fix: :lock: Filter private user fields in graphql responses #242
Tim Izzo tim@octree.ch
Wed, 31 Aug 2022 11:26:59 +0200
2 files changed,
55 insertions(+),
0 deletions(-)
M
backend/src/graphql/index.ts
→
backend/src/graphql/index.ts
@@ -3,6 +3,7 @@ import eventExtensions from "./event";
 import userExtensions from "./user";
 import travelExtensions from "./travel";
 import vehicleExtensions from "./vehicle";
+import passengerExtensions from "./passenger";
 
 export default ({ strapi }) => {
   const extService = strapi.plugin("graphql").service("extension");
@@ -11,6 +12,7 @@ eventExtensions.forEach(extService.use);
   userExtensions.forEach(extService.use);
   travelExtensions.forEach(extService.use);
   vehicleExtensions.forEach(extService.use);
+  passengerExtensions.forEach(extService.use);
 
   // Disable shadow CRUD
   /// Fields
A
backend/src/graphql/passenger/index.ts
@@ -0,0 +1,53 @@
+export default [
+  ({ nexus, strapi }) => ({
+    resolvers: {
+      Passenger: {
+        // Filter user private fields in passenger lists
+        user: {
+          async resolve(parent) {
+            const passenger = await strapi.entityService.findOne(
+              "api::passenger.passenger",
+              parent.id,
+              { populate: ["user"] }
+            );
+            const user = passenger?.user;
+            if (!user) return null;
+
+            return {
+              value: {
+                id: user.id,
+                firstName: user.firstName,
+                lastName: user.lastName,
+                lang: user.lang,
+              },
+            };
+          },
+        },
+      },
+      UsersPermissionsUser: {
+        // Filter user vehicles if not for profile fetching
+        vehicles: {
+          async resolve(queriedUser, args, _context, query) {
+            if (query.path.prev.key !== "profile") return null;
+
+            const user = await strapi.entityService.findOne(
+              "plugin::users-permissions.user",
+              queriedUser.id,
+              { populate: ["vehicles"] }
+            );
+            if (!user?.vehicles) return null;
+
+            const { toEntityResponseCollection } = strapi
+              .plugin("graphql")
+              .service("format").returnTypes;
+
+            return toEntityResponseCollection(user.vehicles, {
+              args,
+              resourceUID: "api::vehicle.vehicle",
+            });
+          },
+        },
+      },
+    },
+  }),
+];
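Review bot: The `vehicles` gate `if (query.path.prev.key !== "profile") return null;` keys on the GraphQL response path, and a path key is the client-chosen alias, so the check decides by how the client named the parent selection rather than by who is asking: a legitimate `profile` query issued under another alias gets `null`, while any selection a client aliases `profile` that resolves to a `UsersPermissionsUser` would satisfy it. An identity check is the sturdier gate — name the third parameter `context`, then `const viewer = context.state?.user;` and `if (!viewer || viewer.id !== queriedUser.id) return null;` — assuming, as in Strapi's koa-backed resolvers, the authenticated user is exposed as `context.state.user` (confirm against this project's auth setup). `query.path.prev` should also be read with `?.` so a resolver invoked without a parent path cannot throw instead of returning `null`. The `Passenger.user` allowlist above is the right shape; it only wants a comment such as `// Allowlist: any field added here is visible to every passenger list` so the next maintainer does not casually widen it.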