hub / github.com/dgraph-io/dgraph / authorizeSchemaQuery

Function authorizeSchemaQuery

edgraph/access.go:1049–1116  ·  view source on GitHub ↗
(ctx context.Context, er *query.ExecutionResult)

Source from the content-addressed store, hash-verified

1047}
1048
1049func authorizeSchemaQuery(ctx context.Context, er *query.ExecutionResult) error {
1050 if worker.Config.AclSecretKey == nil {
1051 // the user has not turned on the acl feature
1052 return nil
1053 }
1054
1055 // find the predicates being sent in response
1056 preds := make([]string, 0)
1057 predsMap := make(map[string]struct{})
1058 for _, predNode := range er.SchemaNode {
1059 preds = append(preds, predNode.Predicate)
1060 predsMap[predNode.Predicate] = struct{}{}
1061 }
1062 for _, typeNode := range er.Types {
1063 for _, field := range typeNode.Fields {
1064 if _, ok := predsMap[field.Predicate]; !ok {
1065 preds = append(preds, field.Predicate)
1066 }
1067 }
1068 }
1069
1070 doAuthorizeSchemaQuery := func() (map[string]struct{}, error) {
1071 userData, err := extractUserAndGroups(ctx)
1072 if err != nil {
1073 return nil, status.Error(codes.Unauthenticated, err.Error())
1074 }
1075
1076 groupIds := userData.groupIds
1077 if x.IsSuperAdmin(groupIds) {
1078 if shouldAllowAcls(userData.namespace) {
1079 // Members of guardian groups are allowed to query anything.
1080 return nil, nil
1081 }
1082 return blockedPreds(preds), nil
1083 }
1084 result := authorizePreds(ctx, userData, preds, acl.Read)
1085 return result.blocked, nil
1086 }
1087
1088 // find the predicates which are blocked for the schema query
1089 blockedPreds, err := doAuthorizeSchemaQuery()
1090 if err != nil {
1091 return err
1092 }
1093
1094 // remove those predicates from response
1095 if len(blockedPreds) > 0 {
1096 respPreds := make([]*pb.SchemaNode, 0)
1097 for _, predNode := range er.SchemaNode {
1098 if _, ok := blockedPreds[predNode.Predicate]; !ok {
1099 respPreds = append(respPreds, predNode)
1100 }
1101 }
1102 er.SchemaNode = respPreds
1103
1104 for _, typeNode := range er.Types {
1105 respFields := make([]*pb.SchemaUpdate, 0)
1106 for _, field := range typeNode.Fields {

Callers 1

processQueryFunction · 0.85

Calls 6

IsSuperAdminFunction · 0.92
extractUserAndGroupsFunction · 0.85
shouldAllowAclsFunction · 0.85
blockedPredsFunction · 0.85
authorizePredsFunction · 0.85
ErrorMethod · 0.45

Tested by

no test coverage detected