Comments (4)
Thanks for sharing that background info. What do you think of using .to_unsafe_h?

Yes, ActionController::Parameters mostly works for variables since the keys are referenced by name. But one_of requires mass access (.size), which ActionController::Parameters doesn't allow. Maybe it'd be theoretically possible to call .permit(...) and whitelist incoming keys, but that would require either significant ahead-of-time analysis (to know what keys the incoming query string expects to use) or additional runtime processing (e.g., each argument and input object manually .permit-ing its keys). Since calling .to_unsafe_h is much easier, and doesn't cause any security issues in this case, I'm happy recommending it. Do you think it's a good fit in your case?
from graphql-ruby.
Hey, sorry for the trouble and thanks for the detailed report. The gem's current suggestion is to use .to_unsafe_h on incoming parameters:

graphql-ruby/lib/generators/graphql/templates/graphql_controller.erb, lines 38 to 39 in adb80e8

Although it's not usually the right thing to do, I think it makes sense in GraphQL's case because the query itself will validate the variable values.

What do you think of that approach?
from graphql-ruby.
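The conversion discussed in the two comments above (a plain Hash so the schema's one_of validation gets mass access, with .to_unsafe_h accepted only because the schema validates variable names and types), written out as an added example. This is not the gem's generator template and not code posted in the thread. It duck-types the Rails object through to_unsafe_h so it runs without Rails; FakeStrongParams is a constructed stand-in for ActionController::Parameters, and VariablesError, prepare_variables and deep_stringify_keys are names chosen for this example.

```ruby
require "json"

# Added example (not graphql-ruby's generator code): normalize the `variables`
# request parameter into a plain Hash before handing it to Schema.execute.
#
# Why a plain Hash: as the thread notes, one_of validation needs mass access to
# the input object (e.g. `.size`), which the strong-parameters object does not
# provide. Calling `to_unsafe_h` is acceptable *here* only because the schema
# validates every variable's name and type before any resolver sees it; the
# same call in front of a mass assignment such as Model.create(params) would
# reintroduce exactly the problem strong parameters exist to prevent.
class VariablesError < ArgumentError; end

def prepare_variables(variables_param)
  case variables_param
  when String
    variables_param.strip.empty? ? {} : parse_variables_json(variables_param)
  when Hash
    deep_stringify_keys(variables_param)
  when nil
    {}
  else
    # Duck-type the Rails object instead of naming the constant, so this runs
    # without Rails. Assumption: to_unsafe_h returns a HashWithIndifferentAccess
    # whose to_h is a plain string-keyed Hash.
    if variables_param.respond_to?(:to_unsafe_h)
      deep_stringify_keys(variables_param.to_unsafe_h.to_h)
    else
      raise VariablesError, "Unexpected variables parameter type: #{variables_param.class}"
    end
  end
end

def parse_variables_json(json)
  parsed = JSON.parse(json)
  # GraphQL variables must be an object: reject arrays, scalars and `null`
  # here instead of letting a surprise type reach the schema.
  raise VariablesError, "variables must be a JSON object" unless parsed.is_a?(Hash)
  parsed
rescue JSON::ParserError => e
  raise VariablesError, "variables is not valid JSON: #{e.message}"
end

# Recursively convert symbol keys to strings so a Hash built in Ruby and one
# parsed from JSON look the same to the schema.
def deep_stringify_keys(value)
  case value
  when Hash  then value.each_with_object({}) { |(k, v), h| h[k.to_s] = deep_stringify_keys(v) }
  when Array then value.map { |v| deep_stringify_keys(v) }
  else value
  end
end

# Constructed stand-in for ActionController::Parameters, used only so the
# example runs without Rails. It mimics the two behaviours that matter here:
# no mass access (`size` is not available) and `to_unsafe_h` returning the raw data.
class FakeStrongParams
  def initialize(hash)
    @hash = hash
  end

  def to_unsafe_h
    @hash
  end

  def size
    raise NoMethodError, "size is not delegated by strong parameters"
  end
end

if __FILE__ == $PROGRAM_NAME
  raw = FakeStrongParams.new({ "input" => { "byId" => "42" } })
  vars = prepare_variables(raw)
  # A one_of check needs mass access: exactly one key must be set.
  p vars["input"].size == 1 # true on the plain Hash; `raw.size` would raise
end
```

The type-check in parse_variables_json is the part worth keeping even if the rest is replaced by the generator's own code: a top-level JSON array or scalar in `variables` is a malformed request and should be rejected in the controller rather than passed through.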
> The gem's current suggestion is to use .to_unsafe_h on incoming parameters:

👋🏻 I should've mentioned in my report that I'd seen that recommended in another not-quite-the-same-but-similar issue and tried it out, but it ended up creating some additional side-quests in my real-world use case. Some of those complications on my end are worth solving on their own, but I figured I'd reach out about the support story since it seems unexpected that ActionController::Parameters are largely supported as variables, unless you happen to make use of one_of.
from graphql-ruby.
Yup the reasoning makes sense to me and I think we'll be able to make that conversion. Appreciate the help!
from graphql-ruby.