Validate arguments before passing to authorize

mfn · mfn · commit 2d9ea7305acf · 2019-07-20T01:06:24.000+02:00
Fixes #407
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,6 +43,7 @@ CHANGELOG
 - Replace global helper `is_lumen` with static class call `\Rebing\GraphQL\Helpers::isLumen`
 
 ### Fixed
+- Arguments are now validation before they're passed to `authorize()` [\#413](https://github.com/rebing/graphql-laravel/pull/413)
 - File uploads now correctly work with batched requests [\#397](https://github.com/rebing/graphql-laravel/pull/397)
 - Path multi-level support for Schemas works again [\#358](https://github.com/rebing/graphql-laravel/pull/358)
 - SelectFields correctly passes field arguments to the custom query [\#327](https://github.com/rebing/graphql-laravel/pull/327)
diff --git a/src/Support/Field.php b/src/Support/Field.php
@@ -167,11 +167,6 @@ protected function getResolver(): ?Closure
                 $arguments[1] = array_merge($arguments[1], $arguments[2]);
             }
 
-            // Authorize
-            if (call_user_func($authorize, $arguments[1]) != true) {
-                throw new AuthorizationError('Unauthorized');
-            }
-
             // Validate mutation arguments
             if (method_exists($this, 'getRules')) {
                 $args = Arr::get($arguments, 1, []);
@@ -188,6 +183,11 @@ protected function getResolver(): ?Closure
                 }
             }
 
+            // Authorize
+            if (call_user_func($authorize, $arguments[1]) != true) {
+                throw new AuthorizationError('Unauthorized');
+            }
+
             // Add the 'selects and relations' feature as 5th arg
             if (isset($arguments[3])) {
                 $arguments[] = function () use ($arguments): SelectFields {
diff --git a/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php b/tests/Unit/ValidationAuthorizationTests/ValidationAuthorizationTest.php
@@ -4,6 +4,7 @@
 
 namespace Rebing\GraphQL\Tests\Unit\ValidationAuthorizationTests;
 
+use Illuminate\Support\MessageBag;
 use Rebing\GraphQL\Tests\TestCase;
 
 class ValidationAuthorizationTest extends TestCase
@@ -23,7 +24,16 @@ public function testAuthorizeArgumentsInvalid(): void
             ],
         ]);
 
-        $this->assertSame('Unauthorized', $result['errors'][0]['message']);
+        $this->assertSame('validation', $result['errors'][0]['message']);
+
+        /** @var MessageBag $messageBag */
+        $messageBag = $result['errors'][0]['extensions']['validation'];
+        $expectedErrors = [
+            'arg1' => [
+                'The selected arg1 is invalid.',
+            ],
+        ];
+        $this->assertSame($expectedErrors, $messageBag->messages());
     }
 
     public function testAuthorizeArgumentsValid(): void
