extensions": { "category": "user" }, it's configurable

It seems that it provides value because someone might expect a section, but not get it and wonder why.

@alongosz alongosz requested a review from a team July 26, 2023 14:55
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

Copy link
Member

@micszo micszo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem no longer occurs.

QA Approved on Ibexa Commerce 3.3.34-dev
(diff ok on gql v2.3.16)

@micszo micszo removed their assignment Aug 4, 2023
@konradoboza konradoboza merged commit d4a9610 into 2.3 Aug 4, 2023
@konradoboza konradoboza deleted the IBX-5094_section_permission branch August 4, 2023 10:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug Something isn't working QA approved
Development

Successfully merging this pull request may close these issues.

5 participants