Refuse to execute query if it contains unexpected definitions. Closes #…

…62
sangria-graphql · May 23, 2016 · 620934b · 620934b
1 parent 4973614
commit 620934b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/src/main/scala/sangria/execution/Executor.scala b/src/main/scala/sangria/execution/Executor.scala
@@ -112,9 +112,16 @@ case class Executor[Ctx, Root](
     if (document.operations.size != 1 && operationName.isEmpty)
       Failure(OperationSelectionError("Must provide operation name if query contains multiple operations", exceptionHandler))
     else {
-      val operation = operationName flatMap (opName ⇒ document.operations get Some(opName)) orElse document.operations.values.headOption
+      val unexpectedDefinition = document.definitions.find(d ⇒ !(d.isInstanceOf[ast.OperationDefinition] || d.isInstanceOf[ast.FragmentDefinition]))
 
-      operation map (Success(_)) getOrElse Failure(OperationSelectionError(s"Unknown operation name: ${operationName.get}", exceptionHandler))
+      unexpectedDefinition match {
+        case Some(unexpected) ⇒
+          Failure(new ExecutionError(s"GraphQL cannot execute a request containing a ${unexpected.getClass.getSimpleName}.", exceptionHandler))
+        case None ⇒
+          val operation = operationName flatMap (opName ⇒ document.operations get Some(opName)) orElse document.operations.values.headOption
+
+          operation map (Success(_)) getOrElse Failure(OperationSelectionError(s"Unknown operation name: ${operationName.get}", exceptionHandler))
+      }
     }
 
   def executeOperation[Input](

diff --git a/src/test/scala/sangria/execution/ExecutorSpec.scala b/src/test/scala/sangria/execution/ExecutorSpec.scala
@@ -635,5 +635,22 @@ class ExecutorSpec extends WordSpec with Matchers with FutureResultSupport {
                 "field" → "defFutFail",
                 "locations" → List(Map("line" → 4, "column" → 11))))))
     }
+
+    "fails to execute a query containing a type definition" in {
+      val Success(doc) = QueryParser.parse(
+        """
+          { a }
+
+          type Query { foo: String }
+        """)
+
+      val schema = Schema(DataType)
+
+      val error = intercept[ExecutionError] {
+        Executor.execute(schema, doc, root = new TestSubject,userContext = Ctx()).await
+      }
+
+      error.getMessage should be ("GraphQL cannot execute a request containing a ObjectTypeDefinition.")
+    }
   }
 }