diff --git a/_config/_versioned/config.yml b/_config/_versioned/config.yml new file mode 100644 index 00000000..901da7ba --- /dev/null +++ b/_config/_versioned/config.yml @@ -0,0 +1,25 @@ +modelConfig: + DataObject: + plugins: + versioning: + before: inheritance + operations: + copyToStage: + class: SilverStripe\GraphQL\Modules\Versioned\Operations\CopyToStageCreator + publish: + class: SilverStripe\GraphQL\Modules\Versioned\Operations\PublishCreator + unpublish: + class: SilverStripe\GraphQL\Modules\Versioned\Operations\UnpublishCreator + rollback: + class: SilverStripe\GraphQL\Modules\Versioned\Operations\RollbackCreator + read: + plugins: + readVersion: + before: paginateList + readOne: + plugins: + readVersion: + before: firstResult + delete: + plugins: + unpublishOnDelete: true diff --git a/_config/_versioned/enums.yml b/_config/_versioned/enums.yml new file mode 100644 index 00000000..8ebcb72c --- /dev/null +++ b/_config/_versioned/enums.yml @@ -0,0 +1,50 @@ +VersionedStage: + description: The stage to read from or write to + values: + DRAFT: + value: Stage + description: The draft stage + LIVE: + value: Live + description: The live stage + +VersionedQueryMode: + description: The versioned mode to use + values: + ARCHIVE: + value: archive + description: Read from a specific date of the archive + LATEST: + value: latest_versions + description: Read the latest version + ALL_VERSIONS: + value: all_versions + description: Reads all versionse + DRAFT: + value: Stage + description: Read from the draft stage + LIVE: + value: Live + description: Read from the live stage + STATUS: + value: status + description: Read only records with a specific status + VERSION: + value: version + description: Read a specific version + +VersionedStatus: + description: The stage to read from or write to + values: + PUBLISHED: + value: published + description: Only published records + DRAFT: + value: draft + description: Only draft records + ARCHIVED: + value: archived + description: Only records that have been archived + MODIFIED: + value: modified + description: Only records that have unpublished changes diff --git a/_config/_versioned/types.yml b/_config/_versioned/types.yml new file mode 100644 index 00000000..dff0e8ae --- /dev/null +++ b/_config/_versioned/types.yml @@ -0,0 +1,27 @@ +CopyToStageInputType: + input: true + fields: + id: + type: ID! + description: The ID of the record to copy + fromVersion: + type: Int + description: The source version number to copy + fromStage: + type: VersionedStage + description: The source stage to copy + toStage: + type: VersionedStage + description: The destination state to copy to + +VersionedInputType: + input: true + fields: + mode: VersionedQueryMode = Stage + archiveDate: + type: String + description: The date to use for archive + status: + type: '[VersionedStatus]' + description: If mode is STATUS, specify which versioned statuses + version: Int diff --git a/_config/versioned.yml b/_config/versioned.yml new file mode 100644 index 00000000..f3bcb149 --- /dev/null +++ b/_config/versioned.yml @@ -0,0 +1,21 @@ +--- +Name: graphql-versioned-schema +Only: + moduleexists: 'silverstripe/versioned' +--- +SilverStripe\GraphQL\Schema\Schema: + schemas: + '*': + src: + versionedSrc: 'silverstripe/graphql: _config/_versioned' +--- +Name: graphql-versioned-plugins +Only: + moduleexists: 'silverstripe/versioned' +--- +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\Schema\Registry\PluginRegistry: + constructor: + - 'SilverStripe\GraphQL\Modules\Versioned\Plugins\VersionedDataObject' + - 'SilverStripe\GraphQL\Modules\Versioned\Plugins\UnpublishOnDelete' + - 'SilverStripe\GraphQL\Modules\Versioned\Plugins\VersionedRead' diff --git a/docs/en/01_getting_started/01_activating_the_server.md b/docs/en/01_getting_started/01_activating_the_server.md new file mode 100644 index 00000000..f233ecb0 --- /dev/null +++ b/docs/en/01_getting_started/01_activating_the_server.md @@ -0,0 +1,62 @@ +--- +title: Activating the default server +summary: Open up the default server that comes pre-configured with the module +icon: rocket +--- + +# Getting started + +[CHILDREN asList] + +## Activating the default GraphQL server + +GraphQL is used through a single route, typically `/graphql`. You need +to define *types* and *queries* to expose your data via this endpoint. + +These separate endpoints have their own identifiers. `default` refers to the GraphQL server +in the user space (e.g. `/graphql`) - i.e. your custom schema. You can also [set up a new schema server](#setting-up-a-custom-graphql-server) +if you wish. + +> [!NOTE] +> The word "server" here refers to a route with its own isolated GraphQL schema. It does +> not refer to a web server. + +By default, `silverstripe/graphql` does not route any GraphQL servers. To activate the default, +public-facing GraphQL server that ships with the module, just add a rule to [`Director`](api:SilverStripe\Control\Director). + +```yml +SilverStripe\Control\Director: + rules: + 'graphql': '%$SilverStripe\GraphQL\Controller.default' +``` + +## Setting up a custom GraphQL server + +In addition to the default `/graphql` endpoint provided by this module by default, +you may want to set up another GraphQL server running on the same installation of Silverstripe CMS. + +Let's set up a new controller to handle the requests. + +```yml +SilverStripe\Core\Injector\Injector: + # ... + SilverStripe\GraphQL\Controller.myNewSchema: + class: SilverStripe\GraphQL\Controller + constructor: + schemaKey: myNewSchema +``` + +We'll now need to route the