Allow users to only see themselves (@auth)

Say I have the following schema:

type User @auth(
    query: {
      rule: """
      query ($USER: ID!) {
        queryUser(filter: {id: [$USER]}) {
          id
        }
      }
      """
    }
  ) {
  id: ID!
  name: String!
}

# Dgraph.Authorization {...}

I would assume that this would allow users to only see their own user nodes. However when I run:

  queryUser {

I get back all the users in my system. Am I doing something wrong here? I’m new to Dgraph’s auth system so I could have just missed something.


What version of Dgraph are you running? This may be related to this fix in the recent 21.03.0 release.

  • Fix(GraphQL): Fix @auth rules evaluation in case of null variables in custom claims. (#7380)

I’m using Slash GraphQL, so v20.11.2.
I don’t think it’s because of a null variable in my custom claims though, as that same user variable works elsewhere.

I had the exact same problem. The weird thing is: if I encode the username in the token instead of the id and use that in the auth query, it works.

Once 21.03 is released, I would be curious to see if the problem exists. Should be before May 1st.


Hi @alaister, I have reproduced this locally. Accepting this as a bug. Will try to prioritize this bug fix.


This issue has been fixed in the master. See this PR for more details.


Thanks! Any idea when this will be in Slash GraphQL?

Update, I just tested this and it seems like this fix isn’t available in the v21.03 release, or am I wrong? Is there a way around this? IMO this is a serious security issue… authorizing to see only your account should be the default expected behaviour, or not?

@minhaj This does not seem to be fixed. I’m using v21.03. When I add this as a rule, it grants access to any User.
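
A regression check for the behaviour discussed in this thread, as an added example that is not part of any post above and is not Dgraph's own code: given the JWT sent with a `queryUser` request and the JSON response, it lists every returned node whose `id` differs from the token's `USER` claim. The claims namespace, the token, and both responses are constructed sample values, and the check assumes the query selects `id`.

```python
import base64
import json

# Assumption: custom claims sit under this namespace key in the JWT payload,
# matching whatever the (elided) Dgraph.Authorization line configures.
NAMESPACE = "https://example.com/jwt/claims"


def jwt_claims(token, namespace=NAMESPACE):
    """Return the custom claims from a JWT payload. No signature check:
    this only learns which user the test token represents."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get(namespace, {})


def foreign_user_ids(token, response):
    """IDs returned by queryUser that do not belong to the token's USER.

    An empty list means the @auth rule held. Raises if the token has no
    USER claim or the response has errors or no data, so a broken test
    setup is never mistaken for a pass.
    """
    user = jwt_claims(token).get("USER")
    if not user:
        raise ValueError("token has no USER claim")
    if response.get("errors") or response.get("data") is None:
        raise ValueError("response has errors or no data")
    rows = response["data"].get("queryUser") or []
    return [row["id"] for row in rows if row["id"] != user]


def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data: a token for user 0x2 and two responses, one as the
# rule intends and one showing the behaviour reported in the thread.
TOKEN = ".".join([_b64({"alg": "HS256", "typ": "JWT"}),
                  _b64({NAMESPACE: {"USER": "0x2"}}), "sig"])
EXPECTED = {"data": {"queryUser": [{"id": "0x2", "name": "alice"}]}}
LEAKING = {"data": {"queryUser": [{"id": "0x2", "name": "alice"},
                                  {"id": "0x3", "name": "bob"}]}}

if __name__ == "__main__":
    print(foreign_user_ids(TOKEN, EXPECTED))
    print(foreign_user_ids(TOKEN, LEAKING))
```

Run against a test backend after every schema change or version upgrade, a non-empty result means the rule is not restricting `queryUser` to the caller.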