Ignore current impersonation for sensitive operations (#1479)

SeedCompany · Sep 21, 2023 · 5bb01f1 · 5bb01f1
1 parent fd45a71
commit 5bb01f1
Showing 1 changed file with 18 additions and 10 deletions.
diff --git a/src/api/client/links/impersonation.link.ts b/src/api/client/links/impersonation.link.ts
@@ -1,18 +1,26 @@
 import { setContext } from '@apollo/client/link/context';
 import { pickBy } from 'lodash';
 import { RefObject } from 'react';
+import { GqlSensitiveOperations } from '../../operationsList';
 import { Impersonation } from '../ImpersonationContext';
 
 export const createImpersonationLink = (
   ref?: RefObject<Impersonation | undefined>
 ) =>
-  setContext((req, prev) => ({
-    ...prev,
-    headers: {
-      ...prev.headers,
-      ...pickBy({
-        'x-cord-impersonate-user': ref?.current?.user,
-        'x-cord-impersonate-role': ref?.current?.roles?.join(','),
-      }),
-    },
-  }));
+  setContext((req, prev) => {
+    const isSensitiveOp = req.operationName
+      ? GqlSensitiveOperations.has(req.operationName)
+      : false;
+    const impersonation =
+      ref?.current && !isSensitiveOp ? ref.current : undefined;
+    return {
+      ...prev,
+      headers: {
+        ...prev.headers,
+        ...pickBy({
+          'x-cord-impersonate-user': impersonation?.user,
+          'x-cord-impersonate-role': impersonation?.roles?.join(','),
+        }),
+      },
+    };
+  });