permissions are not respected for aggregations in sql server #7773
Description
Version Information
Server Version: v2.1.0-beta.1 and main (as of this writing)
Environment
All
What is the expected behaviour?
Select permission's filter should be applied on aggregations.
Keywords
aggregation, mssql, sql-server
What is the current behaviour?
permission filter is not respected in aggregations.
How to reproduce the issue?
On a standard chinook dataset, import this metadata:
{
"metadata": {
"version": 3,
"sources": [
{
"name": "mssql",
"kind": "mssql",
"tables": [
{
"table": {
"schema": "dbo",
"name": "Artist"
},
"select_permissions": [
{
"role": "user",
"permission": {
"allow_aggregations": true,
"columns": [
"ArtistId",
"Name"
],
"filter": {
"ArtistId": {
"_eq": "x-hasura-user-id"
}
},
"limit": 10
}
}
]
}
],
"configuration": {
"connection_info": {
"connection_string": {
"from_env": "CHINOOK_CONNECTION_STRING"
},
"pool_settings": {
"idle_timeout": 5,
"max_connections": 50
}
}
}
}
]
}
}
Run the following query:
query MyQuery {
Artist {
ArtistId
Name
}
Artist_aggregate {
aggregate {
count
}
nodes {
ArtistId
Name
}
}
}with the role user and x-hasura-user-id set to 1. The response is as follows:
{
"data": {
"Artist": [
{
"ArtistId": 1,
"Name": "AC/DC"
}
],
"Artist_aggregate": {
"aggregate": {
"count": 275
},
"nodes": [
{
"ArtistId": 1,
"Name": "AC/DC"
}
]
}
}
}Note aggregate.count being 275, it should instead be 1 as the filter only allows reading only 1 row for the user role.
Can you identify the location in the source code where the problem exists?
Would in the SQL translation layer for MSSQL.