barnabasj

Postgres Queries have wrong where clause

Recently, some of our read actions have not been returning the correct data. The queries that are logged have an obviously wrong WHERE clause:

SELECT c0."id", c0."first_name", c0."last_name", c0."title", c0."legal_entity_name", c0."is_legal_entity" FROM "contact" AS c0 WHERE (false) []


The clause should be c0."id" = ? with the id in the parameter list

This is the resource; we query it through the current_user GraphQL query:

defmodule Demo.Auth.Resources.User do
  @moduledoc """
  The Logged in User
  """
  # Ash resource for the authenticated user, stored in Postgres and exposed over
  # GraphQL. Demo.AuditedResource is a project wrapper that is not shown here;
  # presumably it supplies the `rbac` and `audit` sections used below (confirm).
  use Demo.AuditedResource,
    data_layer: AshPostgres.DataLayer,
    extensions: [AshGraphql.Resource]

  attributes do
    # NOTE(review): generated?: false is passed explicitly; confirm where this id
    # comes from, because the read policy below only matches the row whose id
    # equals the actor's :id.
    uuid_primary_key :id, generated?: false

    attribute :email, :string
    attribute :email_confirmed_at, :utc_datetime

    # Plain uuid column backing the :contact relationship declared further down.
    attribute :contact_id, :uuid

    # Project-defined type; its definition is not part of this listing.
    attribute :features, Demo.Auth.Resources.User.Features

    #  attribute :roles, {:array, :atom}

    create_timestamp :inserted_at
    update_timestamp :updated_at
  end

  # Project-specific role section. NOTE(review): looks like :admin bypasses the
  # role checks and :user is limited to the listed fields; confirm in
  # Demo.AuditedResource, and confirm how this combines with the `policies` block,
  # since both may contribute to the filter that ends up in the SQL.
  rbac do
    bypass(:admin)
    role(:user, [:id, :email, :email_confirmed_at, :contact, :contact_id, :features])
  end

  # Both audit options are set to false for this resource (presumably switching
  # off actor and timestamp tracking; confirm against the audit extension).
  audit do
    actors?(false)
    timestamps?(false)
  end

  # GraphQL type :user with a single read_one query wired to the :current_user
  # read action defined in `actions`.
  graphql do
    type :user

    queries do
      read_one :user, :current_user
    end
  end

  relationships do
    # The contact lives in a different API and is marked non-filterable.
    # NOTE(review): the query in the report selects from "contact", so loading this
    # relationship is presumably subject to the Contact resource's own
    # authorization rules, which are not shown here; check those as well.
    belongs_to :contact, Demo.CustomerService.Resources.Contact do
      filterable? false
      api Demo.CustomerService.Api
    end
  end

  actions do
    defaults [:read, :create, :update]

    # get? true: the action is expected to return a single record.
    read :current_user do
      get? true
    end
  end

  policies do
    # One policy that applies to every action (`always()`), which includes the
    # default :read, :create and :update declared above.
    policy always() do
      # Reject any request made without an actor.
      forbid_unless(actor_present())

      # Allow only the row whose id equals the actor's :id, cast to a UUID.
      # NOTE(review): on reads this check is presumably applied as a query filter;
      # if so, an actor without a usable :id would match no rows. Confirm which
      # actor reaches this policy when the logged WHERE clause is `false`.
      authorize_if(expr(id == type(^actor(:id), Ash.Type.UUID)))

      # Explicit deny for anything the checks above did not authorize.
      forbid_if(always())
    end
  end

  # Stored through Demo.Repo in the "user" table.
  postgres do
    repo Demo.Repo
    table "user"
  end
end


We could also observe this behaviour when loading a has_one relationship

Versions:

ash: 06329b97cf531b6b585630638028233a48a7fa0b
ash_graphql: c70e7dec7dac1aac7fd40a67b51a6d61d67f9d41
ash_postgres: 9e31f905861c8f97bb2b54fd8604eb362391e675