From 5c1c949c3b04045d53565a93208025781207efa7 Mon Sep 17 00:00:00 2001 From: Vyacheslav Matyukhin Date: Fri, 8 Nov 2024 13:56:35 -0300 Subject: [PATCH] fix #3414 - 404 on access to private models --- .../hub/src/app/models/[owner]/[slug]/EditModelPage.tsx | 1 + packages/hub/src/app/not-found.tsx | 2 -- packages/hub/src/graphql/queries/model.ts | 6 ++++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/packages/hub/src/app/models/[owner]/[slug]/EditModelPage.tsx b/packages/hub/src/app/models/[owner]/[slug]/EditModelPage.tsx index fe32384345..d6155c74e7 100644 --- a/packages/hub/src/app/models/[owner]/[slug]/EditModelPage.tsx +++ b/packages/hub/src/app/models/[owner]/[slug]/EditModelPage.tsx @@ -36,6 +36,7 @@ export const EditModelPage: FC<{ `, query ); + const model = extractFromGraphqlErrorUnion(result, "Model"); const typename = model.currentRevision.content.__typename; diff --git a/packages/hub/src/app/not-found.tsx b/packages/hub/src/app/not-found.tsx index e365c82e47..a1efa51424 100644 --- a/packages/hub/src/app/not-found.tsx +++ b/packages/hub/src/app/not-found.tsx @@ -1,6 +1,4 @@ export default function NotFound() { - // Note: Next.js (13.4.9) in dev mode doesn't reload this page correctly. - // Restart `next dev` process if you edit this component. return (
diff --git a/packages/hub/src/graphql/queries/model.ts b/packages/hub/src/graphql/queries/model.ts index 8899988f05..534c32d39f 100644 --- a/packages/hub/src/graphql/queries/model.ts +++ b/packages/hub/src/graphql/queries/model.ts @@ -2,6 +2,7 @@ import { builder } from "@/graphql/builder"; import { prisma } from "@/prisma"; import { NotFoundError } from "../errors/NotFoundError"; +import { modelWhereHasAccess } from "../helpers/modelHelpers"; builder.queryField("model", (t) => t.prismaFieldWithInput({ @@ -13,13 +14,14 @@ builder.queryField("model", (t) => errors: { types: [NotFoundError], }, - async resolve(query, _, { input }) { + async resolve(query, _, { input }, { session }) { const model = await prisma.model.findFirst({ ...query, where: { slug: input.slug, owner: { slug: input.owner }, - // no need to check access - will be checked by Model authScopes + // intentionally checking access - see https://github.com/quantified-uncertainty/squiggle/issues/3414 + ...modelWhereHasAccess(session), }, }); if (!model) {
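Review bot: In the `where` of the `model` resolver, `...modelWhereHasAccess(session)` is spread last, so any top-level key the helper returns that collides with `slug` or `owner` would silently replace the lookup filter instead of narrowing it; the helper's return shape is not visible in this diff, so this may be harmless today. Composing the two conditions explicitly removes the dependency on key names: `where: { AND: [{ slug: input.slug, owner: { slug: input.owner } }, modelWhereHasAccess(session)] },`. The new comment would be more durable if it stated the reason next to the issue link, which appears to be `// filter by access here so a private model is indistinguishable from a missing one (NotFoundError) rather than surfacing an auth error`. The `resolve` body continues past the end of the hunk, so the handling after `if (!model) {` is not reviewed here.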