controller. + +```yml +SilverStripe\Control\Director: + rules: + 'my-graphql': '%$SilverStripe\GraphQL\Controller.myNewSchema' +``` + +Now, once you have [configured](configuring_your_schema) and [built](building_the_schema) your schema, you +can access it at `/my-graphql`. + +### Further reading + +[CHILDREN] diff --git a/docs/en/01_getting_started/02_configuring_your_schema.md b/docs/en/01_getting_started/02_configuring_your_schema.md new file mode 100644 index 00000000..7af140ce --- /dev/null +++ b/docs/en/01_getting_started/02_configuring_your_schema.md @@ -0,0 +1,309 @@ +--- +title: Configuring your schema +summary: Add a basic type to the schema configuration +icon: code +--- + +# Getting started + +[CHILDREN asList] + +## Configuring your schema + +GraphQL is a strongly-typed API layer, so having a schema behind it is essential. Simply put: + +- A schema consists of **[types](https://graphql.org/learn/schema/#type-system)** +- **Types** consist of **[fields](https://graphql.org/learn/queries/#fields)** +- **Fields** can have **[arguments](https://graphql.org/learn/queries/#arguments)**. +- **Fields** need to be **[resolved](https://graphql.org/learn/execution/#root-fields-resolvers)** + +**Queries** are just **fields** on a type called "query". They can take arguments, and they +must be resolved. + +There's a bit more to it than that, and if you want to learn more about GraphQL, you can read +the [full documentation](https://graphql.org/learn/), but for now, these three concepts will +serve almost all of your needs to get started. + +> [!TIP] +> It is strongly recommended that you install the [GraphQL devtools](https://github.com/silverstripe/silverstripe-graphql-devtools) module to help with testing your API. +> +> Included in that module is a `GraphQLSchemaInitTask` task to initialise a basic GraphQL schema to get you started. Instructions for using the task are included in the module's README.md. + +### Initial setup + +To start your first schema, open a new configuration file. Let's call it `graphql.yml`. + +```yml +# app/_config/graphql.yml +SilverStripe\GraphQL\Schema\Schema: + schemas: + # your schemas here +``` + +Let's populate a schema that is pre-configured for us out of the box called "default". + +```yml +# app/_config/graphql.yml +SilverStripe\GraphQL\Schema\Schema: + schemas: + default: + config: + # general schema config here + types: + # your generic types here + models: + # your DataObjects here + queries: + # your queries here + mutations: + # your mutations here + enums: + # your enums here +``` + +### Avoid config flushes + +Because the schema definition is only consumed at build time and never used at runtime, it doesn't +make much sense to store it in the configuration layer, because it just means you'll +have to `flush=1` every time you make a schema update, which will slow down your builds. + +It is recommended that you store your schema YAML **outside of the _config directory** to +increase performance and remove the need for flushing when you [build your schema](building_the_schema). + +> [!WARNING] +> This doesn't mean there is never a need to `flush=1` when building your schema. If you were to add a new +> schema, make a change to the value of this `src` attribute, or create new PHP classes, those are still +> standard config changes which won't take effect without a flush. + +We can do this by adding a `src` key to our `app/_config/graphql.yml` schema definition +that maps to a directory relative to the project root. + +```yml +# app/_config/graphql.yml +SilverStripe\GraphQL\Schema\Schema: + schemas: + default: + src: + - app/_graphql +``` + +Your `src` must be an array. This allows further source files to be merged into your schema. +This feature can be use to extend the schema of third party modules. + +> [!NOTE] +> Your directory can also be relative to a module reference, e.g. `somevendor/somemodule: _graphql`: +> +> ```yml +> # app/_config/graphql.yml +> SilverStripe\GraphQL\Schema\Schema: +> schemas: +> default: +> src: +> - app/_graphql +> - module/_graphql +> # The next line would map to `vendor/somevendor/somemodule/_graphql` +> - 'somevendor/somemodule: _graphql' +> ``` + +Now, in the new `app/_graphql` folder, we can create YAML file definitions. + +```yml +# app/_graphql/schema.yml + +# no schema key needed. it's implied! +config: + # your schema config here +types: + # your generic types here +models: + # your DataObjects here +bulkLoad: + # your bulk loader directives here +queries: + # your queries here +mutations: + # your mutations here +enums: + # your enums here +``` + +#### Namespacing your schema files + +Your schema YAML file will get quite bloated if it's just used as a monolithic source of truth +like this. We can tidy this up quite a bit by simply placing the files in directories that map +to the keys they populate -- e.g. `config/`, `types/`, `models/`, `queries/`, `mutations/`, etc. + +There are two approaches to namespacing: + +- By filename +- By directory name + +##### Namespacing by filename + +If the filename is named one of the seven keywords used in the `app/_graphql/schema.yml` example above, it will be implicitly placed +in the corresponding section of the schema - e.g. any configuration +added to `app/_graphql/config.yml` will be implicitly added to +`SilverStripe\GraphQL\Schema\Schema.schemas.default.config`. + +**This only works in the root source directory** (i.e. `app/_graphql/some-directory/config.yml` +will not work). + +```yml +# app/_graphql/config.yml + +# my config here +``` + +```yml +# app/_graphql/types.yml + +# my types here +``` + +```yml +# app/_graphql/models.yml + +# my models here +``` + +```yml +# app/_graphql/enums.yml + +# my enums here +``` + +```yml +# app/_graphql/bulkLoad.yml + +# my bulk loader directives here +``` + +##### Namespacing by directory name + +If you use a parent directory name (at any depth) of one of the seven keywords, it will +be implicitly placed in the corresponding section of the schema - e.g. any configuration +added to a `.yml` file in `app/_graphql/config/` will be implicitly added to +`SilverStripe\GraphQL\Schema\Schema.schemas.default.config`. + +> [!TIP] +> The names of the actual files here do not matter. You could for example have a separate file +> for each of your types, e.g. `app/_graphql/types/my-first-type.yml`. + +```yml +# app/_graphql/config/config.yml + +# my config here +``` + +```yml +# app/_graphql/types/types.yml + +# my types here +``` + +```yml +# app/_graphql/models/models.yml + +# my models here +``` + +```yml +# app/_graphql/enums/enums.yml + +# my enums here +``` + +```yml +# app/_graphql/bulkLoad/bulkLoad.yml + +# my bulk loader directives here +``` + +##### Going even more granular + +These special directories can contain multiple files that will all merge together, so you can even +create one file per type, or some other convention. All that matters is that the parent directory name +*or* the filename matches one of the schema keys. + +The following are perfectly valid: + +- `app/_graphql/config/config.yml` maps to `SilverStripe\GraphQL\Schema\Schema.schemas.default.config` +- `app/_graphql/types/allElementalBlocks.yml` maps to `SilverStripe\GraphQL\Schema\Schema.schemas.default.types` +- `app/_graphql/news-and-blog/models/blog.yml` maps to `SilverStripe\GraphQL\Schema\Schema.schemas.default.models` +- `app/_graphql/mySchema.yml` maps to `SilverStripe\GraphQL\Schema\Schema.schemas.default` + +### Schema config + +Each schema can declare a generic configuration section, `config`. This is mostly used for assigning +or removing plugins and resolvers. + +An important subsection of `config` is `modelConfig`, where you can configure settings for specific +models, e.g. `DataObject`. + +Like the other sections, it can have its own `config.yml`, or just be added as a `config:` +mapping to a generic schema YAML document. + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + plugins: + inheritance: true + operations: + read: + plugins: + readVersion: false + paginateList: false +``` + +You can learn more about plugins and resolvers in the [query plugins](../working_with_dataobjects/query_plugins), +[plugins](../plugins), [building a custom query](../working_with_generic_types/building_a_custom_query#building-a-custom-query), +and [resolver discovery](../working_with_generic_types/resolver_discovery) sections. + +### Defining a basic type + +Let's define a generic type for our GraphQL schema. + +> [!NOTE] +> Generic types don't map to `DataObject` classes - they're useful for querying more 'generic' data (hence the name). +> You'll learn more about adding DataObjects in [working with DataObjects](../working_with_DataObjects). + +```yml +# app/_graphql/types.yml + +Country: + fields: + name: String + code: String + population: Int + languages: '[String]' +``` + +If you're familiar with [GraphQL type language](https://graphql.org/learn/schema/#type-language), +this should look pretty familiar. + +There are only a handful of [scalar types](https://graphql.org/learn/schema/#scalar-types) +available in GraphQL by default. They are: + +- String +- Int +- Float +- Boolean + +To define a type as a list, you wrap it in brackets: `[String]`, `[Int]` + +To define a type as required (non-null), you add an exclamation mark: `String!` + +Often times, you may want to do both: `[String!]!` + +> [!WARNING] +> Look out for the footgun, here. Make sure your bracketed type is in quotes +> (i.e. `'[String]'`, not `[String]`), otherwise it's valid YAML that will get parsed as an array! + +That's all there is to it! To learn how we can take this further, check out the +[working with generic types](../working_with_generic_types) documentation. Otherwise, +let's get started on [**adding some DataObjects**](../working_with_DataObjects). + +### Further reading + +[CHILDREN] diff --git a/docs/en/01_getting_started/03_building_the_schema.md b/docs/en/01_getting_started/03_building_the_schema.md new file mode 100644 index 00000000..bd48f462 --- /dev/null +++ b/docs/en/01_getting_started/03_building_the_schema.md @@ -0,0 +1,112 @@ +--- +title: Building the schema +summary: Turn your schema configuration into executable code +icon: hammer +--- + +# Getting started + +[CHILDREN asList] + +## Building the schema + +The primary API surface of the `silverstripe/graphql` module is the YAML configuration, along +with some [procedural configuration](using_procedural_code). It is important to understand +that **none of this configuration gets interpreted at runtime**. Loading the schema configuration +(which we refer to as the "schema definition") at runtime and converting it to executable code +has dire effects on performance, making API requests slower and slower as the schema grows larger. + +To mitigate this problem, the schema that gets executed at runtime is **generated PHP code**. +This code generation happens during a build step, and it is critical to run this build step +whenever the schema definition changes, or a new schema definition is added. + +### What triggers a GraphQL code build? + +- Any time you run the `dev/graphql/build` command