Merge branch 'master' into defer-docs

Author: rmosolgo

CHANGELOG-pro.md

@@ -8,6 +8,10 @@
 
 ### Bug Fix
 
+## 1.9.13 (4 Mar 2019)
+
+- Pundit integration: correctly authorize fields when Query root is nil
+
 ## 1.9.12 (22 Feb 2019)
 
 - Pundit integration: use overriden `pundit_policy_class` for scoping and mutation authorization

graphql.gemspec

@@ -15,6 +15,13 @@ Gem::Specification.new do |s|
   s.email       = ["[email protected]"]
   s.license     = "MIT"
   s.required_ruby_version = ">= 2.2.0" # bc `.to_sym` used on user input
+  s.metadata    = {
+    "homepage_uri" => "https://graphql-ruby.org",
+    "changelog_uri" => "https://github.com/rmosolgo/graphql-ruby/blob/master/CHANGELOG.md",
+    "source_code_uri" => "https://github.com/rmosolgo/graphql-ruby",
+    "bug_tracker_uri" => "https://github.com/rmosolgo/graphql-ruby/issues",
+    "mailing_list_uri"  => "https://tinyletter.com/graphql-ruby",
+  }
 
   s.files = Dir["{lib}/**/*", "MIT-LICENSE", "readme.md", ".yardopts"]
   s.test_files = Dir["spec/**/*"]

guides/index.html

@@ -31,7 +31,7 @@ <h2>Define Your Schema</h2>
       <div class="teaser">
         <p>
           Describe your application with the
-          <a href="{{ site.baseurl }}/schema/definition">GraphQL type system</a>
+          <a href="{{ site.baseurl }}/schema/definition">GraphQL schema</a>
           to create a self-documenting, strongly-typed API.
         </p>
       </div>

guides/pro/checksums/graphql-pro-1.9.13.txt

@@ -0,0 +1 @@
+074391c2bdc294a1ec027d043a6bf172f70bf5ff75f0062821cabd5ce7469c88a3b60a0ed644e8bae178fdd9db26acef20b0721fcc708c1825da256ec5f2b4fb

lib/graphql/execution/interpreter/runtime.rb

@@ -200,10 +200,10 @@ def evaluate_selections(path, owner_object, owner_type, selections, root_operati
 
             field_result = resolve_with_directives(object, ast_node) do
               # Actually call the field resolver and capture the result
-              app_result = query.trace("execute_field", {field: field_defn, path: next_path}) do
+              app_result = query.trace("execute_field", {owner: owner_type, field: field_defn, path: next_path}) do
                 field_defn.resolve(object, kwarg_arguments, context)
               end
-              after_lazy(app_result, field: field_defn, path: next_path) do |inner_result|
+              after_lazy(app_result, owner: owner_type, field: field_defn, path: next_path) do |inner_result|
                 continue_value = continue_value(next_path, inner_result, field_defn, return_type.non_null?, ast_node)
                 if HALT != continue_value
                   continue_field(next_path, continue_value, field_defn, return_type, ast_node, next_selections, false)
@@ -277,7 +277,7 @@ def continue_field(path, value, field, type, ast_node, next_selections, is_non_n
             r
           when "UNION", "INTERFACE"
             resolved_type_or_lazy = query.resolve_type(type, value)
-            after_lazy(resolved_type_or_lazy, path: path, field: field) do |resolved_type|
+            after_lazy(resolved_type_or_lazy, owner: type, path: path, field: field) do |resolved_type|
               possible_types = query.possible_types(type)
 
               if !possible_types.include?(resolved_type)
@@ -297,7 +297,7 @@ def continue_field(path, value, field, type, ast_node, next_selections, is_non_n
             rescue GraphQL::ExecutionError => err
               err
             end
-            after_lazy(object_proxy, path: path, field: field) do |inner_object|
+            after_lazy(object_proxy, owner: type, path: path, field: field) do |inner_object|
               continue_value = continue_value(path, inner_object, field, is_non_null, ast_node)
               if HALT != continue_value
                 response_hash = {}
@@ -318,7 +318,7 @@ def continue_field(path, value, field, type, ast_node, next_selections, is_non_n
               idx += 1
               set_type_at_path(next_path, inner_type)
               # This will update `response_list` with the lazy
-              after_lazy(inner_value, path: next_path, field: field) do |inner_inner_value|
+              after_lazy(inner_value, owner: inner_type, path: next_path, field: field) do |inner_inner_value|
                 # reset `is_non_null` here and below, because the inner type will have its own nullability constraint
                 continue_value = continue_value(next_path, inner_inner_value, field, false, ast_node)
                 if HALT != continue_value
@@ -384,7 +384,7 @@ def resolve_if_late_bound_type(type)
         # @param field [GraphQL::Schema::Field]
         # @param eager [Boolean] Set to `true` for mutation root fields only
         # @return [GraphQL::Execution::Lazy, Object] If loading `object` will be deferred, it's a wrapper over it.
-        def after_lazy(obj, field:, path:, eager: false)
+        def after_lazy(obj, owner:, field:, path:, eager: false)
           @interpreter_context[:current_path] = path
           @interpreter_context[:current_field] = field
           if schema.lazy?(obj)
@@ -393,14 +393,14 @@ def after_lazy(obj, field:, path:, eager: false)
               @interpreter_context[:current_field] = field
               # Wrap the execution of _this_ method with tracing,
               # but don't wrap the continuation below
-              inner_obj = query.trace("execute_field_lazy", {field: field, path: path}) do
+              inner_obj = query.trace("execute_field_lazy", {owner: owner, field: field, path: path}) do
                 begin
                   schema.sync_lazy(obj)
                 rescue GraphQL::ExecutionError, GraphQL::UnauthorizedError => err
                   yield(err)
                 end
               end
-              after_lazy(inner_obj, field: field, path: path, eager: eager) do |really_inner_obj|
+              after_lazy(inner_obj, owner: owner, field: field, path: path, eager: eager) do |really_inner_obj|
                 yield(really_inner_obj)
               end
             end

