diff --git a/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SalaryInput.java b/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SalaryInput.java
index 27869b03..c40652c9 100644
--- a/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SalaryInput.java
+++ b/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SalaryInput.java
@@ -23,6 +23,11 @@ public class SalaryInput {
 private BigDecimal newSalary;
+ public SalaryInput(String employeeId, BigDecimal newSalary) {
+ this.employeeId = employeeId;
+ this.newSalary = newSalary;
+ }
+
 public String getEmployeeId() {
 return employeeId;
 }
diff --git a/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SecurityConfig.java b/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SecurityConfig.java
index 7a51dcc2..5dad854d 100644
--- a/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SecurityConfig.java
+++ b/samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SecurityConfig.java
@@ -14,7 +14,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
 @Configuration
 @EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true)
+@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
 public class SecurityConfig {
 @Bean
diff --git a/samples/webmvc-http-security/src/main/resources/graphql/schema.graphqls b/samples/webmvc-http-security/src/main/resources/graphql/schema.graphqls
index 7687c854..af5236b6 100644
--- a/samples/webmvc-http-security/src/main/resources/graphql/schema.graphqls
+++ b/samples/webmvc-http-security/src/main/resources/graphql/schema.graphqls
@@ -14,7 +14,7 @@ type Employee {
 input UpdateSalaryInput {
 employeeId: ID!
- salary: String!
+ newSalary: String!
 }
 type UpdateSalaryPayload {
 success: Boolean!
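Review bot: The constructor added in SalaryInput.java is the only constructor visible in the hunk, so the implicit no-arg constructor is gone and input binding presumably now goes through this one, matching its parameter names against the `UpdateSalaryInput` fields; that would explain the `salary` to `newSalary` rename in schema.graphqls. Nothing in the code records that coupling, so a comment such as `// Parameter names must match the UpdateSalaryInput fields in schema.graphqls` would keep a later rename from silently breaking the mutation. The constructor also stores both values unchecked; unless something outside the hunk validates them, a null or negative `newSalary` reaches the salary update as-is. The rest of the class lies outside the hunk.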
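Review bot: In SecurityConfig.java, `securedEnabled = true` only matters for methods annotated with `@Secured`, and no such method is visible in this diff. If the salary mutation already carried that annotation, it was presumably being ignored until this change, which deserves a sentence in the commit message. `@Secured` compares authority strings literally, so it needs the full name including the `ROLE_` prefix, unlike `hasRole(...)` inside `@PreAuthorize`; running both styles in one sample invites that mistake. A short comment above the annotation, e.g. `// securedEnabled: needed for the @Secured check on the salary mutation`, would document why both modes are on. The class body continues outside the hunk.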
diff --git a/samples/webmvc-http-security/src/test/java/io/spring/sample/graphql/WebMvcHttpSecuritySampleTests.java b/samples/webmvc-http-security/src/test/java/io/spring/sample/graphql/WebMvcHttpSecuritySampleTests.java
index f7c3d609..8a17b5ef 100644
--- a/samples/webmvc-http-security/src/test/java/io/spring/sample/graphql/WebMvcHttpSecuritySampleTests.java
+++ b/samples/webmvc-http-security/src/test/java/io/spring/sample/graphql/WebMvcHttpSecuritySampleTests.java
@@ -8,6 +8,8 @@ import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.graphql.execution.ErrorType;
 import org.springframework.graphql.test.tester.WebGraphQlTester;
+import java.math.BigDecimal;
+
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -72,6 +74,21 @@ class WebMvcHttpSecuritySampleTests {
 });
 }
+ @Test
+ void canNotMutationUpdateSalary() {
+ WebGraphQlTester tester = this.graphQlTester.mutate().build();
+ SalaryInput salaryInput = new SalaryInput("1", BigDecimal.valueOf(44));
+
+ tester.documentName("updateSalary")
+ .variable("salaryInput", salaryInput)
+ .execute()
+ .errors()
+ .satisfy(errors -> {
+ assertThat(errors).hasSize(1);
+ assertThat(errors.get(0).getErrorType()).isEqualTo(ErrorType.UNAUTHORIZED);
+ });
+ }
+
 @Test
 void canQuerySalaryAsAdmin() {
diff --git a/samples/webmvc-http-security/src/test/resources/graphql-test/updateSalary.graphql b/samples/webmvc-http-security/src/test/resources/graphql-test/updateSalary.graphql
new file mode 100644
index 00000000..02eda7d7
--- /dev/null
+++ b/samples/webmvc-http-security/src/test/resources/graphql-test/updateSalary.graphql
@@ -0,0 +1,9 @@
+mutation updateSalary($salaryInput: UpdateSalaryInput!) {
+ updateSalary(input: $salaryInput) {
+ success
+ employee {
+ id
+ name
+ }
+ }
+}
\ No newline at end of file
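Review bot: `canNotMutationUpdateSalary` in WebMvcHttpSecuritySampleTests.java covers only the anonymous caller, since the tester comes from `this.graphQlTester.mutate().build()` with no credentials. It therefore proves the `UNAUTHORIZED` path but not that an authenticated user lacking the required role is rejected. A sibling test that authenticates as a non-admin user and expects `ErrorType.FORBIDDEN`, plus one admin success case, would pin down the authorization rule itself rather than just the authentication gate. The variable is also built from a `BigDecimal`, which presumably serialises as a JSON number while the schema declares `newSalary: String!`; a string-valued variable would keep the test independent of scalar coercion leniency. A name such as `canNotUpdateSalaryWhenAnonymous` would state the scenario more clearly.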