- Forwards-compatibility for graphql 1.10.0
- Support 1.10.0.pre1's input object argument `loads:` authorization
- Continue authorizing input object arguments
- Use millisecond-aware string format for datetimes in cursors
- Support multiple subscriptions in one document
- Support custom `#can_can_ability` methods on query context for CanCanIntegration
- Support custom `#pundit_user` method on query context for PunditIntegration
- Fix off-by-one error when paginating backwards from the last item in a stable relation connection
- Include expected HMAC digest in OperationStore debug output
- Include content-length and content-type headers in OperationStore JSON responses
- Support stable connections ordered by Arel SQL literals
- Support stable connections on realized views (which don't have primary keys)
- Pundit integration: support `pundit_policy_class` String names when scoping connections
- Add `GraphQL::Pro::Defer`, implementing `@defer` for streaming responses
- Pundit integration: correctly authorize fields when Query root is nil
- Pundit integration: use overridden `pundit_policy_class` for scoping and mutation authorization
- Pundit integration: Fields use the owner's configured `pundit_policy_class` if there is one
- Pundit integration: avoid conflicts with `#initialize` for schema classes that don't need it
- Support inheritance with `pundit_policy_class(...)`
- Support `pundit_policy_class(...)` and `pundit_policy_class:` to manually specify a class or class name.
- Inject `context` into policy lookup hooks instead of just the user
- Extract `pundit_policy` and `scope_by_pundit_policy` hooks for user override
- Properly render subscription context in dashboard
- Don't pass arrays to Pundit scopes (fixes rmosolgo#2008)
- Prepare for future compat with graphql-ruby 1.9
- Include table name when adding a default order-by-id to ActiveRecord Relations
- Raise if a required cursor attribute is missing
- Improve `rake routes` output for operation store endpoint
- Support already-parsed queries in subscription RedisStorage
- Derp, remove the dummy app's `.log` files from the gem bundle
- Fix ordering bug when a SQL function call doesn't have an explicit order
- Fix Pusher reference in AblySubscriptions
- Add `GraphQL::Pro::AblySubscriptions` for GraphQL subscriptions over Ably.io transport
- Support `NULLS LAST` in stable cursors
- Improve operation store models to work when `config.active_record.primary_key_prefix_type` is set
- Support Rails 3.2 with OperationStore
- Use `.select` to filter items in CanCanIntegration
- Properly send an ability and the configured `can_can_action` to `.accessible_by`
- Use a string (not integer) for `Content-Length` header in the dashboard
- `PunditIntegration`: instead of raising `MutationAuthorizationFailed` when an argument fails authorization, it will send a `GraphQL::UnauthorizedError` to your `Schema.unauthorized_object` hook. (This is what all other authorization failures do.) To retain the previous behavior, in your base mutation, add:

  ```ruby
  def unauthorized_by_pundit(owner, value)
    # Raise a runtime error to halt query execution
    raise "#{value} failed #{owner}'s auth check"
  end
  ```

  Otherwise, customize the handling of this behavior with `Schema.unauthorized_object`.
- Auth: mutation arguments which have authorization constraints but don't load an object from the database will have the mutation instance passed to the auth check, not the input value.
- Add `GraphQL::Pro::CanCanIntegration` which leverages GraphQL-Ruby's built-in auth
- `PunditIntegration`: Don't try to authorize loaded objects when they're `nil`
- Update `PunditIntegration` for arguments, unions, interfaces and mutations
- Add a new `PunditIntegration` which leverages the built-in authorization methods
- Authorization: fix scoping lists of abstract type when there's no `#scope` method on the strategy
- Fix ordering of authorization field instrumenter (put it at the end, not the beginning of the list)
- Authorization: Add `view`/`access`/`authorize` methods to `GraphQL::Schema::Mutation`
- Authorization: when a `fallback:` configuration is given, apply it to each field which doesn't have a configuration of its own or from its return type. Don't apply that configuration at schema level (it's applied to each otherwise uncovered field instead).
- Support Mongoid::Criteria in authorization scoping
- Fix authorization code for when `ActiveRecord` is not defined
- Use a more permissive regexp (`/^\s*((?:[a-z._]+)\(.*\))\s*(asc|desc)?\s*$/im`) to parse SQL functions
- Fix route helpers to support class-based schemas
- Support `1.8-pre` versions of GraphQL-Ruby
- Fix OperationStore when other query instrumenters need `.query_string`
- Support `LEAST(...)` in stable cursors
- Support `CASE ... END` in stable cursors
- Support `FIELD(...)` in stable cursors
- Improve detection of `OperationStore` for the dashboard
- Serve `Content-Type` and `Content-Length` headers with dashboard pages
- Better `Dashboard#inspect` for Rails routes output
- Use a string to apply order-by-primary-key for better Rails 3 support
- Support `composite_primary_keys` gem
- `GraphQL::Pro::UI` renamed to `GraphQL::Pro::Dashboard`
- Routing method `.ui` was renamed to `.dashboard`
- Added `GraphQL::Pro::Subscriptions`
- Added subscriptions component to Dashboard
- Don't crash when scoping lists of abstract types with Pundit
- Use `authorize(:pundit, namespace: )` to look up policies in a namespace instead of the global namespace.
- Introspection data is allowed through `fallback:` `authorize:` and `access:` filters. (It can be hidden with a `view:` filter.)
- Properly return `nil` when a list of authorized objects returns `nil`
- Add `authorization(..., operation_store:)` option for authorizing operation store requests
- Support `ConnectionType.bidirectional_pagination?` in stable RelationConnection
- Fix load issue when Rails is not present
- Fix OperationStore views on PostgreSQL
- Fix stable cursors when joined tables have the same column names

  Note: This is implemented by adding extra fields to the `SELECT` clause with aliases like `cursor_#{idx}`, so you'll notice this in your SQL logs.
- Bump `graphql` dependency to `1.6`
- Routing extensions moved to `using GraphQL::Pro::Routes`
- Deprecate `using GraphQL::Pro`, move extensions to `GraphQL::Pro::Routes`
- Add `GraphQL::Pro::OperationStore` for persisted queries with Rails
- Update `authorization` to use type-level `resolve_type` hooks
- Update authorization instrumentation for `graphql >= 1.6.5`
- Fix typo in RelationConnection source
- Correctly fall back to offset-based cursors with `before:` argument
- Add `Schema#unauthorized_object(obj, ctx)` hook for failed runtime checks
- Prevent usage of `parent_role:` with `view:` or `access:` (since parent role requires a runtime check)
- Fix versioned, encrypted cursors with 16-byte legacy cursors
- `OrderedRelationConnection` supports ordering by joined fields
- Update auth plugin for new Relay instrumenters
- `Pro::Encoder` supports `encoder(...)` as documented
- Fix compatibility of `RelationConnection` and `RangeAdd` helper
- Add `:datadog` monitoring
- `ActiveRecord::Relation`s can be scoped by Pundit `Scope`s, CanCan `accessible_by`, or custom strategy's `#scope(gate, relation)` methods
- Default authorization configuration can be provided with `authorization(..., fallback: { ... })`
- Authorization's `:current_user` key can be customized with `authorization(..., current_user: ...)`
- Serve static, persisted queries with `GraphQL::Pro::Repository`
- Fix compatibility of `RelationConnection` and `RangeAdd` helper
- Raise `GraphQL::Pro::RelationConnection::InvalidRelationError` when a grouped, unordered relation is returned from a field. (This relation can't be stably paginated.)
- Formally support ActiveRecord `>= 4.1.0`
- Support grouped relations in `GraphQL::Pro::RelationConnection`
- Authorize fields based on their parent object, for example:

  ```ruby
  AccountType = GraphQL::ObjectType.define do
    name "Account"
    # This field is visible to all users:
    field :name, types.String
    # This is only visible when the current user is an `:owner`
    # of this account
    field :account_balance, types.Int, authorize: { parent_role: :owner }
  end
  ```
- Fix monitoring when `Query#selected_operation` is nil
- Add AppSignal monitoring platform
- Add type- and field-level opting in and opting out of monitoring
- Add `monitor_scalars: false` to skip monitoring on scalars
- Fix `OrderedRelationConnection` when neither `first` nor `last` are provided (use `max_page_size` or don't limit)
- `OrderedRelationConnection` exposes more metadata methods: `parent`, `field`, `arguments`, `max_page_size`, `first`, `after`, `last`, `before`
- When an authorization check fails on a non-null field, propagate the null and add a response to the errors key (as if the field had returned null). It previously leaked the internal symbol `__graphql_pro_access_not_allowed__`.
- Apply a custom Pundit policy even when the value isn't `nil`. (It previously fell back to `Pundit.policy`, skipping a `pundit_policy_name` configuration.)
- `OrderedRelationConnection` exposes the underlying relation as `#nodes` (like `RelationConnection` does), supporting custom connection fields.
- CanCan integration now supports a custom `Ability` class with the `ability_class:` option:

  ```ruby
  authorize :cancan, ability_class: CustomAbility
  ```
- `GraphQL::Pro` released
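
To show what the "more permissive regexp" entry above accepts and rejects, the following added example (not GraphQL::Pro's own code) applies the quoted pattern to constructed ORDER BY fragments. The helper name `parse_function_order`, the returned hash shape and the sample fragments are assumptions; how the gem uses the match internally is not shown in this changelog.

```ruby
# Pattern quoted in the changelog entry; everything else here is illustrative.
SQL_FUNCTION_ORDER = /^\s*((?:[a-z._]+)\(.*\))\s*(asc|desc)?\s*$/im

# Hypothetical helper: split one ORDER BY fragment into the function-call
# expression and its optional direction. Returns nil when the pattern does
# not apply to the fragment.
def parse_function_order(fragment)
  m = SQL_FUNCTION_ORDER.match(fragment)
  return nil unless m

  { expression: m[1], direction: m[2]&.downcase }
end

# Constructed sample fragments (not taken from the gem or its tests).
SAMPLES = [
  "LEAST(created_at, updated_at) DESC",  # function call with direction
  "FIELD(status, 'open', 'closed')",     # function call, no direction
  "pg_catalog.lower(name) asc",          # '.' and '_' are allowed in the name
  "users.name ASC",                      # plain column: no parentheses, no match
  "md5(email) asc",                      # digits are not in [a-z._], no match
  "CASE WHEN a THEN 1 ELSE 2 END DESC",  # not a function call, no match
  "lower(a) desc, upper(b) asc"          # greedy .* runs to the last ')'
].freeze

# Pair every sample with its parse result.
def report
  SAMPLES.map { |fragment| [fragment, parse_function_order(fragment)] }
end

if __FILE__ == $PROGRAM_NAME
  report.each { |fragment, parsed| puts "#{fragment.inspect} => #{parsed.inspect}" }
end
```

The last sample is the case to check when reviewing order strings: because `.*` is greedy, a comma-separated list is captured as a single expression, with only the final direction split off.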