API 平台 GraphQL 安全性
[英]API Platform GraphQL security
问题描述
So I'm using API platform in my Symfony 4 project, and I've read that it supports graphQl, so I set up an access control in security.yml to allow users to access graphQl API:
所以我在我的 Symfony 4 项目中使用 API 平台,并且我读到它支持 graphQl,所以我在 security.yml 中设置了一个访问控制以允许用户访问 graphQl API:
- { path: ^/api/graphql, roles: IS_AUTHENTICATED_ANONYMOUSLY }
And in each entity I have access controls for itemOperations and collectinOperations.在每个实体中,我都有对 itemOperations 和 collectinOperations 的访问控制。 Example:例子:
* @ApiResource(
* itemOperations={
* "get"={
* "access_control"="is_granted('ROLE_ADMIN')"
* }
* },
* collectionOperations={
* "get"={
* "access_control"="is_granted('ROLE_ADMIN')"
* }
* }
* )
But issue is, any user can access this entity through graphQL, because graphQL ignores the access controls for these operations.但问题是,任何用户都可以通过 graphQL 访问该实体,因为 graphQL 会忽略这些操作的访问控制。 Is there a way to force graphQL to follow these rules?有没有办法强制 graphQL 遵循这些规则?
1 个解决方案
解决方案1
1 已采纳 2020-01-14 10:00:56
itemOperations and collectionOperations are not related to GraphQL but only to REST. itemOperations和collectionOperations与 GraphQL 无关,而仅与 REST 相关。
You need to add access controls in GraphQL operations or, if you want to target REST and GraphQL (without distinguishing operations though), you can add it as an attribute .您需要在 GraphQL 操作中添加访问控制,或者,如果您想针对 REST和GraphQL(尽管不区分操作),您可以将其添加为attribute 。
Also, access_control is deprecated.此外,不推荐使用access_control 。 You should use security instead.您应该改用security 。
You can also read this documentation: https://api-platform.com/docs/core/graphql/#security您还可以阅读此文档: https : //api-platform.com/docs/core/graphql/#security
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.