@@ -158,6 +158,7 @@ private async Task ExecuteAsync(HttpContext context)
options.OperationName = request.OperationName;
options.Variables = request.Variables;
options.UserContext = _settings.BuildUserContext?.Invoke(context);
options.User = context.User;
options.ValidationRules = DocumentValidator.CoreRules
.Concat(context.RequestServices.GetServices<IValidationRule>())
.Append(new ComplexityValidationRule(new ComplexityOptions
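Review bot: The `options.User = context.User;` assignment (apparently the added line; the +/- markers are lost on this page) is the principal that resolvers now authorize against through `IResolveFieldContext.User`, and nothing at this site says so. A short comment such as `// Resolvers authorize against IResolveFieldContext.User; this must mirror HttpContext.User.` would keep it from being dropped in a later refactor. Any other code path that builds ExecutionOptions would presumably need the same assignment, otherwise resolvers would see a null user. ExecuteAsync starts and ends outside the hunk.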
@@ -2,25 +2,19 @@
using GraphQL.Resolvers;
using GraphQL.Types;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Localization;
using OrchardCore.Apis.GraphQL;
using OrchardCore.ContentManagement.GraphQL.Queries.Types;
using ContentsCommonPermissions = OrchardCore.Contents.CommonPermissions;

namespace OrchardCore.ContentManagement.GraphQL.Queries;

public sealed class ContentItemQuery : ISchemaBuilder
{
private readonly IHttpContextAccessor _httpContextAccessor;

internal readonly IStringLocalizer S;

public ContentItemQuery(IHttpContextAccessor httpContextAccessor,
IStringLocalizer<ContentItemQuery> localizer)
public ContentItemQuery(IStringLocalizer<ContentItemQuery> localizer)
{
_httpContextAccessor = httpContextAccessor;
S = localizer;
}

@@ -53,10 +47,9 @@ public Task BuildAsync(ISchema schema)

private async ValueTask<ContentItem> ResolveAsync(IResolveFieldContext context)
{
var httpContext = _httpContextAccessor.HttpContext;
var contentItemId = context.GetArgument<string>("contentItemId");
var contentManager = httpContext.RequestServices.GetRequiredService<IContentManager>();
var authorizationService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
var contentManager = context.RequestServices.GetService<IContentManager>();
var authorizationService = context.RequestServices.GetService<IAuthorizationService>();

var contentItem = await contentManager.GetAsync(contentItemId);

@@ -65,8 +58,9 @@ private async ValueTask<ContentItem> ResolveAsync(IResolveFieldContext context)
return null;
}

if (!await authorizationService.AuthorizeAsync(httpContext.User, ContentsCommonPermissions.ViewContent, contentItem))
if (!await authorizationService.AuthorizeAsync(context.User, Contents.CommonPermissions.ViewContent, contentItem))
{
// Return null if the user doesn't have permission to view the content item, so that it doesn't appear in the GraphQL response.
return null;
}
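Review bot: In ResolveAsync, the two lookups through `context.RequestServices.GetService<…>()` (these look like the new side; the page has lost the +/- markers) return null when a service is not registered or `RequestServices` was never set, so a misconfiguration surfaces as a NullReferenceException at `contentManager.GetAsync` or `authorizationService.AuthorizeAsync` instead of a clear error. Keeping the required form, `var authorizationService = context.RequestServices.GetRequiredService<IAuthorizationService>();` and the same for `IContentManager`, preserves the earlier fail-fast behaviour. The permission check now also depends on `context.User`, which is populated only when the executing code sets `options.User`; a comment or guard stating that a null user must be treated as unauthenticated would make that dependency explicit. Parts of ResolveAsync lie outside the visible hunks.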
