Check item resource class in mutation (#2441)

lukasluecke · dunglas · commit ea4446da0255 · 2019-01-15T16:44:27.000+01:00
This prevents passing IRIs belonging to different resource classes
diff --git a/composer.json b/composer.json
@@ -66,7 +66,7 @@
         "symfony/twig-bundle": "^3.1 || ^4.0",
         "symfony/validator": "^3.3 || ^4.0",
         "symfony/yaml": "^3.3 || ^4.0",
-        "webonyx/graphql-php": ">=0.12 <1.0"
+        "webonyx/graphql-php": "^0.12"
     },
     "conflict": {
         "symfony/dependency-injection": "<3.3"
diff --git a/features/graphql/mutation.feature b/features/graphql/mutation.feature
@@ -122,6 +122,21 @@ Feature: GraphQL mutation support
     And the JSON node "data.deleteFoo.id" should be equal to "/foos/1"
     And the JSON node "data.deleteFoo.clientMutationId" should be equal to "anotherId"
 
+  Scenario: Trigger an error trying to delete item of different resource
+    When I send the following GraphQL request:
+    """
+    mutation {
+      deleteFoo(input: {id: "/dummies/1", clientMutationId: "myId"}) {
+        id
+        clientMutationId
+      }
+    }
+    """
+    Then the response status code should be 200
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/json"
+    And the JSON node "errors[0].message" should be equal to 'Item "/dummies/1" did not match expected type "ApiPlatform\Core\Tests\Fixtures\TestBundle\Entity\Foo".'
+
   @dropSchema
   Scenario: Delete an item with composite identifiers through a mutation
     Given there are Composite identifier objects
diff --git a/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php b/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php
@@ -22,6 +22,7 @@
 use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
 use ApiPlatform\Core\Metadata\Resource\ResourceMetadata;
 use ApiPlatform\Core\Security\ResourceAccessCheckerInterface;
+use ApiPlatform\Core\Util\ClassInfoTrait;
 use ApiPlatform\Core\Validator\Exception\ValidationException;
 use ApiPlatform\Core\Validator\ValidatorInterface;
 use GraphQL\Error\Error;
@@ -38,6 +39,7 @@
  */
 final class ItemMutationResolverFactory implements ResolverFactoryInterface
 {
+    use ClassInfoTrait;
     use ResourceAccessCheckerTrait;
 
     private $iriConverter;
@@ -81,6 +83,10 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,
                 } catch (ItemNotFoundException $e) {
                     throw Error::createLocatedError(sprintf('Item "%s" not found.', $args['input']['id']), $info->fieldNodes, $info->path);
                 }
+
+                if ($resourceClass !== $this->getObjectClass($item)) {
+                    throw Error::createLocatedError(sprintf('Item "%s" did not match expected type "%s".', $args['input']['id'], $resourceClass), $info->fieldNodes, $info->path);
+                }
             }
 
             $resourceMetadata = $this->resourceMetadataFactory->create($resourceClass);
