Just to make sure, you've mentioned "If you restrict public access to a certain user group"
This feature only restricts access to members, not users.
If you want to restrict backoffice users from accessing certain nodes in the backoffice then I recommend looking into the permissions each user group has :)
If you would like this as a feature then please raise a feature request instead 👍
@RyuLindow So unless you protect the API, the "Restrict public access" feature is pointless? Since anyone could just query the GraphQL API instead of the REST API and get the results out.
The public access feature is only for members and Content Delivery API.
The best use case for it would be an intranet where different members have access to different content pages etc.
> Since anyone could just query the GraphQL API instead of the REST API and get the results out
I'm not sure how that would be possible without knowing the necessary headers and names of the content properties 🤔
Just to clarify, the public access feature is only for members and for requesting content using member auth.
Issue description
If you restrict public access to a certain user group, then GraphQL still returns the result regardless of whether you provide an "Authorization" header.
This seems to be a huge security loophole?
An example of this can be seen here:
Trying to access the same resource from the REST API correctly gives me a permission denied unless a bearer token is provided:
