newReservedPredicateGuard builds the per-request reserved-value guard. The GraphQL admin path (IsGraphql) owns the dgraph.graphql.* predicates. A registered ReservedNamespace may additionally value-lock predicates to its own trusted writer (see x.RegisterReservedNamespace): such a predicate may be w
(ctx context.Context)
| 2289 | // written only when the request context carries the namespace's TrustMarker. |
| 2290 | // Every other caller is blocked. |
| 2291 | func newReservedPredicateGuard(ctx context.Context) reservedPredicateGuard { |
| 2292 | isGraphql, _ := ctx.Value(IsGraphql).(bool) |
| 2293 | return func(nq *api.NQuad) error { |
| 2294 | if !isGraphql && x.IsOtherReservedPredicate(nq.Predicate) { |
| 2295 | return errors.Errorf("Cannot mutate graphql reserved predicate %s", nq.Predicate) |
| 2296 | } |
| 2297 | if marker, locked := x.ReservedPredicateValueLock(nq.Predicate); locked { |
| 2298 | trusted := false |
| 2299 | if marker != nil { |
| 2300 | trusted, _ = ctx.Value(marker).(bool) |
| 2301 | } |
| 2302 | if !trusted { |
| 2303 | return errors.Errorf("Cannot mutate reserved predicate %s outside its "+ |
| 2304 | "owning service", nq.Predicate) |
| 2305 | } |
| 2306 | } |
| 2307 | return nil |
| 2308 | } |
| 2309 | } |
| 2310 | |
| 2311 | func validateNQuads(set, del []*api.NQuad, guardReserved reservedPredicateGuard) error { |
| 2312 | for _, nq := range set { |
no test coverage detected