Admin Mode not working properly with GraphiQL
With the Admin Mode feature enabled, an admin cannot use GraphiQL for administrative actions. The cause is that GraphiQL authenticates through the session, while the GraphQL controller deliberately does not initialize session storage. Since there is no session storage, and Admin Mode does not treat this request as sessionless access (such as token-based API access), it has nowhere to store the admin mode flag that activates the elevated privileges.
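The mechanism described above, as an added example that is not GitLab code: a small Ruby model of a request-scoped session store, a sessionless bypass, and an admin-mode check that reads its flag from that store. `CurrentSession`, `AdminModeCheck` and `simulate_request` are assumed names for illustration; the `init_session` parameter stands in for whether the around action that sets session storage ran for the request.

```ruby
# Added example, not GitLab code: a minimal model of why the admin-mode flag
# needs request-scoped session storage, and how sessionless access differs.

# Request-scoped store, in the spirit of an around_action that sets the
# current session for the duration of one request (names are assumptions).
module CurrentSession
  def self.with(session)
    previous = Thread.current[:current_session]
    Thread.current[:current_session] = session
    yield
  ensure
    Thread.current[:current_session] = previous
  end

  def self.current
    Thread.current[:current_session]
  end
end

class AdminModeCheck
  ADMIN_MODE_KEY = :admin_mode_enabled

  def initialize(admin:, sessionless:)
    @admin = admin
    @sessionless = sessionless
  end

  # Sessionless (token) access for an admin bypasses the flag entirely; a
  # session-authenticated admin must have enabled admin mode in the session.
  def admin_mode?
    return false unless @admin
    return true if @sessionless
    session = CurrentSession.current
    return false if session.nil? # no storage initialised: nowhere to read the flag
    session[ADMIN_MODE_KEY] == true
  end
end

# Simulates one request: init_session mirrors whether the around action that
# sets session storage ran (false reproduces the GraphiQL problem described above).
def simulate_request(admin:, sessionless:, session:, init_session:)
  check = AdminModeCheck.new(admin: admin, sessionless: sessionless)
  if init_session
    CurrentSession.with(session) { check.admin_mode? }
  else
    check.admin_mode?
  end
end
```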
The following discussion from !28454 (merged) should be addressed:
@mkozono I thought that would work; however, it looks like we avoid initializing a session in the API in !21922 (merged). The admin mode feature works by storing a flag in the session, so without a session, this won't work. Perhaps something like this would solve the problem:
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index 522d171b5bf..8b758fdce8a 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -3,7 +3,7 @@ class GraphqlController < ApplicationController # Unauthenticated users have access to the API for public data skip_before_action :authenticate_user! - skip_around_action :set_session_storage + skip_around_action :set_session_storage, if: :sessionless_user? # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing, # the user won't be authenticated but can proceed as an anonymous user.
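Review bot: the new condition `if: :sessionless_user?` on `skip_around_action :set_session_storage` depends on a predicate that is not defined in the visible lines; confirm `sessionless_user?` is available on `ApplicationController` and returns false for a cookie-authenticated GraphiQL request, otherwise the around action is still skipped there and the admin-mode flag remains unreachable. The hunk also carries no spec change; a request spec that fetches admin-only data through a session-authenticated GraphiQL request with admin mode enabled, alongside one confirming token-based access still skips session storage, would pin both sides of the behaviour.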
I think the tests in !21922 (diffs) cover all cases, so it's worth a try. Perhaps we'd need a test for admin-data using a session as well?
Bear in mind that this limitation only applies to GraphiQL, which uses a session to authenticate; calling the API with an admin token should JustWork®.