lib/graphql/tracing.rb

@@ -42,8 +42,8 @@ module GraphQL
   # execute_multiplex | `{ multiplex: GraphQL::Execution::Multiplex }`
   # execute_query | `{ query: GraphQL::Query }`
   # execute_query_lazy | `{ query: GraphQL::Query?, multiplex: GraphQL::Execution::Multiplex? }`
-  # execute_field | `{ context: GraphQL::Query::Context::FieldResolutionContext?, field: GraphQL::Schema::Field?, path: Array<String, Integer>?}`
-  # execute_field_lazy | `{ context: GraphQL::Query::Context::FieldResolutionContext?, field: GraphQL::Schema::Field?, path: Array<String, Integer>?}`
+  # execute_field | `{ context: GraphQL::Query::Context::FieldResolutionContext?, owner: Class?, field: GraphQL::Schema::Field?, path: Array<String, Integer>?}`
+  # execute_field_lazy | `{ context: GraphQL::Query::Context::FieldResolutionContext?, owner: Class?, field: GraphQL::Schema::Field?, path: Array<String, Integer>?}`
   #
   # Note that `execute_field` and `execute_field_lazy` receive different data in different settings:
   #

lib/graphql/tracing/platform_tracing.rb

@@ -32,8 +32,9 @@ def trace(key, data)
             trace_field = true # implemented with instrumenter
           else
             field = data[:field]
+            owner = data[:owner]
             # Lots of duplicated work here, can this be done ahead of time?
-            platform_key = platform_field_key(field.owner, field)
+            platform_key = platform_field_key(owner, field)
             return_type = field.type.unwrap
             # Handle LateBoundTypes, which don't have `#kind`
             trace_field = if return_type.respond_to?(:kind) && (return_type.kind.scalar? || return_type.kind.enum?)

spec/graphql/schema/introspection_system_spec.rb

@@ -18,6 +18,15 @@
       assert_equal "Set", res["data"]["__classname"]
     end
 
+    it "calls authorization methods of those types" do
+      res = Jazz::Schema.execute(%|{ __type(name: "Ensemble") { name } }|)
+      assert_equal "ENSEMBLE", res["data"]["__type"]["name"]
+
+      unauth_res = Jazz::Schema.execute(%|{ __type(name: "Ensemble") { name } }|, context: { cant_introspect: true })
+      assert_nil unauth_res["data"].fetch("__type")
+      assert_equal ["You're not allowed to introspect here"], unauth_res["errors"].map { |e| e["message"] }
+    end
+
     it "serves custom dynamic fields" do
       res = Jazz::Schema.execute("{ nowPlaying { __typename __typenameLength __astNodeClass } }")
       assert_equal "Ensemble", res["data"]["nowPlaying"]["__typename"]

spec/graphql/tracing/new_relic_tracing_spec.rb

@@ -3,7 +3,13 @@
 
 describe GraphQL::Tracing::NewRelicTracing do
   module NewRelicTest
+    class Thing < GraphQL::Schema::Object
+      implements GraphQL::Types::Relay::Node
+    end
+
     class Query < GraphQL::Schema::Object
+      add_field GraphQL::Types::Relay::NodeField
+
       field :int, Integer, null: false
 
       def int
@@ -14,6 +20,16 @@ def int
     class SchemaWithoutTransactionName < GraphQL::Schema
       query(Query)
       use(GraphQL::Tracing::NewRelicTracing)
+      orphan_types(Thing)
+
+      def self.object_from_id(_id, _ctx)
+        :thing
+      end
+
+      def self.resolve_type(_type, _obj, _ctx)
+        Thing
+      end
+
       if TESTING_INTERPRETER
         use GraphQL::Execution::Interpreter
       end
@@ -37,6 +53,11 @@ class SchemaWithScalarTrace < GraphQL::Schema
     NewRelic.clear_all
   end
 
+  it "works with the built-in node field, even though it doesn't have an @owner" do
+    res = NewRelicTest::SchemaWithoutTransactionName.execute '{ node(id: "1") { __typename } }'
+    assert_equal "Thing", res["data"]["node"]["__typename"]
+  end
+
   it "can leave the transaction name in place" do
     NewRelicTest::SchemaWithoutTransactionName.execute "query X { int }"
     assert_equal [], NewRelic::TRANSACTION_NAMES

spec/support/jazz.rb

@@ -682,6 +682,14 @@ def custom_method
 
   module Introspection
     class TypeType < GraphQL::Introspection::TypeType
+      def self.authorized?(_obj, ctx)
+        if ctx[:cant_introspect]
+          raise GraphQL::ExecutionError, "You're not allowed to introspect here"
+        else
+          super
+        end
+      end
+
       def name
         n = object.graphql_name
         n && n.upcase