Do not serve templates & fields without Access Control enabled.

Author: dadish

src/Config.php

@@ -24,25 +24,27 @@ public function __construct(ProcessGraphQL $module)
 
   public function get($key)
   {
+    $super = Utils::user()->isSuperuser();
     switch ($key) {
       case 'maxLimit':
       case 'fullWidthGraphiQL':
       case 'legalPageFields':
       case 'legalPageFileFields':
         return $this->module->$key;
-      case 'legalTemplates':
-        return $this->getLegalTemplates();
       case 'legalViewTemplates':
+        if ($super) return $this->getLegalTemplates();
         return $this->getLegalTemplatesForPermission('page-view');
       case 'legalCreateTemplates':
+        if ($super) return $this->getLegalTemplates();
         return $this->getLegalTemplatesForPermission('page-create');
       case 'legalEditTemplates':
+        if ($super) return $this->getLegalTemplates();
         return $this->getLegalTemplatesForPermission('page-edit');
-      case 'legalFields':
-        return $this->getLegalFields();
       case 'legalViewFields':
+        if ($super) return $this->getLegalFields();
         return $this->getLegalFieldsForPermission('view');
       case 'legalEditFields':
+        if ($super) return $this->getLegalFields();
         return $this->getLegalFieldsForPermission('edit');
       default:
         return parent::get($key);
@@ -52,13 +54,12 @@ public function get($key)
   protected function getLegalTemplates()
   {
     $legalTemplates = $this->module->legalTemplates;
-    $templates = Utils::templates()->find("name=" . implode('|', $legalTemplates));
-    return $templates;
+    return Utils::templates()->find("name=" . implode('|', $legalTemplates));
   }
 
   protected function getLegalTemplatesForPermission($permission = 'page-view')
   {
-    $templates = $this->getLegalTemplates();
+    $templates = $this->getLegalTemplates()->find("useRoles=1");
     foreach ($templates as $template) {
       if (!Utils::user()->hasTemplatePermission($permission, $template)) {
         $templates->remove($template);
@@ -70,14 +71,12 @@ protected function getLegalTemplatesForPermission($permission = 'page-view')
   protected function getLegalFields()
   {
     $legalFields = $this->module->legalFields;
-    $fields = Utils::fields()->find("name=" . implode('|', $legalFields));
-    if (Utils::user()->isSuperuser()) return $fields;
-    return $fields->find("useRoles=1");
+    return Utils::fields()->find("name=" . implode('|', $legalFields));
   }
 
   protected function getLegalFieldsForPermission($permission = 'view')
   {
-    $fields = $this->getLegalFields();
+    $fields = $this->getLegalFields()->find("useRoles=1");
     $rolesType = $permission . "Roles";
     foreach ($fields as $field) {
       if (!$this->userHasPermission($field->$rolesType)) {

src/Type/InterfaceType/PageInterfaceType.php

@@ -23,15 +23,15 @@ public function build($config)
   {
     $fields = self::getPageFields();
     $legalPageFields = Utils::moduleConfig()->legalPageFields;
-    
+
     foreach ($fields as $fieldName => $fieldClassName) {
       if (!in_array($fieldName, $legalPageFields)) continue;
       $className = "ProcessWire\\GraphQL\\Field\\Page\\$fieldClassName";
       $config->addField(new $className());
     }
 
     // add global fields too
-    $legalFields = Utils::moduleConfig()->legalFields;
+    $legalFields = Utils::moduleConfig()->legalViewFields;
     foreach ($legalFields as $field) {
       if ($field->flags & Field::flagGlobal) {
         $className = "\\ProcessWire\\GraphQL\\Field\\Page\\Fieldtype\\" . $field->type->className();
@@ -72,4 +72,4 @@ public static function getPageFields()
     ];
   }
 
-}
+}

src/Type/Object/TemplatedPageType.php

@@ -37,7 +37,7 @@ public function getDescription()
 
   public function build($config)
   {
-    $legalFields = Utils::moduleConfig()->legalFields;
+    $legalFields = Utils::moduleConfig()->legalViewFields;
     $config->applyInterface(new PageInterfaceType());
     foreach ($this->template->fields as $field) {
       if (!$legalFields->has($field)) continue;
@@ -53,4 +53,4 @@ public function getInterfaces()
       return [new PageInterfaceType()];
   }
 
-}
+}