Global filtering rules for specific types #5583
Unanswered
liam-russell asked this question in Q&A
Replies: 1 comment
-
I have now got this working with AutoMapper, but it's a bit of a hack. You need to map each relationship to filter the items by a consistent query.

```csharp
using AutoMapper;

// Inside an AutoMapper profile. `db` (the DbContext) and `user` (the current
// ClaimsPrincipal) are captured from the enclosing scope in the original post.
CreateMap<Database.Models.User, User>()
    .ForMember(
        m => m.Teams,
        m => m.MapFrom(x => x.Teams.Where(t =>
            // keep only the team links whose team appears in the user's base query
            db!.TeamsBaseQuery(user!).Any(bt => bt.Id == t.TeamId)
        ).Select(t => t.Team))
    );
```

This means that you have to remember to map every navigation property in your schema or you end up with a security hole. It'd be much better to do this at the type level.
-
I'm using the EF Core integration. I'm trying to figure out how to add specific filtering (not permissions) rules for specific types, based on the model, nested properties and the current `ClaimsPrincipal`. It seems like this should be possible with custom middleware, but when I've tried that, I'm unable to figure out how to adjust the query which executes. I see similar discussions such as this one: #5508
The conclusion on that issue was that it's not in Hot Chocolate's scope; however, I don't see how I can filter this in the resolver or in EF natively, as the GraphQL query could potentially request relationships multiple levels deep, and those inner levels are then not filtered.
Say I have a `User` type, where a normal user should only have access to see themselves and members of their teams, and a `Team` type, where for a normal user a team should only be visible if you are a member.
While you wouldn't likely do this in a real-world situation, with this schema you could potentially run a query that, if done maliciously, could reveal the names of teams that you're not in. To me the solution to this would be to define filtering rules for each type so that no matter how deep in the graph they're retrieved, the rules are always applied.
Is anyone able to point me in the right direction here? I've tried writing middleware, and also using AutoMapper to filter on relationship projection (which seems pretty hacky), but that led to a stack overflow as it followed the relationships in an infinite loop.
Thanks in advance 🙂
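One way to get the "rules attached to the type, applied at every depth" behaviour the question asks for, and to avoid the per-navigation mapping the AutoMapper comment above warns about, is to put the rules into EF Core global query filters on the `User` and `Team` entities. EF Core applies a type's filter wherever that type is reached in a query, including navigations expanded inside a projection, which is what a nested GraphQL selection becomes. The code below is an added example, not code from this discussion, from Hot Chocolate or from EF Core; the entity shapes, `AppDbContext`, `CurrentUser`, the `TeamMember` join entity and the `"admin"` role are all assumptions.

```csharp
// Added example (not from the discussion). EF Core global query filters that
// carry the caller's identity, so Team and User rows are filtered at every
// navigation no matter how deep the projection goes. All names are assumed.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public List<TeamMember> Memberships { get; set; } = new();
    public List<Team> Teams { get; set; } = new();   // skip navigation via TeamMember
}

public class Team
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public List<TeamMember> Members { get; set; } = new();
    public List<User> Users { get; set; } = new();   // skip navigation via TeamMember
}

// Join entity. It deliberately has no filter of its own, so the User and Team
// filters only reach each other through an unfiltered type and cannot cycle.
public class TeamMember
{
    public int UserId { get; set; }
    public User User { get; set; } = null!;
    public int TeamId { get; set; }
    public Team Team { get; set; } = null!;
}

// Request-scoped view of the ClaimsPrincipal (assumed claim layout). A missing
// identifier becomes Id 0, which matches no row, so an anonymous caller sees nothing.
public sealed record CurrentUser(int Id, bool IsAdmin)
{
    public static CurrentUser From(ClaimsPrincipal p) =>
        new(int.Parse(p.FindFirstValue(ClaimTypes.NameIdentifier) ?? "0"), p.IsInRole("admin"));
}

public class AppDbContext : DbContext
{
    private readonly CurrentUser _me;

    // Needs a scoped (not pooled) context registration: a pooled DbContext
    // cannot take per-request constructor arguments.
    public AppDbContext(DbContextOptions<AppDbContext> options, CurrentUser me)
        : base(options) => _me = me;

    public DbSet<User> Users => Set<User>();
    public DbSet<Team> Teams => Set<Team>();

    protected override void OnModelCreating(ModelBuilder b)
    {
        b.Entity<User>()
            .HasMany(u => u.Teams)
            .WithMany(t => t.Users)
            .UsingEntity<TeamMember>(
                j => j.HasOne(m => m.Team).WithMany(t => t.Members),
                j => j.HasOne(m => m.User).WithMany(u => u.Memberships),
                j => j.HasKey(m => new { m.UserId, m.TeamId }));

        // Members of the context instance referenced in a filter are read when
        // each query runs, so the filter follows the caller this context was built for.
        // A Team is visible only to its members (or to an admin).
        b.Entity<Team>().HasQueryFilter(t =>
            _me.IsAdmin || t.Members.Any(m => m.UserId == _me.Id));

        // A User is visible if it is the caller or shares at least one team with them.
        b.Entity<User>().HasQueryFilter(u =>
            _me.IsAdmin
            || u.Id == _me.Id
            || u.Memberships.Any(m => m.Team.Members.Any(x => x.UserId == _me.Id)));
    }
}

public static class Demo
{
    // The same three-level shape a `users { teams { users { name } } }` selection
    // would project. Only the root is written here; `u.Teams` and `t.Users` are
    // navigation expansions, and EF Core applies the Team and User filters to
    // each of them, so teams the caller is not in never appear at any level.
    public static IQueryable<object> VisibleGraph(AppDbContext db) =>
        db.Users.Select(u => new
        {
            u.Name,
            Teams = u.Teams.Select(t => new
            {
                t.Name,
                Members = t.Users.Select(x => x.Name)
            })
        });
}
```

Two checks worth doing once this is in place: grep the code base for `IgnoreQueryFilters()`, since a single call disables every filter on that query, and make sure the `CurrentUser` the context receives really is the one for the current request (with a pooled `DbContext` the constructor cannot take it, so either register the context as scoped, as assumed here, or set the caller on the instance at the start of each request). With the filters on the entity types, a Hot Chocolate resolver only needs to return `db.Users` and let projection expand the selection; there is no per-navigation mapping to forget.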