feat(graphql): allow to disable the introspection query #5711
What do you think of this feature? If you are OK with such an improvement, I will update the documentation and tests.
src/GraphQl/Executor.php
Outdated
/** | ||
* {@inheritdoc} | ||
*/ | ||
public function executeQuery(Schema $schema, $source, mixed $rootValue = null, mixed $context = null, array $variableValues = null, string $operationName = null, callable $fieldResolver = null, array $validationRules = null): ExecutionResult | ||
{ | ||
$validationRules[] = new DisableIntrospection( |
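Review bot: `$validationRules` defaults to `null` in the signature, and the append on the last line of this hunk runs without checking for that. In PHP, appending to a null variable silently creates a one-element array, so the variable is no longer null afterwards and holds only the `DisableIntrospection` rule. Decide explicitly what the null case should mean, build the rule list for it before the append, and cover both the null and the non-null case with a unit test.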
You need to handle the case where `$validationRules` is `null`.
I updated the code to instantiate the rule globally for both reasons:
- it will not create a new rule (`new DisableIntrospection()`) on each GraphQL query
- the configuration yaml-file sets up the bundle globally

... but the code is now in the constructor.

@alanpoulain are you ok with that, or should I keep the previous logic (create the rule in the `executeQuery()` method)?
I think it's a nice feature, thanks. I'm not sure you can write functional tests, but unit ones should be fine.
Thank you @epourail!
For security reasons, the introspection query should be disabled to not expose the schema.
This PR allows enabling/disabling the introspection query through the bundle configuration:
By default, the introspection is enabled to avoid BC and keep the current behavior.
TODO: