@auth rules filtering on id allows access to any resource

When I create an auth rule using an extremely basic traversal filtering on the id of the entity itself, the result is that all resources of that entity type are allowed.

type Thing @auth(query: { rule: """
  query ($THING_ID) {
    queryThing (filter: { id: [$THING_ID] }) { id }
  }
"""}) {
  id: String!
  property: String
}

Expected behavior:
This should mean that as long as THING_ID is one of the auth claims in the token, this should grant access to only the Thing which has the id with the value of THING_ID.

Actual behavior:
All Thing resources are able to be accessed. When the rule is combined using or with other (functioning) restrictive rules, it removes all restrictions, granting access to all Things.

Other notes:
I noticed that this was supposedly fixed for v21.03, but that is the version I’m using, and it doesn’t seem to be fixed.

EDIT: I mistyped above earlier. I did, in fact, specify the rule for query, add, update, and delete. It does not work. I should mention that I have created other complicated sets of @auth rules which work well. This particular one, which is much simpler than most of my rules, does not work.

You have to set the type of rule, query, i.e.

https://dgraph.io/docs/graphql/authorization/directive


Thank you. I actually had that in my code, I just forgot it here, as I didn’t copy-paste. I’ve got lots of more complicated auth traversals which function as expected. It’s this particular one, which should be incredibly straightforward, that does not work. There was some other issue which mentions a similar problem. Dgraph knew about it and claimed to have fixed it in v21.03, but this doesn’t work as expected for me.
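A regression check for the behavior the first post expects, added here as an example (it is not code from the thread or from Dgraph): given the test token and a captured queryThing response, it lists every id returned beyond the token's THING_ID. The claim namespace, signing secret and sample responses are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Assumptions for this example (none of these values come from the thread):
NAMESPACE = "https://example.test/jwt/claims"   # claim namespace
SECRET = b"constructed-test-secret"             # HS256 key for test tokens

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(thing_id: str) -> str:
    """Build an HS256 test JWT carrying THING_ID under the namespace."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({NAMESPACE: {"THING_ID": thing_id}}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def claimed_thing_id(token: str) -> str:
    """Verify the signature, then return the THING_ID claim."""
    header, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))[NAMESPACE]["THING_ID"]

def overexposed_ids(token: str, response: dict) -> list:
    """Ids in a queryThing response that the token's THING_ID does not cover."""
    allowed = claimed_thing_id(token)
    rows = (response.get("data") or {}).get("queryThing") or []
    return sorted(row["id"] for row in rows if row["id"] != allowed)

# Constructed responses: what the rule should return, and what the post reports.
EXPECTED = {"data": {"queryThing": [{"id": "thing-1"}]}}
REPORTED = {"data": {"queryThing": [{"id": "thing-1"}, {"id": "thing-2"},
                                    {"id": "thing-3"}]}}

if __name__ == "__main__":
    token = make_token("thing-1")
    print("expected response, extra ids:", overexposed_ids(token, EXPECTED))
    print("reported response, extra ids:", overexposed_ids(token, REPORTED))
```

Run against live responses, a non-empty result after a schema change or upgrade means the rule is returning Things outside the claim.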