This is not true, and I have auth rules and examples in use to back up my statement. If you can provide a schema/rules/data/token that proves your point, then you have found a security bug and it needs to be fixed. In my schema I have:
# Contact carries its own @auth rule (per the author; the rule itself is not shown in this excerpt).
type Contact {
id: ID
# ACL is not defined in this excerpt; per the author, the auth rules use it to decide who may read this node.
access: [ACL]
# Per the author, each nested Note is checked against Note's own rule: being able to read a Contact
# does not imply being able to read every one of its notes.
notes: [Note]
}
# Note carries its own @auth rule (per the author; the rule itself is not shown in this excerpt).
type Note {
id: ID
# ACL is not defined in this excerpt; per the author, the auth rules use it to decide who may read this node.
access: [ACL]
content: String
# Per the author, a user who can read a Note may still be denied the related Contact,
# because the Contact is checked against Contact's own rule.
forContact: Contact
}
I have auth rules on both Contact and Note that use the ACL type (not defined here) to decide who has access to the data. I have users who can access notes but cannot see the related contact, and users who can access contacts but cannot see all of the nested notes.
Can you provide a small working setup that exemplifies the problem?
Example showing that this works as intended on v20.11.2-rc1-16-g4d041a3a:
Schema
# Query rule: an A node is readable only if it is matched by queryA(filter: {isPublic: true}).
# Only `query` is constrained; this @auth declares no add/update/delete rule.
# NOTE(review): Dgraph permits an operation that has no rule, so writes to A are presumably
# unrestricted here. Confirm that is intended before reusing this schema.
type A @auth(
query: { rule: "query { queryA(filter: {isPublic: true}) { id } }" }
) {
id: ID!
# @search makes isPublic filterable, which the auth rule's filter relies on.
isPublic: Boolean! @search
name: String
# Edge to B, declared as the inverse of B.parents. B nodes reached through it are still subject
# to B's own query rule (see the query results: Foo's children omit the non-public Baz).
children: [B] @hasInverse(field: "parents")
}
# Query rule: a B node is readable only if it is matched by queryB(filter: {isPublic: true}).
# Only `query` is constrained; this @auth declares no add/update/delete rule.
# NOTE(review): Dgraph permits an operation that has no rule, so writes to B are presumably
# unrestricted here. Confirm that is intended before reusing this schema.
type B @auth(
query: { rule: "query { queryB(filter: {isPublic: true}) { id } }" }
) {
id: ID!
# @search makes isPublic filterable, which the auth rule's filter relies on.
isPublic: Boolean! @search
name: String
# Edge back to A. A nodes reached through it are still subject to A's own query rule
# (see the query results: Corge's parents list is empty because Qux is non-public).
parents: [A]
}
Mutation
# Seed data: two A nodes with three nested B nodes, covering public parent/public child,
# public parent/non-public child, and non-public parent/public child.
# The schema above declares no add rule on A or B, so this mutation is presumably not auth-checked.
mutation {
addA(input: [
{
name: "Foo",
isPublic: true,
children: [{
isPublic: true,
name: "Bar"
},{
# Non-public child of a public parent: must not be returned under Foo's children.
isPublic: false,
name: "Baz"
}]
},
{
# Non-public parent of a public child: must not be returned under Corge's parents.
isPublic: false,
name: "Qux",
children: [{
isPublic: true,
name: "Corge"
}]
}
]) { numUids }
}
Results
{
"data": {
"addA": {
"numUids": 5
}
},
"extensions": {
"touched_uids": 28,
"tracing": {
"version": 1,
"startTime": "2021-05-28T19:31:42.914002332Z",
"endTime": "2021-05-28T19:31:42.917496912Z",
"duration": 3494580,
"execution": {
"resolvers": [
{
"path": [
"addA"
],
"parentType": "Mutation",
"fieldName": "addA",
"returnType": "AddAPayload",
"startOffset": 143838,
"duration": 3334336,
"dgraph": [
{
"label": "mutation",
"startOffset": 221981,
"duration": 1901138
},
{
"label": "query",
"startOffset": 2819439,
"duration": 642045
}
]
}
]
}
}
}
}
Query
# Reads the A-B relationship from both sides with no filter arguments, so anything missing from
# the response was removed by the @auth query rules rather than by the query itself.
query {
# Top-level A nodes, each with its nested B children.
queryA {
id
name
children {
id
name
}
}
# Top-level B nodes, each with its nested A parents.
queryB {
id
name
parents {
id
name
}
}
}
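Results (the non-public nodes Baz and Qux are absent, both at the top level and where they would appear nested: Foo's children omit Baz, and Corge's parents list is empty)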
{
"data": {
"queryA": [
{
"id": "0x249f9",
"name": "Foo",
"children": [
{
"id": "0x249f8",
"name": "Bar"
}
]
}
],
"queryB": [
{
"id": "0x249f8",
"name": "Bar",
"parents": [
{
"id": "0x249f9",
"name": "Foo"
}
]
},
{
"id": "0x249fb",
"name": "Corge",
"parents": []
}
]
},
"extensions": {
"touched_uids": 43,
"tracing": {
"version": 1,
"startTime": "2021-05-28T19:33:10.622222559Z",
"endTime": "2021-05-28T19:33:10.624695245Z",
"duration": 2472707,
"execution": {
"resolvers": [
{
"path": [
"queryA"
],
"parentType": "Query",
"fieldName": "queryA",
"returnType": "[A]",
"startOffset": 168882,
"duration": 2241614,
"dgraph": [
{
"label": "query",
"startOffset": 258206,
"duration": 2109198
}
]
},
{
"path": [
"queryB"
],
"parentType": "Query",
"fieldName": "queryB",
"returnType": "[B]",
"startOffset": 151451,
"duration": 2075325,
"dgraph": [
{
"label": "query",
"startOffset": 229186,
"duration": 1952906
}
]
}
]
}
}
}
}