Unprotected BatchPatchMutations
This is a follow-up issue to AlekSIS/onboarding/AlekSIS-App-Kolego#41 (closed).
Use the following and adjust VALID_SESSION_ID_FOR_STUDENT and id for reproduction:
curl -X POST http://localhost:8000/graphql/ -H "Content-Type: application/json" -H "Cookie: sessionid=VALID_SESSION_ID_FOR_STUDENT" -d '{"variables":{"input":[{"id":"3","shortName":"update","name":"update with authorization","colour":"#000000"}]},"query":"mutation updateAbsenceReasons($input: [BatchPatchAbsenceReasonInput]!) {updateAbsenceReasons(input: $input) {items: absenceReasons {id shortName name colour countAsAbsent default canEdit canDelete tags {id name shortName}}}}"}'
The implementation in Kolego seems solid, and the next step should be to check if other similar BatchPatchMutations have the same issue.
It might then be possible that this issue belongs in Core.
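
The control this report finds missing, as an added example that is not AlekSIS or Kolego code: a batch patch handler that authorizes every item in the input list before writing anything, so a student session is rejected and no partial update happens. The names `User`, `can_edit`, `batch_patch`, `EDIT_PERM` and the in-memory store are hypothetical stand-ins, and the rule "only holders of one edit permission may patch" is an assumption.

```python
"""Added illustration: per-item authorization for a batch patch."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller may not edit at least one item in the batch."""


@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)  # permission codenames held


# Constructed sample store standing in for the absence reason table.
ABSENCE_REASONS = {
    "3": {"shortName": "ill", "name": "Illness", "colour": "#ff0000"},
    "4": {"shortName": "late", "name": "Late", "colour": "#00ff00"},
}

EDIT_PERM = "edit_absencereason"  # hypothetical codename
PATCHABLE = {"shortName", "name", "colour"}  # fields a patch may touch


def can_edit(user, obj_id):
    """Hypothetical rule: only holders of EDIT_PERM may edit a reason."""
    return EDIT_PERM in user.perms


def batch_patch(user, items, store=ABSENCE_REASONS):
    """Apply a list of patches only if the caller may edit every target."""
    # Pass 1: validate and authorize everything before touching the store,
    # so one forbidden item rejects the whole batch with no partial write.
    for item in items:
        obj_id = item.get("id")
        if obj_id not in store or not can_edit(user, obj_id):
            # Same error for "missing" and "forbidden" avoids an id oracle.
            raise PermissionDenied(f"not allowed to patch item {obj_id!r}")
        unknown = set(item) - PATCHABLE - {"id"}
        if unknown:
            raise ValueError(f"unpatchable fields: {sorted(unknown)}")
    # Pass 2: every item passed, so apply the patches.
    for item in items:
        store[item["id"]].update({k: v for k, v in item.items() if k != "id"})
    return [dict(id=i["id"], **store[i["id"]]) for i in items]
```

A regression test for each batch mutation can follow the same shape: send the payload with a student session, expect a permission error, and confirm the stored row is unchanged.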