to explicitly build your GraphQL schemas. +- Any time you run the `dev/build` command on your project. +- `silverstripe/graphql` will attempt to generate your schema "on-demand" on the first GraphQL request *only* if it wasn’t already generated. + +> [!WARNING] +> Relying on the "on-demand" schema generation on the first GraphQL request requires some additional consideration. +> See [deploying the schema](deploying_the_schema#on-demand). + +#### Running `dev/graphql/build` + +The main command for generating the schema code is `dev/graphql/build`. + +`vendor/bin/sake dev/graphql/build` + +This command takes an optional `schema` parameter. If you only want to generate a specific schema +(e.g. generate your custom schema, but not the CMS schema), you should pass in the name of the +schema you want to build. + +> [!NOTE] +> If you do not provide a `schema` parameter, the command will build all schemas. + +`vendor/bin/sake dev/graphql/build schema=default` + +> [!NOTE] +> Most of the time, the name of your custom schema is `default`. + +Keep in mind that some of your changes will be in YAML in the `_config/` directory, which also +requires a flush. + +`vendor/bin/sake dev/graphql/build schema=default flush=1` + +#### Building on dev/build + +By default, all schemas will be built during `dev/build`. To disable this, change the config: + +```yml +SilverStripe\GraphQL\Extensions\DevBuildExtension: + enabled: false +``` + +### Caching + +Generating code is a pretty expensive process. A large schema with 50 `DataObject` classes exposing +all their operations can take up to **20 seconds** to generate. This may be acceptable +for initial builds and deployments, but during incremental development this can really +slow things down. + +To mitigate this, the generated code for each type is cached against a signature. +If the type hasn't changed, it doesn't get re-built. This reduces build times to **under one second** for incremental changes. + +#### Clearing the schema cache + +If you want to completely re-generate your schema from scratch, you can add `clear=1` to the `dev/graphql/build` command. + +`vendor/bin/sake dev/graphql/build schema=default clear=1` + +If your schema is producing unexpected results, try using `clear=1` to eliminate the possibility +of a caching issue. If the issue is resolved, record exactly what you changed and [create an issue](https://github.com/silverstripe/silverstripe-graphql/issues/new). + +### Build gotchas + +Keep in mind that it's not always explicit schema definition changes that require a build. +Anything influencing the output of the schema will require a build. This could include +tangential changes such as: + +- Updating the `$db` array (or relationships) of a `DataObject` class that has `fields: '*'` (i.e. include all fields on that class in the schema). +- Adding a new resolver for a type that uses [resolver discovery](../working_with_generic_types/resolver_discovery) +- Adding an extension to a `DataObject` class +- Adding a new subclass of a `DataObject` class that is already exposed + +### Viewing the generated code + +By default, the generated PHP code is placed in the `.graphql-generated/` directory in the root of your project. +It is not meant to be accessible through your webserver, Which is ensured by keeping it outside of the +`public/` webroot and the inclusion of a `.htaccess` file in each schema folder. + +Additional files are generated for CMS operation in `public/_graphql/`, and +those *are* meant to be accessible through your webserver. +See [Tips and Tricks: Schema Introspection](tips_and_tricks#schema-introspection) +to find out how to generate these files for your own schema. + +> [!CAUTION] +> While it is safe for you to view these files, you should not manually alter them. If you need to make a change +> to your GraphQL schema, you should [update the schema definition](configuring_your_schema) and rebuild your schema. + +### Further reading + +[CHILDREN] diff --git a/docs/en/01_getting_started/04_using_procedural_code.md b/docs/en/01_getting_started/04_using_procedural_code.md new file mode 100644 index 00000000..1e356f25 --- /dev/null +++ b/docs/en/01_getting_started/04_using_procedural_code.md @@ -0,0 +1,127 @@ +--- +title: Building a schema with procedural code +summary: Use PHP code to build your schema +icon: tools +--- + +# Getting started + +[CHILDREN asList] + +## Building a schema with procedural code + +Sometimes you need access to dynamic information to populate your schema. For instance, you +may have an enum containing a list of all the languages that are configured for the website. It +wouldn't make sense to build this statically. It makes more sense to have a single source +of truth. + +Internally, model-driven types that conform to the shapes of their models must use procedural +code to add fields, create operations, and more, because the entire premise of model-driven +types is that they're dynamic. So the procedural API for schemas has to be pretty robust. + +Lastly, if you just prefer writing PHP to writing YAML, this is a good option, too. + +> [!WARNING] +> One thing you cannot do with the procedural API, though it may be tempting, is define resolvers +> on the fly as closures. Resolvers must be static methods on a class, and are evaluated during +> the schema build. + +### Adding executable code + +We can use the `execute` section of the config to add an implementation of [`SchemaUpdater`](api:SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater). + +```yml +SilverStripe\GraphQL\Schema\Schema: + schemas: + default: + config: + execute: + - 'App\GraphQL\MySchema' +``` + +Now just implement the [`SchemaUpdater`](api:SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater) interface. + +```php +// app/src/GraphQL/MySchema.php +namespace App\GraphQL; + +use SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater; +use SilverStripe\GraphQL\Schema\Schema; + +class MySchema implements SchemaUpdater +{ + public static function updateSchema(Schema $schema): void + { + // update here + } +} +``` + +### Example code + +Most of the API should be self-documenting, and a good IDE should autocomplete everything you +need, but the key methods map directly to their configuration counterparts: + +- types (`$schema->addType(Type $type)`) +- models (`$schema->addModel(ModelType $type)`) +- queries (`$schema->addQuery(Query $query)`) +- mutations (`$schema->addMutation(Mutation $mutation)`) +- enums (`$schema->addEnum(Enum $type)`) +- interfaces (`$schema->addInterface(InterfaceType $type)`) +- unions (`$schema->addUnion(UnionType $type)`) + +```php +namespace App\GraphQL; + +use App\Model\MyDataObject; +use SilverStripe\GraphQL\Schema\Field\Query; +use SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater; +use SilverStripe\GraphQL\Schema\Schema; +use SilverStripe\GraphQL\Schema\Type\Type; + +class MySchema implements SchemaUpdater +{ + public static function updateSchema(Schema $schema): void + { + $countryType = Type::create('Country') + ->addField('name', 'String') + ->addField('code', 'String'); + $schema->addType($countryType); + + $countriesQuery = Query::create('readCountries', '[Country]!') + ->addArg('limit', 'Int'); + $schema->addQuery($countriesQuery); + + $myModel = $schema->createModel(MyDataObject::class) + ->addAllFields() + ->addAllOperations(); + $schema->addModel($myModel); + } +} +``` + +#### Chainable setters + +To make your code chainable, when adding fields and arguments, you can invoke a callback +to update it on the fly. + +```php +$countryType = Type::create('Country') + ->addField('name', 'String', function (Field $field) { + // Must be a callable. No inline closures allowed! + $field->setResolver([MyResolverClass::class, 'countryResolver']) + ->addArg('myArg', 'String!'); + }) + ->addField('code', 'String'); +$schema->addType($countryType); + +$countriesQuery = Query::create('readCountries', '[Country]!') + ->addArg('limit', 'Int', function (Argument $arg) { + $arg->setDefaultValue(20); + }); +$schema->addQuery($countriesQuery); +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/01_getting_started/05_deploying_the_schema.md b/docs/en/01_getting_started/05_deploying_the_schema.md new file mode 100644 index 00000000..e25b11f4 --- /dev/null +++ b/docs/en/01_getting_started/05_deploying_the_schema.md @@ -0,0 +1,88 @@ +--- +title: Deploying the schema +summary: Deploy your GraphQL schema to a test or production environment +icon: rocket +--- + +# Getting started + +[CHILDREN asList] + +## Deploying the schema + +One way or another, you must get the `.graphql-generated/` and `public/_graphql/` folders into your test and production environments for Silverstripe CMS (and your own custom queries) to work as expected. There are many ways to do so. The options below are listed in order of complexity. + +### Single-server hosting solutions with simple deployments {#simple-single-server} + +If you host your site on a single server and you always run `dev/build` during the deployment, then assuming you have set up permissions to allow the webserver to write to the `.graphql-generated/` and `public/_graphql/` folders, your GraphQL schema will be built for you as a side-effect of running `dev/build`. You don't need to do anything further. Note that if your schema is exceptionally large you may still want to read through the rest of the options below. + +### Options for any hosting solution + +#### Commit the schema to version control {#commit-to-vcs} + +A simplistic approach is to build the schema in your local development environment and add the `.graphql-generated/` and `public/_graphql/` folders to your version control system. With this approach you would most likely want to disable schema generation at `dev/build`. + +This approach has the advantage of being very simple, but it will pollute your commits with massive diffs for the generated code. + +> [!WARNING] +> Make sure you set your site to `live` mode and remove any `DEBUG_SCHEMA=1` from your `.env` file if it is there before generating the schema to be committed. + +#### Explicitly build the schema during each deployment {#build-during-deployment} + +Many projects will automatically run a `dev/build` whenever they deploy a site to their production environment. If that’s your case, then you can just let this process run normally and generate the `.graphql-generated/` and `public/_graphql/` folders for you. This will allow you to add these folders to your `.gitignore` file and avoid tracking the folder in your version control system. + +Be aware that for this approach to work, the process executing the `dev/build` must have write access to create the folders (or you must create those folders yourself, and give write access for those folders specifically), and for multi-server environments a `dev/build` or `dev/graphql/build` must be executed on each server hosting your site after each deployment. + +#### Use a CI/CD pipeline to build your schema {#using-ci-cd} + +Projects with more sophisticated requirements or bigger schemas exposing more than 100 `DataObject` classes may want to