fix: Don't show detailed errors for anonymous users

codecov · Nov 4, 2024 · b35b678 · b35b678
1 parent f0fcbcc
commit b35b678
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/graphql_api/tests/test_views.py b/graphql_api/tests/test_views.py
@@ -113,7 +113,7 @@ async def test_when_debug_is_false_and_exception_we_know(self):
         assert data["errors"][0]["type"] == "Unauthorized"
         assert data["errors"][0].get("extensions") is None
 
-    @override_settings(DEBUG=False)
+    @override_settings(DEBUG=True)
     async def test_when_bad_query(self):
         schema = generate_schema_that_raise_with(Unauthorized())
         data = await self.do_query(schema, " { fieldThatDoesntExist }")
@@ -123,6 +123,13 @@ async def test_when_bad_query(self):
             == "Cannot query field 'fieldThatDoesntExist' on type 'Query'."
         )
 
+    @override_settings(DEBUG=False)
+    async def test_when_bad_query_and_anonymous(self):
+        schema = generate_schema_that_raise_with(Unauthorized())
+        data = await self.do_query(schema, " { fieldThatDoesntExist }")
+        assert data["errors"] is not None
+        assert data["errors"][0]["message"] == "INTERNAL SERVER ERROR"
+
     @override_settings(DEBUG=False, GRAPHQL_QUERY_COST_THRESHOLD=1000)
     @patch("logging.Logger.error")
     async def test_when_costly_query(self, mock_error_logger):

diff --git a/graphql_api/views.py b/graphql_api/views.py
@@ -292,6 +292,8 @@ async def post(self, request, *args, **kwargs):
 
     def context_value(self, request, *_):
         request_body = json.loads(request.body.decode("utf-8")) if request.body else {}
+        self.request = request
+
         return {
             "request": request,
             "service": request.resolver_match.kwargs["service"],
@@ -300,9 +302,11 @@ def context_value(self, request, *_):
         }
 
     def error_formatter(self, error, debug=False):
+        user = self.request.user
+        is_anonymous = user.is_anonymous if user else True
         # the only way to check for a malformed query
         is_bad_query = "Cannot query field" in error.formatted["message"]
-        if debug or is_bad_query:
+        if debug or (not is_anonymous and is_bad_query):
             return format_error(error, debug)
         formatted = error.formatted
         formatted["message"] = "INTERNAL SERVER ERROR"