Simply working code, real examples
## Wishlist

- Standard Rails setup (followed https://github.com/rubynor/rails-setup)
- Simple queries
- Complex relation with habtm models
- Example Data Leak
- Example No Leak
- Example DB-Optimized nested queries
## Standard Rails setup

```sh
bundle
cp config/database.yml.sample config/database.yml
rails db:setup
foreman s
# localhost:3000
# sign in with ole@example.com pwd dummy123
```
## Example Data Leak

Implementation with a query leaking data:

```graphql
query {
  companyLeak(id: "1") {
    id
    name
    transactionLogs {
      id
      companyId
      activityAt
    }
    accountants {
      id
      name
      transactionLogs {
        id
        companyId
        activityAt
      }
    }
  }
}
```
Response:

```json
{
  "data": {
    "companyLeak": {
      "id": "1",
      "name": "AwesomeCo",
      "transactionLogs": [
        {
          "id": "1",
          "companyId": "1",
          "activityAt": "2019-10-12 14:44:21 UTC"
        }
      ],
      "accountants": [
        {
          "id": "1",
          "name": "Mr. Smith",
          "transactionLogs": [
            {
              "id": "1",
              "companyId": "1",
              "activityAt": "2019-10-12 14:44:21 UTC"
            },
            {
              "id": "2",
              "companyId": "2",
              "activityAt": "2019-10-11 14:44:21 UTC"
            }
          ]
        }
      ]
    }
  }
}
```
THE LEAK: `"companyId": "2"`. A transaction log of company 2 shouldn't show up inside the item for company 1.

The problem is that the nested `transactionLogs` field under `accountants` is not doing its DB query with `company_id = 1`: the accountant is shared between companies (habtm), so the field returns every log the accountant has, regardless of which company is the parent of the current item.

The same happens if you query `companies`: each company listed will show transaction logs of the other company.

TODO: https://stackoverflow.com/questions/58363666/graphql-ruby-scoping-in-habtm-data-leak-in-nested-query
## Example No Leak

Solution provided by Ahmadali: https://github.com/ahmadali1/graphql-ruby-training-ground

See the code under `graphql/types/example_no_leak_v1`.

Query:

```graphql
query {
  companiesNoLeakV1 {
    id
    name
    transactionLogs {
      id
      companyId
      activityAt
    }
    accountants {
      id
      name
      transactionLogs {
        id
        companyId
        activityAt
      }
    }
  }
}
```
Response:

```json
{
  "data": {
    "companiesNoLeakV1": [
      {
        "id": "1",
        "name": "AwesomeCo",
        "transactionLogs": [
          {
            "id": "1",
            "companyId": "1",
            "activityAt": "2019-10-12 16:40:13 UTC"
          }
        ],
        "accountants": [
          {
            "id": "1",
            "name": "Mr. Smith",
            "transactionLogs": [
              {
                "id": "1",
                "companyId": "1",
                "activityAt": "2019-10-12 16:40:13 UTC"
              }
            ]
          }
        ]
      },
      {
        "id": "2",
        "name": "BoringCo",
        "transactionLogs": [
          {
            "id": "2",
            "companyId": "2",
            "activityAt": "2019-10-11 16:40:13 UTC"
          }
        ],
        "accountants": [
          {
            "id": "1",
            "name": "Mr. Smith",
            "transactionLogs": [
              {
                "id": "2",
                "companyId": "2",
                "activityAt": "2019-10-11 16:40:13 UTC"
              }
            ]
          }
        ]
      }
    ]
  }
}
```
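The two examples above, as an added plain-Ruby sketch (not code from this repo or from Ahmadali's solution, and no graphql-ruby dependency): the leaking resolution returns every log of a shared accountant, the scoped resolution carries the parent company id down to the nested field, and `leaked_log_ids` is a check you can run over any company object in a GraphQL JSON response to flag logs whose `companyId` differs from the parent. The sample data and helper names are constructed for illustration.

```ruby
TransactionLog = Struct.new(:id, :company_id, :activity_at)
Company        = Struct.new(:id, :name, :accountant_ids)
Accountant     = Struct.new(:id, :name)

# Constructed data mirroring the README: Mr. Smith keeps the books for both
# companies, so the habtm join gives him one transaction log per company.
LOGS        = [TransactionLog.new(1, 1, '2019-10-12 14:44:21 UTC'),
               TransactionLog.new(2, 2, '2019-10-11 14:44:21 UTC')]
COMPANIES   = [Company.new(1, 'AwesomeCo', [1]), Company.new(2, 'BoringCo', [1])]
ACCOUNTANTS = [Accountant.new(1, 'Mr. Smith')]
ACCOUNTANT_LOGS = { 1 => [1, 2] } # accountant_id => transaction_log ids (join table)

def logs_for_accountant(accountant)
  ACCOUNTANT_LOGS.fetch(accountant.id, []).map { |lid| LOGS.find { |l| l.id == lid } }
end

def log_json(log)
  { 'id' => log.id.to_s, 'companyId' => log.company_id.to_s, 'activityAt' => log.activity_at }
end

# Leaky resolution: the nested transactionLogs field only sees its parent
# accountant, so it returns logs from every company that accountant serves.
def resolve_company_leak(company)
  accountants = ACCOUNTANTS.select { |a| company.accountant_ids.include?(a.id) }
  { 'id' => company.id.to_s, 'name' => company.name,
    'accountants' => accountants.map { |a|
      { 'id' => a.id.to_s, 'name' => a.name,
        'transactionLogs' => logs_for_accountant(a).map { |l| log_json(l) } }
    } }
end

# Scoped resolution: carry the parent company id down to the nested field and
# filter by it, which is what a `where(company_id: company.id)` does in the DB query.
def resolve_company_scoped(company)
  accountants = ACCOUNTANTS.select { |a| company.accountant_ids.include?(a.id) }
  { 'id' => company.id.to_s, 'name' => company.name,
    'accountants' => accountants.map { |a|
      scoped = logs_for_accountant(a).select { |l| l.company_id == company.id }
      { 'id' => a.id.to_s, 'name' => a.name,
        'transactionLogs' => scoped.map { |l| log_json(l) } }
    } }
end

# Response check for one company object from the GraphQL JSON: every log under it
# (direct or via accountants) must carry that company's id. Returns leaked log ids.
def leaked_log_ids(company_json)
  logs = Array(company_json['transactionLogs']) +
         Array(company_json['accountants']).flat_map { |a| Array(a['transactionLogs']) }
  logs.reject { |l| l['companyId'] == company_json['id'] }.map { |l| l['id'] }
end
```

Running `leaked_log_ids` over the `companyLeak` response above returns `["2"]`, and over each entry of `companiesNoLeakV1` returns `[]`.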
## Example DB-Optimized nested queries

TODO: need some good skillz here. Create a PR :-)
MIT license, not that you should be using this repo for anything beyond training :D
We do startups. Ruby, Norway. http://rubynor.com Yep :-)