MCPcopy
hub / github.com/dgraph-io/dgraph / authorizeMutation

Function authorizeMutation

edgraph/access.go:787–859  ·  view source on GitHub ↗

authorizeMutation authorizes the mutation using the worker.AclCachePtr. It will return permission denied error if any one of the predicates in mutation(set or delete) is unauthorized. At this stage, namespace is not attached in the predicates.

(ctx context.Context, gmu *dql.Mutation)

Source from the content-addressed store, hash-verified

785// denied error if any one of the predicates in mutation(set or delete) is unauthorized.
786// At this stage, namespace is not attached in the predicates.
787func authorizeMutation(ctx context.Context, gmu *dql.Mutation) error {
788 if worker.Config.AclSecretKey == nil {
789 // the user has not turned on the acl feature
790 return nil
791 }
792
793 preds := parsePredsFromMutation(gmu.Set)
794 // Del predicates weren't included before.
795 // A bug probably since f115de2eb6a40d882a86c64da68bf5c2a33ef69a
796 preds = append(preds, parsePredsFromMutation(gmu.Del)...)
797
798 var userId string
799 var groupIds []string
800 // doAuthorizeMutation checks if modification of all the predicates are allowed
801 // as a byproduct, it also sets the userId and groups
802 doAuthorizeMutation := func() error {
803 userData, err := extractUserAndGroups(ctx)
804 if err != nil {
805 // We don't follow fail open approach anymore.
806 return status.Error(codes.Unauthenticated, err.Error())
807 }
808
809 userId = userData.userId
810 groupIds = userData.groupIds
811
812 if x.IsSuperAdmin(groupIds) {
813 // Members of guardians group are allowed to mutate anything
814 // (including delete) except the permission of the acl predicates.
815 switch {
816 case isAclPredMutation(gmu.Set):
817 return errors.Errorf("the permission of ACL predicates can not be changed")
818 case isAclPredMutation(gmu.Del):
819 return errors.Errorf("ACL predicates can't be deleted")
820 }
821 if !shouldAllowAcls(userData.namespace) {
822 for _, pred := range preds {
823 if x.IsAclPredicate(pred) {
824 return status.Errorf(codes.PermissionDenied,
825 "unauthorized to mutate acl predicates: %s\n", pred)
826 }
827 }
828 }
829 return nil
830 }
831 result := authorizePreds(ctx, userData, preds, acl.Write)
832 if len(result.blocked) > 0 {
833 var msg strings.Builder
834 for key := range result.blocked {
835 x.Check2(msg.WriteString(key))
836 x.Check2(msg.WriteString(" "))
837 }
838 return status.Errorf(codes.PermissionDenied,
839 "unauthorized to mutate following predicates: %s\n", msg.String())
840 }
841 gmu.AllowedPreds = result.allowed
842 return nil
843 }
844

Callers 1

authorizeRequestFunction · 0.85

Calls 11

IsSuperAdminFunction · 0.92
IsAclPredicateFunction · 0.92
Check2Function · 0.92
parsePredsFromMutationFunction · 0.85
extractUserAndGroupsFunction · 0.85
isAclPredMutationFunction · 0.85
shouldAllowAclsFunction · 0.85
authorizePredsFunction · 0.85
ErrorMethod · 0.45
ErrorfMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected