
Commit 05dbbcc

committed
fix: use quoteIdent() for all hardcoded identifier quotes in sql-generator
1 parent 438d50c commit 05dbbcc

1 file changed

Lines changed: 16 additions & 16 deletions

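--- a/graphile/graphile-authz/src/evaluators/sql-generator.ts
+++ b/graphile/graphile-authz/src/evaluators/sql-generator.ts
@@ -281,23 +281,23 @@ function generatePermissionConditions(
 // Single permission - would need to resolve to bit position
 // For now, use a placeholder that can be resolved at runtime
 conditions.push(
-`(${sprtAlias}."permissions" & get_permission_mask('${payload.permission}')) = get_permission_mask('${payload.permission}')`
+`(${sprtAlias}.${quoteIdent('permissions')} & get_permission_mask('${payload.permission}')) = get_permission_mask('${payload.permission}')`
 );
 } else if (payload.permissions && payload.permissions.length > 0) {
 // Multiple permissions (ORed together)
 const permList = payload.permissions.map((p) => `'${p}'`).join(', ');
 conditions.push(
-`(${sprtAlias}."permissions" & get_permission_mask(ARRAY[${permList}])) = get_permission_mask(ARRAY[${permList}])`
+`(${sprtAlias}.${quoteIdent('permissions')} & get_permission_mask(ARRAY[${permList}])) = get_permission_mask(ARRAY[${permList}])`
 );
 }
 
 // Admin/owner checks
 const adminOwnerConditions: string[] = [];
 if (payload.is_admin) {
-adminOwnerConditions.push(`${sprtAlias}."is_admin" = TRUE`);
+adminOwnerConditions.push(`${sprtAlias}.${quoteIdent('is_admin')} = TRUE`);
 }
 if (payload.is_owner) {
-adminOwnerConditions.push(`${sprtAlias}."is_owner" = TRUE`);
+adminOwnerConditions.push(`${sprtAlias}.${quoteIdent('is_owner')} = TRUE`);
 }
 
 if (adminOwnerConditions.length > 0) {
@@ -323,7 +323,7 @@ function generateMembership(
 const sprtAlias = 'sprt';
 
 const conditions = [
-`${sprtAlias}."actor_id" = ${opts.currentUserIdFunc}`,
+`${sprtAlias}.${quoteIdent('actor_id')} = ${opts.currentUserIdFunc}`,
 ...generatePermissionConditions(payload, sprtAlias),
 ];
 
@@ -344,11 +344,11 @@ function generateMembershipByField(
 const sprtAlias = 'sprt';
 
 const conditions = [
-`${sprtAlias}."actor_id" = ${opts.currentUserIdFunc}`,
+`${sprtAlias}.${quoteIdent('actor_id')} = ${opts.currentUserIdFunc}`,
 ...generatePermissionConditions(payload, sprtAlias),
 ];
 
-const sql = `${colRef(payload.entity_field, opts)} = ANY (SELECT ${sprtAlias}."entity_id" FROM ${sprtTable} AS ${sprtAlias} WHERE ${conditions.join(' AND ')})`;
+const sql = `${colRef(payload.entity_field, opts)} = ANY (SELECT ${sprtAlias}.${quoteIdent('entity_id')} FROM ${sprtTable} AS ${sprtAlias} WHERE ${conditions.join(' AND ')})`;
 return { sql };
 }
 
@@ -391,14 +391,14 @@ function generateMembershipByJoin(
 }
 
 const conditions = [
-`${sprtAlias}."actor_id" = ${opts.currentUserIdFunc}`,
+`${sprtAlias}.${quoteIdent('actor_id')} = ${opts.currentUserIdFunc}`,
 ...generatePermissionConditions(payload, sprtAlias),
 ];
 
 const sql = `${colRef(payload.entity_field, opts)} = ANY (
 SELECT ${joinAlias}.${quoteIdent(payload.entity_field)}
 FROM ${sprtTable} AS ${sprtAlias}
-JOIN ${joinTable} AS ${joinAlias} ON ${sprtAlias}."entity_id" = ${joinAlias}.${joinField}
+JOIN ${joinTable} AS ${joinAlias} ON ${sprtAlias}.${quoteIdent('entity_id')} = ${joinAlias}.${joinField}
 WHERE ${conditions.join(' AND ')}
 )`;
 
@@ -421,21 +421,21 @@ function generateOrgHierarchy(
 if (payload.direction === 'down') {
 // Manager sees subordinates: current user is ancestor, row's anchor is descendant
 conditions = [
-`${hAlias}."entity_id" = ${colRef(entityField, opts)}`,
-`${hAlias}."ancestor_id" = ${opts.currentUserIdFunc}`,
-`${hAlias}."descendant_id" = ${colRef(payload.anchor_field, opts)}`,
+`${hAlias}.${quoteIdent('entity_id')} = ${colRef(entityField, opts)}`,
+`${hAlias}.${quoteIdent('ancestor_id')} = ${opts.currentUserIdFunc}`,
+`${hAlias}.${quoteIdent('descendant_id')} = ${colRef(payload.anchor_field, opts)}`,
 ];
 } else {
 // Subordinate sees managers: current user is descendant, row's anchor is ancestor
 conditions = [
-`${hAlias}."entity_id" = ${colRef(entityField, opts)}`,
-`${hAlias}."descendant_id" = ${opts.currentUserIdFunc}`,
-`${hAlias}."ancestor_id" = ${colRef(payload.anchor_field, opts)}`,
+`${hAlias}.${quoteIdent('entity_id')} = ${colRef(entityField, opts)}`,
+`${hAlias}.${quoteIdent('descendant_id')} = ${opts.currentUserIdFunc}`,
+`${hAlias}.${quoteIdent('ancestor_id')} = ${colRef(payload.anchor_field, opts)}`,
 ];
 }
 
 if (payload.max_depth !== undefined) {
-conditions.push(`${hAlias}."depth" <= ${payload.max_depth}`);
+conditions.push(`${hAlias}.${quoteIdent('depth')} <= ${payload.max_depth}`);
 }
 
 const sql = `EXISTS (SELECT 1 FROM ${hierarchyTable} AS ${hAlias} WHERE ${conditions.join(' AND ')})`;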
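Review bot: Identifiers are now quoted, but values are still spliced into the SQL as raw string literals, so `get_permission_mask('${payload.permission}')` in generatePermissionConditions and the `'${p}'` mapping that builds permList remain injection points the moment a permission name contains a single quote. A literal-quoting counterpart to quoteIdent (doubling embedded `'`), or binding the value as a query parameter, should wrap these, e.g. `get_permission_mask(${quoteLiteral(payload.permission)})` — whether such a helper already exists in this file is not visible from the diff. The same applies to `${payload.max_depth}` in generateOrgHierarchy, which is interpolated without confirming it is a number; guarding the push with `Number.isInteger(payload.max_depth)` would keep a string-typed value out of the query. Whether payload comes from trusted policy configuration or from request data is not visible here; if the former this is defense in depth, if the latter it is a real hole. Every enclosing function in these hunks starts outside the visible lines.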
