Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
34d436b7
Commit
34d436b7
authored
Dec 16, 2020
by
Alex Kalderimis
Committed by
Marcia Ramos
Dec 16, 2020
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[DOCS] Explain that resolvers return null for unresolved resources
parent
548ba5c2
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
26 additions
and
0 deletions
+26
-0
doc/development/api_graphql_styleguide.md
doc/development/api_graphql_styleguide.md
+26
-0
No files found.
doc/development/api_graphql_styleguide.md
View file @
34d436b7
...
...
@@ -803,6 +803,32 @@ overhead. If you are writing:
-
A
`Mutation`
, feel free to lookup objects directly.
-
A
`Resolver`
or methods on a
`BaseObject`
, then you want to allow for batching.
### Error handling
Resolvers may raise errors, which will be converted to top-level errors as
appropriate. All anticipated errors should be caught and transformed to an
appropriate GraphQL error (see
[
`Gitlab::Graphql::Errors`
](
https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/graphql/errors.rb
)
).
Any uncaught errors will be suppressed and the client will receive the message
`Internal service error`
.
The one special case is permission errors. In the REST API we return
`404 Not Found`
for any resources that the user does not have permission to
access. The equivalent behavior in GraphQL is for us to return
`null`
for
all absent or unauthorized resources.
Query resolvers
**should not raise errors for unauthorized resources**
.
The rationale for this is that clients must not be able to distinguish between
the absence of a record and the presence of one they do not have access to. To
do so is a security vulnerability, since it leaks information we want to keep
hidden.
In most cases you don't need to worry about this - this is handled correctly by
the resolver field authorization we declare with the
`authorize`
DSL calls. If
you need to do something more custom however, remember, if you encounter an
object the
`current_user`
does not have access to when resolving a field, then
the entire field should resolve to
`null`
.
### Deriving resolvers (`BaseResolver.single` and `BaseResolver.last`)
For some simple use cases, we can derive resolvers from others.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment