- OperationStore supports a
redis:backend - OperationStore supports an arbitrary
backend_class:for persistence operations
- Use a loop when clearing Redis subscription state to avoid large stack traces #2701
- Handle empty subscription keys when publishing updates #2061
- Improve backwards compat with OperationStore (Improve adding
.tracer, use.graphql_namewhen indexing)
- Fix OperationStore on class-based schemas with query instrumenters that use the query string
GraphQL::Pro::Monitoringis deprecated; see Tracing for a replacement: https://graphql-ruby.org/queries/tracing.htmlGraphQL::Pro::Repositoryis deprecated; see OperationStore for a replacement: https://graphql-ruby.org/operation_store/overview.html
- New stable connection support based on GraphQL-Ruby 1.10's new pagination implementation. New classes provide better handling of
NULLvalues in order-by columns and they can be applied on a field-by-field basis(GraphQL::Pro::SqliteStableRelationConnection,GraphQL::Pro::MySQLStableRelationConnection,GraphQL::Pro::PostgresStableRelationConnection).
- Add the Access query analyzer to class-based schemas
- Forwards-compatibility for graphql 1.10.0
- Support 1.10.0.pre1's input object argument
loads:authorization
- Continue authorizing input object arguments
- Use millisecond-aware string format for datetimes in cursors
- Support multiple subscriptions in one document
- Support custom
#can_can_abilitymethods on query context for CanCanIntegration - Support custom
#pundit_usermethod on query context for PunditIntegration
- Fix off-by-one error when paginating backwards from the last item in a stable relation connection
- Include expected HMAC digest in OperationStore debug output
- Include content-length and content-type headers in OperationStore JSON responses
- Support stable connections ordered by Arel SQL literals
- Support stable connections on realized views (which don't have primary keys)
- Pundit integration: support
pundit_policy_classString names when scoping connections
- Add
GraphQL::Pro::Defer, implementing@deferfor streaming responses
- Pundit integration: correctly authorize fields when Query root is nil
- Pundit integration: use overriden
pundit_policy_classfor scoping and mutation authorization
- Pundit integration: Fields use the owner's configured
pundit_policy_classif there is one - Pundit integration: avoid conflicts with
#initializefor schema classes that don't need it
- Support inheritance with
pundit_policy_class(...)
- Support
pundit_policy_class(...)andpundit_policy_class:to manually specify a class or class name.
- Inject
contextinto policy lookup hooks instead of just the user
- Extract
pundit_policyandscope_by_pundit_policyhooks for user override
- Properly render subscription context in dashboard
- Don't pass arrays to Pundit scopes (fixes rmosolgo#2008)
- Prepare for future compat with graphql-ruby 1.9
- Include table name when adding a default order-by-id to ActiveRecord Relations
- Raise if a required cursor attribute is missing
- Improve
rake routesoutput for operation store endpoint - Support already-parsed queries in subscription RedisStorage
- Derp, remove the dummy app's
.logfiles from the gem bundle - Fix ordering bug when a SQL function call doesn't have an explicit order
- Fix Pusher reference in AblySubscriptions
- Add
GraphQL::Pro::AblySubscriptionsfor GraphQL subscriptions over Ably.io transport
- Support
NULLS LASTin stable cursors
- Improve operation store models to work when
config.active_record.primary_key_prefix_typeis set
- Support Rails 3.2 with OperationStore
- Use
.selectto filter items in CanCanIntegration
- Properly send an ability and the configured
can_can_actionto.accessible_by - Use a string (not integer) for
Content-Lengthheader in the dashboard
-
PunditIntegration: instead of raisingMutationAuthorizationFailedwhen an argument fails authorization, it will send aGraphQL::UnauthorizedErrorto yourSchema.unauthorized_objecthook. (This is what all other authorization failures do.) To retain the previous behavior, in your base mutation, add:def unauthorized_by_pundit(owner, value) # Raise a runtime error to halt query execution raise "#{value} failed #{owner}'s auth check" end
Otherwise, customize the handling of this behavior with
Schema.unauthorized_object.
- Auth: mutation arguments which have authorization constraints but don't load an object from the database will have mutation instance passed to the auth check, not the input value.
- Add
GraphQL::Pro::CanCanIntegrationwhich leverages GraphQL-Ruby's built-in auth
PunditIntegration: Don't try to authorize loaded objects when they'renil
- Update
PunditIntegrationfor arguments, unions, interfaces and mutations
- Add a new
PunditIntegrationwhich leverages the built-in authorization methods
- Authorization: fix scoping lists of abstract type when there's no
#scopemethod on the strategy
- Fix ordering of authorization field instrumenter (put it at the end, not the beginning of the list)
- Authorization: Add
view/access/authorizemethods toGraphQL::Schema::Mutation
- Authorization: when a
fallback:configuration is given, apply it to each field which doesn't have a configuration of its own or from its return type. Don't apply that configuration at schema level (it's applied to each otherwise uncovered field instead).
- Support Mongoid::Criteria in authorization scoping
- Fix authorization code for when
ActiveRecordis not defined
- Use a more permissive regexp (
/^\s*((?:[a-z._]+)\(.*\))\s*(asc|desc)?\s*$/im) to parse SQL functions
- Fix route helpers to support class-based schemas
- Support
1.8-preversions of GraphQL-Ruby
- Fix OperationStore when other query instrumenters need
.query_string
- Support
LEAST(...)in stable cursors
- Support
CASE ... ENDin stable cursors
- Support
FIELD(...)in stable cursors
- Improve detection of
OperationStorefor the dashboard - Serve
Content-TypeandContent-Lengthheaders with dashboard pages - Better
Dashboard#inspectfor Rails routes output - Use a string to apply order-by-primary-key for better Rails 3 support
- Support
composite_primary_keysgem
GraphQL::Pro::UIrenamed toGraphQL::Pro::Dashboard
- Routing method
.uiwas renamed to.dashboard
- Added
GraphQL::Pro::Subscriptions - Added subscriptions component to Dashboard
- Don't crash when scoping lists of abstract types with Pundit
- Use
authorize(:pundit, namespace: )to lookup policies in a namespace instead of the global namespace.
- Introspection data is allowed through
fallback:authorize:andaccess:filters. (It can be hidden with aview:filter.)
- Properly return
nilwhen a list of authorized objects returnsnil
- Add
authorization(..., operation_store:)option for authorizing operation store requests
- Support
ConnectionType.bidrectional_pagination?in stable RelationConnection
- Fix load issue when Rails is not present
-
Fix OperationStore views on PostgresQL
-
Fix stable cursors when joined tables have the same column names
Note: This is implemented by adding extra fields to the
SELECTclause with aliases likecursor_#{idx}, so you'll notice this in your SQL logs.
- Bump
graphqldependency to1.6
- Routing extensions moved to
using GraphQL::Pro::Routes
- Deprecate
using GraphQL::Pro, move extensions toGraphQL::Pro::Routes
- Add
GraphQL::Pro::OperationStorefor persisted queries with Rails
- Update
authorizationto use type-levelresolve_typehooks
- Update authorization instrumentation for
graphql >= 1.6.5
- Fix typo in RelationConnection source
- Correctly fall back to offset-based cursors with
before:argument
- Add
Schema#unauthorized_object(obj, ctx)hook for failed runtime checks
- Prevent usage of
parent_role:withview:oraccess:(since parent role requires a runtime check) - Fix versioned, encrypted cursors with 16-byte legacy cursors
OrderedRelationConnectionsupports ordering by joined fields
- Update auth plugin for new Relay instrumenters
Pro::Encodersupportsencoder(...)as documented
- Fix compatibility of
RelationConnectionandRangeAddhelper
- Add
:datadogmonitoring
ActiveRecord::Relations can be scoped by PunditScopes, CanCanaccessible_by, or custom strategy's#scope(gate, relation)methods- Default authorization configuration can be provided with
authorization(..., fallback: { ... }) - Authorization's
:current_userkey can be customized withauthorization(..., current_user: ...)
- Serve static, persisted queries with
GraphQL::Pro::Repository
- Fix compatibility of
RelationConnectionandRangeAddhelper
- Raise
GraphQL::Pro::RelationConnection::InvalidRelationErrorwhen a grouped, unordered relation is returned from a field. (This relation can't be stably paginated.)
- Formally support ActiveRecord
>= 4.1.0
- Support grouped relations in
GraphQL::Pro::RelationConnection
-
Authorize fields based on their parent object, for example:
AccountType = GraphQL::ObjectType.define do name "Account" # This field is visible to all users: field :name, types.String # This is only visible when the current user is an `:owner` # of this account field :account_balance, types.Int, authorize: { parent_role: :owner } end
- Fix monitoring when
Query#selected_operationis nil
- Add AppSignal monitoring platform
- Add type- and field-level opting in and opting out of monitoring
- Add
monitor_scalars: falseto skip monitoring on scalars
- Fix
OrderedRelationConnectionwhen neitherfirstnorlastare provided (usemax_page_sizeor don't limit)
OrderedRelationConnectionexposes more metadata methods:parent,field,arguments,max_page_size,first,after,last,before
- When an authorization check fails on a non-null field, propagate the null and add a response to the errors key (as if the field had returned null). It previously leaked the internal symbol
__graphql_pro_access_not_allowed__. - Apply a custom Pundit policy even when the value isn't
nil. (It previously fell back toPundit.policy, skipping apundit_policy_nameconfiguration.)
OrderedRelationConnectionexposes the underlying relation as#nodes(likeRelationConnectiondoes), supporting custom connection fields.
-
CanCan integration now supports a custom
Abilityclass with theability_class:option:authorize :cancan, ability_class: CustomAbility
GraphQL::Proreleased