Improve GraphQL content item authorization handling (#19098)

gvkries · web-flow · commit 6793dcde5031 · 2026-04-24T13:07:23.000+02:00
diff --git a/src/OrchardCore.Modules/OrchardCore.Apis.GraphQL/GraphQLMiddleware.cs b/src/OrchardCore.Modules/OrchardCore.Apis.GraphQL/GraphQLMiddleware.cs
@@ -158,6 +158,7 @@ private async Task ExecuteAsync(HttpContext context)
             options.OperationName = request.OperationName;
             options.Variables = request.Variables;
             options.UserContext = _settings.BuildUserContext?.Invoke(context);
+            options.User = context.User;
             options.ValidationRules = DocumentValidator.CoreRules
             .Concat(context.RequestServices.GetServices<IValidationRule>())
             .Append(new ComplexityValidationRule(new ComplexityOptions
diff --git a/src/OrchardCore/OrchardCore.ContentManagement.GraphQL/Queries/ContentItemQuery.cs b/src/OrchardCore/OrchardCore.ContentManagement.GraphQL/Queries/ContentItemQuery.cs
@@ -2,25 +2,19 @@
 using GraphQL.Resolvers;
 using GraphQL.Types;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Localization;
 using OrchardCore.Apis.GraphQL;
 using OrchardCore.ContentManagement.GraphQL.Queries.Types;
-using ContentsCommonPermissions = OrchardCore.Contents.CommonPermissions;
 
 namespace OrchardCore.ContentManagement.GraphQL.Queries;
 
 public sealed class ContentItemQuery : ISchemaBuilder
 {
-    private readonly IHttpContextAccessor _httpContextAccessor;
-
     internal readonly IStringLocalizer S;
 
-    public ContentItemQuery(IHttpContextAccessor httpContextAccessor,
-        IStringLocalizer<ContentItemQuery> localizer)
+    public ContentItemQuery(IStringLocalizer<ContentItemQuery> localizer)
     {
-        _httpContextAccessor = httpContextAccessor;
         S = localizer;
     }
 
@@ -53,10 +47,9 @@ public Task BuildAsync(ISchema schema)
 
     private async ValueTask<ContentItem> ResolveAsync(IResolveFieldContext context)
     {
-        var httpContext = _httpContextAccessor.HttpContext;
         var contentItemId = context.GetArgument<string>("contentItemId");
-        var contentManager = httpContext.RequestServices.GetRequiredService<IContentManager>();
-        var authorizationService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
+        var contentManager = context.RequestServices.GetService<IContentManager>();
+        var authorizationService = context.RequestServices.GetService<IAuthorizationService>();
 
         var contentItem = await contentManager.GetAsync(contentItemId);
 
@@ -65,8 +58,9 @@ private async ValueTask<ContentItem> ResolveAsync(IResolveFieldContext context)
             return null;
         }
 
-        if (!await authorizationService.AuthorizeAsync(httpContext.User, ContentsCommonPermissions.ViewContent, contentItem))
+        if (!await authorizationService.AuthorizeAsync(context.User, Contents.CommonPermissions.ViewContent, contentItem))
         {
+            // Return null if the user doesn't have permission to view the content item, so that it doesn't appear in the GraphQL response.
             return null;
         }
 
