Handle unauthorized fields in aggregation (#2790)

vadeveka · Copilot · web-flow · commit 37343c0b92ec · 2025-08-01T01:07:59.000Z
## Why make this change? Closes #2776 Ensure authorization error thrown if fields in the groupBy argument or in the aggregation function are not allowed for the current role. ## What is this change? During groupBy argument parsing, check if the field is allowed access for current role. During aggregation function argument parsing, check if the field is allowed access for current role If no access, then throw authorization error ## How was this tested? - [x] Integration Tests ## Sample Request(s) Samples from development mode (stack traces will not be show in production mode) <img width="1385" height="463" alt="image" src="https://github.com/user-attachments/assets/f412e127-74bb-4ca9-8d58-36c8a08281c3" /> <img width="1479" height="452" alt="image" src="https://github.com/user-attachments/assets/14763f97-93ea-4ed0-85b9-8b001859d508" /> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/config-generators/mssql-commands.txt b/config-generators/mssql-commands.txt
@@ -207,6 +207,7 @@ update BookNF --config "dab-config.MsSql.json" --permissions "TestNestedFilter_E
 update BookNF --config "dab-config.MsSql.json" --permissions "TestNestedFilter_ColumnForbidden:read"
 update BookNF --config "dab-config.MsSql.json" --permissions "TestNestedFilterChained_EntityReadForbidden:read"
 update BookNF --config "dab-config.MsSql.json" --permissions "TestNestedFilterChained_ColumnForbidden:read"
+update BookNF --config "dab-config.MsSql.json" --permissions "TestFieldExcludedForAggregation:read" --fields.exclude "publisher_id"
 update BookNF --config "dab-config.MsSql.json" --relationship publishers --target.entity PublisherNF --cardinality one
 update BookNF --config "dab-config.MsSql.json" --relationship websiteplacement --target.entity BookWebsitePlacement --cardinality one
 update BookNF --config "dab-config.MsSql.json" --relationship reviews --target.entity Review --cardinality many
diff --git a/src/Config/DataApiBuilderException.cs b/src/Config/DataApiBuilderException.cs
@@ -18,6 +18,8 @@ public class DataApiBuilderException : Exception
     public const string GRAPHQL_FILTER_FIELD_AUTHZ_FAILURE = "Access forbidden to a field referenced in the filter.";
     public const string AUTHORIZATION_FAILURE = "Authorization Failure: Access Not Allowed.";
     public const string GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE = "Unauthorized due to one or more fields in this mutation.";
+    public const string GRAPHQL_GROUPBY_FIELD_AUTHZ_FAILURE = "Access forbidden to field '{0}' referenced in the groupBy argument.";
+    public const string GRAPHQL_AGGREGATION_FIELD_AUTHZ_FAILURE = "Access forbidden to field '{0}' referenced in the aggregation function '{1}'.";
 
     public enum SubStatusCodes
     {
diff --git a/src/Core/Resolvers/Sql Query Structures/SqlQueryStructure.cs b/src/Core/Resolvers/Sql Query Structures/SqlQueryStructure.cs
@@ -459,7 +459,7 @@ private SqlQueryStructure(
             {
                 if (isGroupByQuery)
                 {
-                    ProcessGroupByField(queryField, ctx);
+                    ProcessGroupByField(queryField, ctx, authorizationResolver);
                 }
                 else
                 {
@@ -877,19 +877,33 @@ private void AddGraphQLFields(IReadOnlyList<ISelectionNode> selections, RuntimeC
         ///   }
         /// }
         /// </summary>
-        private void ProcessGroupByField(FieldNode groupByField, IMiddlewareContext ctx)
+        private void ProcessGroupByField(FieldNode groupByField, IMiddlewareContext ctx, IAuthorizationResolver authorizationResolver)
         {
             // Extract 'fields' argument
             ArgumentNode? fieldsArg = groupByField.Arguments.FirstOrDefault(a => a.Name.Value == QueryBuilder.GROUP_BY_FIELDS_FIELD_NAME);
             HashSet<string> fieldsInArgument = new();
 
