Fix when a root type returns nil because unauthorized

rmosolgo · rmosolgo · commit a94b045cab26 · 2019-02-22T14:33:53.000-05:00
diff --git a/lib/graphql/execution/execute.rb b/lib/graphql/execution/execute.rb
@@ -50,12 +50,16 @@ def resolve_root_selection(query)
             operation = query.selected_operation
             op_type = operation.operation_type
             root_type = query.root_type_for_operation(op_type)
-            resolve_selection(
-              query.root_value,
-              root_type,
-              query.context,
-              mutation: query.mutation?
-            )
+            if query.context[:__root_unauthorized]
+              # This was set by member/instrumentation.rb so that we wouldn't continue.
+            else
+              resolve_selection(
+                query.root_value,
+                root_type,
+                query.context,
+                mutation: query.mutation?
+              )
+            end
           end
         end
 
diff --git a/lib/graphql/execution/interpreter/runtime.rb b/lib/graphql/execution/interpreter/runtime.rb
@@ -49,9 +49,15 @@ def run_eager
           root_type = legacy_root_type.metadata[:type_class] || raise("Invariant: type must be class-based: #{legacy_root_type}")
           object_proxy = root_type.authorized_new(query.root_value, context)
           object_proxy = schema.sync_lazy(object_proxy)
-          path = []
-          evaluate_selections(path, object_proxy, root_type, root_operation.selections, root_operation_type: root_op_type)
-          nil
+          if object_proxy.nil?
+            # Root .authorized? returned false.
+            write_in_response([], nil)
+            nil
+          else
+            path = []
+            evaluate_selections(path, object_proxy, root_type, root_operation.selections, root_operation_type: root_op_type)
+            nil
+          end
         end
 
         def gather_selections(owner_object, owner_type, selections, selections_by_name)
diff --git a/lib/graphql/schema/member/instrumentation.rb b/lib/graphql/schema/member/instrumentation.rb
@@ -28,6 +28,12 @@ def before_query(query)
             wrapper_class = root_type.metadata[:type_class]
             if wrapper_class
               new_root_value = wrapper_class.authorized_new(query.root_value, query.context)
+              new_root_value = query.schema.sync_lazy(new_root_value)
+              if new_root_value.nil?
+                # This is definitely a hack,
+                # but we need some way to tell execute.rb not to run.
+                query.context[:__root_unauthorized] = true
+              end
               query.root_value = new_root_value
             end
           end
diff --git a/spec/graphql/authorization_spec.rb b/spec/graphql/authorization_spec.rb
@@ -912,4 +912,30 @@ def auth_execute(*args)
       assert_equal [{"message"=>"Unauthorized Query: nil"}], unauth_res["errors"]
     end
   end
+
+  describe "returning false" do
+    class FalseSchema < GraphQL::Schema
+      class Query < GraphQL::Schema::Object
+        def self.authorized?(obj, ctx)
+          false
+        end
+
+        field :int, Integer, null: false
+
+        def int
+          1
+        end
+      end
+      query(Query)
+      if TESTING_INTERPRETER
+        use GraphQL::Execution::Interpreter
+      end
+    end
+
+    it "works out-of-the-box" do
+      res = FalseSchema.execute("{ int }")
+      assert_nil res.fetch("data")
+      refute res.key?("errors")
+    end
+  end
 end
