[Bug] Auth rules of parent not respected when child with `hasInverse` is added

Found on v20.11.2

Schema:

type Foo
  @auth(
    add: { rule: "{$ROLE: { eq: \"ADMIN\" }}" }
    delete: { rule: "{$ROLE: { eq: \"ADMIN\" }}" }
    update: { rule: "{$ROLE: { eq: \"ADMIN\" }}" }
  ) {
  id: String! @id
  blas: [Bla!]! @hasInverse(field: foo)
}

type Bla {
  foo: Foo
}

# Dgraph.Authorization {"VerificationKey":"totallysecret","Header":"Auth","Namespace":"lol","Algo":"HS256"}

Add Foo using Admin-Token:

mutation {
  addFoo(input: [
    {
      id: "1234"
      blas: []
    }
  ]) {
    numUids
  }
}

Add Bla using User-Token:

mutation {
  addBla(input: [
    {
      foo: {id: "1234"}
    }
  ]) {
    numUids
  }
}

Query Foo and see that foo was updated with new data:

query {
  queryFoo {
    blas {
      __typename
    }
  }
}

Admin-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IkFETUlOIiwiVVNFUk5BTUUiOiJhZG1pbiJ9LCJpYXQiOjE1MTYyMzkwMjJ9.9KgpRXR-OhOBiw7Ay-VTqhitIjtHKW_Fj6cmjIO3dAo

User-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IlVTRVIiLCJVU0VSTkFNRSI6InVzZXIifSwiaWF0IjoxNTE2MjM5MDIyfQ._3dQECNABiKoE3lptCDaw5xCKMTxSeewak1Mzc2wUCE

Expected Behaviour:

Update-Rules of parent should be respected when an inverse connection exists.

Could anyone reproduce this?

It’s a security issue!
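To make the expected check concrete, here is an added model of the authorization decision (my own example, not Dgraph's code): because `Bla.foo` is the inverse of `Foo.blas`, an `addBla` that sets `foo` also rewrites `Foo.blas`, so `Foo`'s `update` rule must pass for the caller's JWT. The `AUTH` and `INVERSE` tables, the `required_checks` and `authorize` functions, and the two tokens are all constructed here; the tokens are signed with the schema's key `totallysecret` using only the standard library, and the rule `{$ROLE: {eq: "ADMIN"}}` is reduced to a claim-equality check.

```python
import base64, hashlib, hmac, json

# Constructed model, not Dgraph source: the schema's rule {$ROLE: {eq: "ADMIN"}}
# is reduced to "claim ROLE must equal ADMIN" for each guarded operation.
KEY, NAMESPACE = "totallysecret", "lol"   # from the Dgraph.Authorization line
AUTH = {"Foo": {"add": "ADMIN", "update": "ADMIN", "delete": "ADMIN"}, "Bla": {}}
# @hasInverse edges: (child type, child field) -> parent type whose list field
# (Foo.blas) is rewritten whenever the child field (Bla.foo) is set.
INVERSE = {("Bla", "foo"): "Foo"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: str) -> str:
    """Mint an HS256 JWT with the stdlib (stands in for the thread's pasted tokens)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify_hs256(token: str, key: str) -> dict:
    """Return the claims only if the signature checks out under HS256."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # no alg switching
    mac = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def required_checks(op: str, typename: str, node: dict) -> list:
    """All (type, operation) rules a mutation must pass, inverse parents included."""
    checks = [(typename, op)]
    for field in node:
        parent = INVERSE.get((typename, field))
        if parent:   # setting the inverse edge is an update of the parent
            checks.append((parent, "update"))
    return checks

def authorize(token: str, op: str, typename: str, node: dict) -> list:
    """Return the rules that FAIL for this caller; an empty list means allowed."""
    role = verify_hs256(token, KEY).get(NAMESPACE, {}).get("ROLE")
    return [(t, o) for t, o in required_checks(op, typename, node)
            if o in AUTH.get(t, {}) and AUTH[t][o] != role]

ADMIN = sign_hs256({NAMESPACE: {"ROLE": "ADMIN", "USERNAME": "admin"}}, KEY)
USER = sign_hs256({NAMESPACE: {"ROLE": "USER", "USERNAME": "user"}}, KEY)
```

With the thread's sequence, `authorize(USER, "add", "Bla", {"foo": {"id": "1234"}})` reports `("Foo", "update")` as the failing rule, which is the rejection the reporter expected and did not get.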

Hi @maaft, I reproduced it. Looks like a bug to me. Accepting it.


Hi! How is the progress?

Hi @maaft, we will work on this in the next sprint. Thanks.


Did this ever get added to this list of bugs? I can’t seem to find that it was ever fixed in either 21.03 or 21.12. I just wanted to make sure it is in the backlog somewhere…

That being said, this should not be fixed until field-level-auth is fixed, as it can work as a work-around for some situations.

I do feel it is a bug, as it can be a security hole for people that don’t use the hack.

J


I would say this “bug” should not be fixed until field level auth is developed, or else it will break normal operation for many many users!
