`one_of` directive doesn't work in `InputObject`s with `ActionController::Parameters` about graphql-ruby HOT 4 CLOSED

Thanks for sharing that background info. What do you think of using .to_unsafe_h?

Yes, ActionController::Parameters mostly works for variables since the keys are referenced by name. But one_of requires mass access (.size), which ActionController::Parameters doesn't allow. Maybe it'd be theoretically possible to call .permit(...) and whitelist incoming keys, but that would require either significant ahead-of-time analysis (to know what keys the incoming query string expects to use) or additional runtime processing (eg, each argument and input object manually .permiting its keys). Since calling .to_unsafe_h is much easier, and doesn't cause any security issues in this case, I'm happy recommending it. Do you think it's a good fit in your case?

from graphql-ruby.

Hey, sorry for the trouble and thanks for the detailed report. The gem's current suggestion is to use .to_unsafe_h on incoming parameters:

Although it's not usually the right thing to do, I think it makes sense in GraphQL's case because the query itself will validate the variable values.

What do you think of that approach?

from graphql-ruby.

The gem's current suggestion is to use .to_unsafe_h on incoming parameters:

👋🏻 I should've mentioned in my report that I'd seen that recommended in another not-quite-the-same-but-similar issue and tried it out but it ended up creating some additional side-quests in my real-world use case. Some of those complications on my end are worth solving on their own, but I figured I'd reach out about the support story since it seems unexpected that ActionController::Parameters are largely supported as variables, unless you happen to make use of one_of.

from graphql-ruby.

Yup the reasoning makes sense to me and I think we'll be able to make that conversion. Appreciate the help!

from graphql-ruby.