consider using a continuous-integration/continuous-deployment (CI/CD) pipeline to build their GraphQL schema. + +In this kind of setup, you would need to update your deployment script to run the `dev/graphql/build` command which builds the `.graphql-generated/` and `public/_graphql/` folders. In multi-server environments this must be executed on each server hosting your site. + +### Multi-server hosting solutions {#multi-server} + +If your site is hosted in an environment with multiple servers or configured to auto-scale with demand, there are some additional considerations. For example if you only generate the schema on one single server (i.e. via `dev/build` or `dev/graphql/build`), then the other servers won’t have a `.graphql-generated/` or `public/_graphql/` folder (or those folders will be empty if you manually created them). + +#### Rely on "on-demand" schema generation on the first GraphQL request {#on-demand} + +When the first GraphQL schema request occurs, `silverstripe/graphql` will attempt to build the `.graphql-generated/` and `public/_graphql/` folders "on-demand" if they're not already present on the server. Similarly, if the folders are present but empty, it will build the schema "on-demand". This will impose a one-time performance hit on the first GraphQL request. If your project defines multiple schemas, only the schema that is being accessed will be generated. + +For most common use cases, this process is relatively fast. For example, the GraphQL schema that is used to power the CMS can be built in about a quarter of a second. + +While benchmarking schema generation performance, we measured that a schema exposing 180 DataObjects with 1600 relations could be built on-demand in less than 6 seconds on a small AWS instance. + +Our expectation is that on-demand schema generation will be performant for most projects with small or medium schemas. + +> [!WARNING] +> Note that with this approach you will need to remove or empty the `.graphql-generated/` and `public/_graphql/` folders on each server for each deployment that includes a change to the schema definition, or you risk having an outdated GraphQL schema. The "on-demand" schema generation does not detect changes to the schema definition. + +#### Build the schema during/before deployment and share it across your servers {#multi-server-shared-dirs} + +If you have a particularly large schema, you may want to ensure it is always built before the first GraphQL request. It might make sense for you to sync your `.graphql-generated/` and `public/_graphql/` folders across all your servers using an EFS or similar mechanism. In that case you only need to run `dev/build` or `dev/graphql/build` on the server with the original folder - but bear in mind that this may have a performance impact. + +### Performance considerations when building the GraphQL schema {#performance-considerations} + +The main driver in the resources it takes to build a GraphQL schema is the number DataObjects and the number of exposed relations in that schema. In most cases, not all DataObjects in your database will be included in your schema - best practice is to only add classes to your schema definition if you will need to query them. DataObjects not included in your schema will not impact the time or memory needed to build it. + +As an indication, benchmarks were run on a t3.micro AWS instance. The results are in the table below. These numbers may not be representative of the performance in your own environment. If you intend to build large GraphQL schemas, you should take the time to run your own benchmarks and adjust your deployment strategy accordingly. + +DataObjects in schema | Build time (ms) | Memory use (MB) +-- | -- | -- +5 | 290 | 26 +10 | 310 | 26 +40 | 1060 | 38 +100 | 2160 | 58 +250 | 5070 | 114 +500 | 11,540 | 208 + +### Gotchas + +#### Permissions of the `.graphql-generated/` and `public/_graphql/` folders {#gotchas-permissions} + +The process that is generating these folders must have write permissions to create the folder and to update existing files. If different users are used to generate the folders, then you must make sure that each user retains write access on them. + +For example, if you manually run a `dev/build` under a foobar user, the folders will be owned by foobar. If your web server is running under the www-data user and you try to call `dev/graphql/build` in your browser, you might get an error if www-data doesn’t have write access. + +### Further reading + +[CHILDREN] diff --git a/docs/en/01_getting_started/index.md b/docs/en/01_getting_started/index.md new file mode 100644 index 00000000..ef0394b2 --- /dev/null +++ b/docs/en/01_getting_started/index.md @@ -0,0 +1,12 @@ +--- +title: Getting started +summary: Open up your first GraphQL server and build your schema +icon: rocket +--- + +# Getting started + +This section of the documentation will give you an overview of how to get a simple GraphQL API +up and running with some `DataObject` content. + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/01_adding_dataobjects_to_the_schema.md b/docs/en/02_working_with_dataobjects/01_adding_dataobjects_to_the_schema.md new file mode 100644 index 00000000..34297688 --- /dev/null +++ b/docs/en/02_working_with_dataobjects/01_adding_dataobjects_to_the_schema.md @@ -0,0 +1,485 @@ +--- +title: Adding DataObject models to the schema +summary: An overview of how the DataObject model can influence the creation of types, queries, and mutations +--- + +# Working with `DataObject` models + +[CHILDREN asList] + +## The `DataObject` model type + +In Silverstripe CMS projects, our data tends to be contained in DataObjects almost exclusively, +and the `silverstripe/graphql` schema API is designed so that adding `DataObject` content to your +GraphQL schema definition is fast and simple. + +### Using model types + +While it is possible to add DataObjects to your schema as generic types under the `types` +section of the configuration, and their associated queries and mutations under `queries` and +`mutations`, this will lead to a lot of boilerplate code and repetition. Unless you have some +really custom needs, a much better approach is to embrace *convention over configuration* +and use the `models` section of the config. + +**Model types** are types that rely on external classes to tell them who they are and what +they can and cannot do. The model can define and resolve fields, auto-generate queries +and mutations, and more. + +Naturally, this module comes bundled with a model type for subclasses of `DataObject`. + +Let's use the `models` config to expose some content. + +```yml +# app/_graphql/models.yml +Page: + fields: '*' + operations: '*' +``` + +The class `Page` is a subclass of `DataObject`, so the bundled model +type will kick in here and provide a lot of assistance in building out this part of our API. + +Case in point, by supplying a value of `*` for `fields` , we're saying that we want *all* of the fields +on the `Page` class. This includes the first level of relationships, as defined on `has_one`, `has_many`, +or `many_many`. + +> [!WARNING] +> Fields on relationships will not inherit the `*` fields selector, and will only expose their ID by default. +> To add additional fields for those relationships you will need to add the corresponding `DataObject` model types. + +The `*` value on `operations` tells the schema to create all available queries and mutations + for the DataObject, including: + +- `read` +- `readOne` +- `create` +- `update` +- `delete` + +Now that we've changed our schema, we need to build it using the `dev/graphql/build` command: + +`vendor/bin/sake dev/graphql/build schema=default` + +Now we can access our schema on the default GraphQL endpoint, `/graphql`. + +Test it out! + +> [!NOTE] +> Note the use of the default arguments on `date`. Fields created from `DBFields` +> generate their own default sets of arguments. For more information, see +> [DBFieldArgs](query_plugins#dbfieldargs). + +**A query:** + +```graphql +query { + readPages { + nodes { + title + content + ... on BlogPage { + date(format: NICE) + comments { + nodes { + comment + author { + firstName + } + } + } + } + } + } +} +``` + +> [!NOTE] +> The `... on BlogPage` syntax is called an [inline fragment](https://graphql.org/learn/queries/#inline-fragments). +> You can learn more about this syntax in the [Inheritance](../inheritance) section. + +**A mutation:** + +```graphql +mutation { + createPage(input: { + title: "my page" + }) { + title + id + } +} +``` + +> [!TIP] +> Did you get a permissions error? Make sure you're authenticated as someone with appropriate access. + +### Configuring operations + +You may not always want to add *all* operations with the `*` wildcard. You can allow those you +want by setting them to `true` (or `false` to remove them). + +```yml +# app/_graphql/models.yml +Page: + fields: '*' + operations: + read: true + create: true + +App\Model\Product: + fields: '*' + operations: + '*': true + delete: false +``` + +Operations are also configurable, and accept a nested map of config. + +```yml +# app/_graphql/models.yml +Page: + fields: '*' + operations: + create: true + read: + name: getAllThePages +``` + +#### Customising the input types + +The input types, specifically in `create` and `update`, can be customised with a +list of fields. The list can include explicitly *disallowed* fields. + +```yml +# app/_graphql/models.yml +Page: + fields: '*' + operations: + create: + fields: + title: true + content: true + update: + fields: + '*': true + immutableField: false +``` + +### Adding more fields + +Let's add some more DataObjects, but this time, we'll only add a subset of fields and operations. + +```yml +# app/_graphql/models.yml +Page: + fields: '*' + operations: '*' + +App\Model\Product: + fields: + onSale: true + title: true + price: true + operations: + delete: true + +App\Model\ProductCategory: + fields: + title: true + featured: true +``` + +> [!WARNING] +> A couple things to note here: +> +> - By assigning a value of `true` to the field, we defer to the model to infer the type for the field. To override that, we can always add a `type` property: +> +> ```yml +> App\Model\Product: +> fields: +> onSale: +> type: Boolean +> ``` +> +> - The mapping of our field names to the `DataObject` property is case-insensitive. It is a +> convention in GraphQL APIs to use lowerCamelCase fields, so this is given by default. + +### Bulk loading models + +It's likely that in your application you have a whole collection of classes you want exposed to the API with roughly +the same fields and operations exposed on them. It can be really tedious to write a new declaration for every single +`DataObject` in your project, and as you add new ones, there's a bit of overhead in remembering to add it to the +GraphQL schema. + +Common use cases might be: + +- Add everything in `App\Model` +- Add every implementation of `BaseElement` +- Add anything with the `Versioned` extension +- Add everything that matches `src/*Model.php` + +You can create logic like this using the `bulkLoad` configuration file, which