debian-mirror-gitlab/app/controllers/graphql_controller.rb

99 lines
2.7 KiB
Ruby
Raw Normal View History

2018-12-05 23:21:45 +05:30
# frozen_string_literal: true
2018-11-08 19:23:39 +05:30
class GraphqlController < ApplicationController
# Unauthenticated users have access to the API for public data
skip_before_action :authenticate_user!
2020-03-09 13:42:32 +05:30
skip_around_action :set_session_storage
2019-07-07 11:18:12 +05:30
# Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
# the user won't be authenticated but can proceed as an anonymous user.
#
# If a CSRF is valid, the user is authenticated. This makes it easier to play
# around in GraphiQL.
protect_from_forgery with: :null_session, only: :execute
2018-11-08 19:23:39 +05:30
2019-07-07 11:18:12 +05:30
before_action :authorize_access_api!
before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
2018-11-08 19:23:39 +05:30
2020-04-08 14:13:33 +05:30
# Since we deactivate authentication from the main ApplicationController and
# defer it to :authorize_access_api!, we need to override the bypass session
# callback execution order here
around_action :sessionless_bypass_admin_mode!, if: :sessionless_user?
2018-11-08 19:23:39 +05:30
def execute
2019-09-04 21:01:54 +05:30
result = multiplex? ? execute_multiplex : execute_query
2018-11-08 19:23:39 +05:30
render json: result
end
rescue_from StandardError do |exception|
log_exception(exception)
render_error("Internal server error")
end
rescue_from Gitlab::Graphql::Variables::Invalid do |exception|
render_error(exception.message, status: :unprocessable_entity)
end
2019-10-12 21:52:04 +05:30
rescue_from Gitlab::Graphql::Errors::ArgumentError do |exception|
render_error(exception.message, status: :unprocessable_entity)
end
2018-11-08 19:23:39 +05:30
private
2019-09-04 21:01:54 +05:30
def execute_multiplex
GitlabSchema.multiplex(multiplex_queries, context: context)
end
def execute_query
variables = build_variables(params[:variables])
operation_name = params[:operationName]
GitlabSchema.execute(query, variables: variables, context: context, operation_name: operation_name)
end
def query
params[:query]
end
def multiplex_queries
params[:_json].map do |single_query_info|
{
query: single_query_info[:query],
variables: build_variables(single_query_info[:variables]),
operation_name: single_query_info[:operationName],
context: context
}
end
end
def context
@context ||= { current_user: current_user }
end
def build_variables(variable_info)
Gitlab::Graphql::Variables.new(variable_info).to_h
end
def multiplex?
params[:_json].present?
end
2019-07-07 11:18:12 +05:30
def authorize_access_api!
access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
end
2018-11-08 19:23:39 +05:30
# Overridden from the ApplicationController to make the response look like
# a GraphQL response. That is nicely picked up in Graphiql.
def render_404
render_error("Not found!", status: :not_found)
end
def render_error(message, status: 500)
error = { errors: [message: message] }
render json: error, status: status
end
end