+            string roleOfGraphQLRequest = Authorization.AuthorizationResolver.GetRoleOfGraphQLRequest(ctx);
+
             if (fieldsArg is { Value: ListValueNode fieldsList })
             {
                 foreach (EnumValueNode value in fieldsList.Items)
                 {
                     string fieldName = value.Value;
                     string columnName = MetadataProvider.TryGetBackingColumn(EntityName, fieldName, out string? backingColumn) ? backingColumn : fieldName;
 
+                    // Validate that the current role has access to groupBy argument fields
+                    IEnumerable<string> roles = authorizationResolver.GetRolesForField(EntityName, field: columnName, operation: EntityActionOperation.Read);
+                    if (roles != null && !roles.Contains(roleOfGraphQLRequest, StringComparer.OrdinalIgnoreCase))
+                    {
+                        // raising exception for the first unauthorized groupBy field found
+                        throw new DataApiBuilderException(
+                            message: string.Format(DataApiBuilderException.GRAPHQL_GROUPBY_FIELD_AUTHZ_FAILURE, fieldName),
+                            statusCode: HttpStatusCode.Forbidden,
+                            subStatusCode: DataApiBuilderException.SubStatusCodes.AuthorizationCheckFailed
+                        );
+                    }
+
                     GroupByMetadata.Fields[columnName] = new Column(DatabaseObject.SchemaName, DatabaseObject.Name, columnName, SourceAlias);
                     AddColumn(fieldName, backingColumn ?? fieldName);
                     fieldsInArgument.Add(fieldName);
@@ -913,7 +927,7 @@ private void ProcessGroupByField(FieldNode groupByField, IMiddlewareContext ctx)
 
                     case QueryBuilder.GROUP_BY_AGGREGATE_FIELD_NAME:
                         GroupByMetadata.RequestedAggregations = true;
-                        ProcessAggregations(field, ctx);
+                        ProcessAggregations(field, ctx, authorizationResolver, roleOfGraphQLRequest);
                         break;
                 }
             }
@@ -963,7 +977,7 @@ private void ProcessGroupByFieldSelections(FieldNode groupByFieldSelection, Hash
         /// </summary>
         /// <param name="aggregationsField">The FieldNode representing the aggregations field in the GraphQL query.</param>
         /// <param name="ctx"> middleware context.</param>
-        private void ProcessAggregations(FieldNode aggregationsField, IMiddlewareContext ctx)
+        private void ProcessAggregations(FieldNode aggregationsField, IMiddlewareContext ctx, IAuthorizationResolver authorizationResolver, string roleOfGraphQLRequest)
         {
             // If there are no selections in the aggregation field, exit early
             if (aggregationsField.SelectionSet == null)
@@ -1010,7 +1024,18 @@ private void ProcessAggregations(FieldNode aggregationsField, IMiddlewareContext
                     if (MetadataProvider.TryGetBackingColumn(EntityName, fieldName, out string? backingColumn))
                     {
                         columnName = backingColumn;
-                        fieldName = backingColumn;
+                    }
+
+                    // Validate that the current role has access to field in the aggregation function argument
+                    IEnumerable<string> roles = authorizationResolver.GetRolesForField(EntityName, field: columnName, operation: EntityActionOperation.Read);
+                    if (roles != null && !roles.Contains(roleOfGraphQLRequest, StringComparer.OrdinalIgnoreCase))
+                    {
+                        // raising exception for the first unauthorized field found
+                        throw new DataApiBuilderException(
+                            message: string.Format(DataApiBuilderException.GRAPHQL_AGGREGATION_FIELD_AUTHZ_FAILURE, fieldName, operation),
+                            statusCode: HttpStatusCode.Forbidden,
+                            subStatusCode: DataApiBuilderException.SubStatusCodes.AuthorizationCheckFailed
+                        );
                     }
 
