Remove global filters for disabled/deleted

I think there is no use case for it and it looks to me like sth. you shouldn't be able to query for.
2025-12-13 07:46:06 +00:00 · 2019-11-14 22:57:09 +01:00 · 2019-11-14 22:57:09 +01:00 · 0e3ace36fb
commit 0e3ace36fb
parent 034a353367
3 changed files with 3 additions and 89 deletions
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@ -41,20 +41,6 @@ const isMySocialMedia = rule({
  return socialMedia.ownedBy.node.id === user.id
 })
 /* TODO: decide if we want to remove this check: the check
 * `onlyEnabledContent` throws authorization errors only if you have
 * arguments for `disabled` or `deleted` assuming these are filter
 * parameters. Soft-delete middleware obfuscates data on its way out
 * anyways. Furthermore, `neo4j-graphql-js` offers many ways to filter for
 * data so I believe, this is not a good check anyways.
 */
 const onlyEnabledContent = rule({
  cache: 'strict',
 })(async (parent, args, ctx, info) => {
  const { disabled, deleted } = args
  return !(disabled || deleted)
 })
 const invitationLimitReached = rule({
  cache: 'no_cache',
 })(async (parent, args, { user, driver }) => {
@ -125,7 +111,8 @@ const permissions = shield(
      reports: isModerator,
      statistics: allow,
      currentUser: allow,
-      Post: or(onlyEnabledContent, isModerator),
+      Post: allow,
      profilePagePosts: allow,
      Comment: allow,
      User: or(noEmailFilter, isAdmin),
      isLoggedIn: allow,
@ -134,7 +121,6 @@ const permissions = shield(
      PostsEmotionsByCurrentUser: isAuthenticated,
      blockedUsers: isAuthenticated,
      notifications: isAuthenticated,
      profilePagePosts: or(onlyEnabledContent, isModerator),
      Donations: isAuthenticated,
    },
    Mutation: {
--- a/backend/src/middleware/softDelete/softDeleteMiddleware.js
+++ b/backend/src/middleware/softDelete/softDeleteMiddleware.js
@ -3,9 +3,7 @@ const isModerator = ({ user }) => {
 }
 const setDefaultFilters = (resolve, root, args, context, info) => {
-  if (typeof args.deleted !== 'boolean') {
+  args.deleted = false
    args.deleted = false
  }
  if (!isModerator(context)) {
    args.disabled = false
--- a/backend/src/middleware/softDelete/softDeleteMiddleware.spec.js
+++ b/backend/src/middleware/softDelete/softDeleteMiddleware.spec.js
@ -341,76 +341,6 @@ describe('softDeleteMiddleware', () => {
          })
        })
      })
      describe('filter (deleted: true)', () => {
        beforeEach(() => {
          graphqlQuery = gql`
            {
              Post(deleted: true) {
                title
              }
            }
          `
        })
        describe('as user', () => {
          beforeEach(async () => {
            authenticatedUser = await user.toJson()
          })
          it('throws authorisation error', async () => {
            const { data, errors } = await action()
            expect(data).toEqual({ Post: null })
            expect(errors[0]).toHaveProperty('message', 'Not Authorised!')
          })
        })
        describe('as moderator', () => {
          beforeEach(async () => {
            authenticatedUser = await moderator.toJson()
          })
          it('does not show deleted posts', async () => {
            const expected = { data: { Post: [{ title: 'UNAVAILABLE' }] } }
            await expect(action()).resolves.toMatchObject(expected)
          })
        })
      })
      describe('filter (disabled: true)', () => {
        beforeEach(() => {
          graphqlQuery = gql`
            {
              Post(disabled: true) {
                title
              }
            }
          `
        })
        describe('as user', () => {
          beforeEach(async () => {
            authenticatedUser = await user.toJson()
          })
          it('throws authorisation error', async () => {
            const { data, errors } = await action()
            expect(data).toEqual({ Post: null })
            expect(errors[0]).toHaveProperty('message', 'Not Authorised!')
          })
        })
        describe('as moderator', () => {
          beforeEach(async () => {
            authenticatedUser = await moderator.toJson()
          })
          it('shows disabled posts', async () => {
            const expected = { data: { Post: [{ title: 'Disabled post' }] } }
            await expect(action()).resolves.toMatchObject(expected)
          })
        })
      })
    })
  })
 })