Handle unauthorized fields in aggregation #2790
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vadeveka
requested review from
Alekhya-Polavarapu,
Aniruddh25,
RubenCerna2079,
aaronburtle,
anushakolan,
neeraj-sharma2592,
rusamant,
sourabh1007 and
souvikghosh04
as code owners
Contributor
Author
|
/azp run |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This change implements authorization checks for GraphQL aggregation operations to ensure users can only group by and aggregate on fields they have permission to access. When unauthorized fields are used in groupBy arguments or aggregation functions, the system now throws an appropriate authorization error.
- Added authorization validation for fields in
groupByarguments - Added authorization validation for fields in aggregation functions
- Added new error message constants for aggregation authorization failures
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| GraphQLAuthorizationHandlerTests.cs | Added integration tests for unauthorized groupBy and aggregation field access scenarios |
| SqlQueryStructure.cs | Implemented authorization checks in ProcessGroupByField and ProcessAggregations methods |
| DataApiBuilderException.cs | Added new error message constants for groupBy and aggregation authorization failures |
| mssql-commands.txt | Added test role configuration with excluded publisher_id field for aggregation tests |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
lingxiao-microsoft
approved these changes
Jul 31, 2025
rusamant
approved these changes
Jul 31, 2025
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
rusamant
approved these changes
Jul 31, 2025
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Contributor
Author
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why make this change?
Closes #2776
Ensure authorization error thrown if fields in the groupBy argument or in the aggregation function are not allowed for the current role.
What is this change?
During groupBy argument parsing, check if the field is allowed access for current role.
During aggregation function argument parsing, check if the field is allowed access for current role
If no access, then throw authorization error
How was this tested?
Sample Request(s)
Samples from development mode (stack traces will not be show in production mode)