                     // Use the field alias if provided, otherwise default to the operation name
diff --git a/src/Service.Tests/Authorization/GraphQL/GraphQLAuthorizationHandlerTests.cs b/src/Service.Tests/Authorization/GraphQL/GraphQLAuthorizationHandlerTests.cs
@@ -71,5 +71,73 @@ public async Task FieldAuthorizationProcessing(bool isAuthenticated, string clie
                 SqlTestHelper.PerformTestEqualJsonStrings(expectedResult, actual.ToString());
             }
         }
+
+        /// <summary>
+        /// Tests that a GraphQL query with a groupBy operation on fields not allowed for aggregation results in an
+        /// appropriate error message.
+        /// </summary>
+        /// <returns></returns>
+        [TestMethod]
+        public async Task Query_GroupBy_FieldNotAllowed()
+        {
+            string graphQLQueryName = "booksNF";
+            string graphQLQuery = @"{
+                  booksNF {
+                    groupBy (fields: [id, publisher_id]) {
+                      fields {
+                        id
+                        publisher_id
+                      }
+                    }
+                  }
+                }
+                ";
+
+            JsonElement actual = await ExecuteGraphQLRequestAsync(
+                graphQLQuery,
+                graphQLQueryName,
+                isAuthenticated: true,
+                clientRoleHeader: "TestFieldExcludedForAggregation");
+
+            SqlTestHelper.TestForErrorInGraphQLResponse(
+                actual.ToString(),
+                message: "Access forbidden to field 'publisher_id' referenced in the groupBy argument.",
+                path: @"[""booksNF""]"
+            );
+        }
+
+        /// <summary>
+        /// Tests that a GraphQL query with a group by aggregation on a field not allowed for aggregation results in an
+        /// appropriate error message.
+        /// </summary>
+        /// <returns></returns>
+        [TestMethod]
+        public async Task Query_GroupBy_Aggregation_FieldNotAllowed()
+        {
+            string graphQLQueryName = "booksNF";
+            string graphQLQuery = @"{
+                  booksNF {
+                    groupBy {
+                      aggregations {
+                        max (field: id)
+                        min (field: publisher_id)
+                      }
+                    }
+                  }
+                }
+                ";
+
+            JsonElement actual = await ExecuteGraphQLRequestAsync(
+                graphQLQuery,
+                graphQLQueryName,
+                isAuthenticated: true,
+                clientRoleHeader: "TestFieldExcludedForAggregation");
+
+            SqlTestHelper.TestForErrorInGraphQLResponse(
+                actual.ToString(),
+                message: "Access forbidden to field 'publisher_id' referenced in the aggregation function 'min'.",
+                path: @"[""booksNF""]"
+            );
+        }
     }
 }
diff --git a/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForMsSql.verified.txt b/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForMsSql.verified.txt
@@ -3442,6 +3442,19 @@
                 Action: Read
               }
             ]
+          },
+          {
+            Role: TestFieldExcludedForAggregation,
+            Actions: [
+              {
+                Action: Read,
+                Fields: {
+                  Exclude: [
+                    publisher_id
+                  ]
+                }
+              }
+            ]
           }
         ],
         Mappings: {

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ public class DataApiBuilderException : Exception`
`18`	`18`	`public const string GRAPHQL_FILTER_FIELD_AUTHZ_FAILURE = "Access forbidden to a field referenced in the filter.";`
`19`	`19`	`public const string AUTHORIZATION_FAILURE = "Authorization Failure: Access Not Allowed.";`
`20`	`20`	`public const string GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE = "Unauthorized due to one or more fields in this mutation.";`
	`21`	`+ public const string GRAPHQL_GROUPBY_FIELD_AUTHZ_FAILURE = "Access forbidden to field '{0}' referenced in the groupBy argument.";`
	`22`	`+ public const string GRAPHQL_AGGREGATION_FIELD_AUTHZ_FAILURE = "Access forbidden to field '{0}' referenced in the aggregation function '{1}'.";`
`21`	`23`
`22`	`24`	`public enum SubStatusCodes`
`23`	`25`	`{`