Add config option to disable introspection query #361
Conversation
There was a problem hiding this comment.
Hi first of all thank you for the contribution @BitEcodes . The branch 0.11 is normally freeze (don't allow no more feature) but since this is related to security I think we can keep it on this version. But this should not introduce no BC. Some minor changes but this look good to me otherwise 👍 .
| #app/config/config.yml | ||
| overblog_graphql: | ||
| security: | ||
| disable_introspection: '%kernel.debug%' |
There was a problem hiding this comment.
replace by disable_introspection: false since this example will disable introspection only in debug mode (dev environment by example)
There was a problem hiding this comment.
or just renaming the config entry enable_introspection will ease the usage of %kernel.debug% parameter. What do you think of that?
There was a problem hiding this comment.
Yes, i think that is probably the best solution. I will change this today or tomorrow and I will add the necessary change to have the introspection enabled by default to avoid any BC issues.
| @@ -6,5 +6,6 @@ Security | |||
| * [Fields public control](fields-public-control.md) | |||
| * [Limiting query depth](limiting-query-depth.md) | |||
| * [Query complexity analysis](query-complexity-analysis.md) | |||
| * [Disable introspection](disable_introspection.md) | |||
There was a problem hiding this comment.
please also add this entry to main readme file.
| Disable introspection | ||
| ===================== | ||
|
|
||
| This bundle supports [webonyx/graphql-php validation rule to disable introspection queries](webonyx/graphql-php). |
|
Great contribution! |
This PR adds a configuration setting to disable introspection queries. See http://webonyx.github.io/graphql-php/security/#disabling-introspection
I have added a test case, but 12 tests did already fail on branch 0.11.