Azure · ayush3797 · Nov 11, 2022 · Nov 7, 2022 · Nov 7, 2022 · Nov 10, 2022
@@ -234,16 +234,23 @@ public async Task EntityRoleOperationResourceTest()
         // Negative tests where authorization fails for Find requests with no $f filter query string parameter
         [DataRow(new string[] { "col1", "col2", "col3", "col4", "col5" }, DisplayName = "Find - Request all allowed + 1 disallowed column(s)")]
         [DataRow(new string[] { "col1", "col5", "col6", "col7", "col9" }, DisplayName = "Find - Request 1 allowed + > 1 disallowed column(s)")]
+        [DataRow(new string[] { }, false, false, DisplayName = "Find - Request on entity with no included columns. The request url contains no key,select,orderby,filter.")]
         #pragma warning restore format
         [TestMethod]
-        public async Task FindColumnPermissionsTests(string[] columnsRequestedInput)
+        public async Task FindColumnPermissionsTests(string[] columnsRequestedInput,
+            bool areAllowedExposedColumns = true,
+            bool expectedAuthorizationResult = true)
         {
             IEnumerable<string> columnsRequested = new List<string>(
                 columnsRequestedInput);
-            IEnumerable<string> allowedColumns = new List<string>(
-               new string[] { "col1", "col2", "col3", "col4" });
+            IEnumerable<string> allowedColumns = new List<string>();
+
+            if (areAllowedExposedColumns)
+            {
+                allowedColumns = new List<string>(new string[] { "col1", "col2", "col3", "col4" });
+            }
+
             bool areColumnsAllowed = true;
-            bool expectedAuthorizationResult = true;
 
             // Creates Mock AuthorizationResolver to return a preset result based on [TestMethod] input.
             Mock<IAuthorizationResolver> authorizationResolver = new();

@@ -190,6 +190,12 @@ public Task HandleAsync(AuthorizationHandlerContext context)
                             // - For other operation types, columnsToCheck is a result of identifying
                             // any reference to a column in all parts of a request (body, URL, querystring)
                             IEnumerable<string> fieldsReturnedForFind = _authorizationResolver.GetAllowedExposedColumns(entityName, roleName, operation);
+                            if (fieldsReturnedForFind.Count() == 0)
+                            {
+                                // READ operations with no accessible fields fail authorization.
+                                context.Fail();
+                            }
+
                             restContext.UpdateReturnFields(fieldsReturnedForFind);
                         }
                         else

@@ -146,19 +146,6 @@ public SqlQueryStructure(
             IsListQuery = context.IsMany;
             TableAlias = $"{DatabaseObject.SchemaName}_{DatabaseObject.Name}";
             AddFields(context, sqlMetadataProvider);
-            if (Columns.Count == 0)
-            {
-                SourceDefinition sourceDefinition = GetUnderlyingSourceDefinition();
-                foreach (KeyValuePair<string, ColumnDefinition> column in sourceDefinition.Columns)
-                {
-                    // We only include columns that are exposed for use in requests
-                    if (sqlMetadataProvider.TryGetExposedColumnName(EntityName, column.Key, out string? name))
-                    {
-                        AddColumn(column.Key, name!);
-                    }
-                }
-            }
-
             foreach (KeyValuePair<string, object> predicate in context.PrimaryKeyValuePairs)
             {
                 sqlMetadataProvider.TryGetBackingColumn(EntityName, predicate.Key, out string? backingColumn);