allows you to specify groups of directives +that load a bundle of classes and apply the same set of configuration to all of them. + +```yml +# app/_graphql/bulkLoad.yml +elemental: # An arbitrary key to define what these directives are doing + # Load all elemental blocks except MySecretElement + load: + inheritanceLoader: + include: + - DNADesign\Elemental\Models\BaseElement + exclude: + - App\Model\Elemental\MySecretElement + # Add all fields and read operations + apply: + fields: + '*': true + operations: + read: true + readOne: true + +app: + # Load everything in our App\Model\ namespace that has the Versioned extension + # unless the filename ends with .secret.php + load: + namespaceLoader: + include: + - App\Model\* + extensionLoader: + include: + - SilverStripe\Versioned\Versioned + filepathLoader: + exclude: + - app/src/Model/*.secret.php + apply: + fields: + '*': true + operations: + '*': true +``` + +By default, four loaders are provided to you to help gather specific classnames: + +#### By namespace + +- **Identifier**: `namespaceLoader` +- **Description**: Include or exclude classes based on their namespace +- **Example**: `include: [App\Model\*]` + +#### By inheritance + +- **Identifier**: `inheritanceLoader` +- **Description**: Include or exclude everything that matches or extends a given base class +- **Example**: `include: [DNADesign\Elemental\Models\BaseElement]` + +#### By applied extension + +- **Identifier**: `extensionLoader` +- **Description**: Include or exclude any class that has a given extension applied +- **Example**: `include: [SilverStripe\Versioned\Versioned]` + +#### By filepath + +- **Identifier**: `filepathLoader` +- **Description**: Include or exclude any classes in files matching a given glob expression, relative to the base path. Module syntax is allowed. +- **Examples**: + - `include: [ 'src/Model/*.model.php' ]` + - `include: [ 'somevendor/somemodule: src/Model/*.php' ]` + +> [!NOTE] +> `exclude` directives will always supersede `include` directives. + +Each block starts with a collection of all classes that gets filtered as each loader runs. The primary job +of a loader is to *remove* classes from the entire collection, not add them in. + +> [!NOTE] +> If you find that this paints with too big a brush, you can always override individual models explicitly in `models.yml`. +> The bulk loaders run *before* the `models.yml` config is loaded. + +#### `DataObject` subclasses are the default starting point + +Because this is Silverstripe CMS, and it's likely that you're using `DataObject` models only, the bulk loaders start with an +initial filter which is defined as follows: + +```yml +inheritanceLoader: + include: + - SilverStripe\ORM\DataObject +``` + +This ensures that at a bare minimum, you're always filtering by `DataObject` classes *only*. If, for some reason, you +have a non-`DataObject` class in `App\Model\*`, it will automatically be filtered out due to this default setting. + +This default is configured in the `defaultBulkLoad` setting in your schema config. Should you ever want to disable +that, just set it to `false`. + +```yml +# app/_graphql/config.yml +defaultBulkLoad: false +``` + +#### Creating your own bulk loader + +Bulk loaders must extend [`AbstractBulkLoader`](api:SilverStripe\GraphQL\Schema\BulkLoader\AbstractBulkLoader). They +need to declare an identifier (e.g. `namespaceLoader`) to be referenced in the config, and they must implement +[`collect()`](api:SilverStripe\GraphQL\Schema\BulkLoader\AbstractBulkLoader::collect()) which returns a new `Collection` +instance once the loader has done its work parsing through the `include` and `exclude` directives. + +Bulk loaders are automatically registered. Just creating the class is all you need to do to have it available for use +in your `bulkLoad.yml` file. + +### Customising model fields + +You don't have to rely on the model to tell you how fields should resolve. Just like +generic types, you can customise them with arguments and resolvers. + +```yml +# app/_graphql/models.yml +App\Model\Product: + fields: + title: + type: String + resolver: ['App\GraphQL\Resolver\ProductResolver', 'resolveSpecialTitle'] + 'price(currency: String = "NZD")': true +``` + +For more information on custom arguments and resolvers, see the +[adding arguments](../working_with_generic_types/adding_arguments) and +[resolver discovery](../working_with_generic_types/resolver_discovery) documentation. + +### Excluding or customising "*" declarations + +You can use `*` as a field or operation, and anything that follows it will override the +all-inclusive collection. This is almost like a spread operator in JavaScript: + +```js +const newObj = { ...oldObj, someProperty: 'custom' }; +``` + +Here's an example: + +```yml +# app/_graphql/models.yml +Page: + fields: + '*': true # Get everything + sensitiveData: false # hide this field + 'content(summaryLength: Int)': true # add an argument to this field + operations: + '*': true + read: + plugins: + paginateList: false # don't paginate the read operation +``` + +### Disallowed fields {#disallowed-fields} + +While selecting all fields via `*` is useful, there are some fields that you +don't want to accidentally expose, especially if you're a module author +and expect models within this code to be used through custom GraphQL endpoints. +For example, a module might add a secret "preview token" to each `SiteTree`. +A custom GraphQL endpoint might have used `fields: '*'` on `SiteTree` to list pages +on the public site, which now includes a sensitive field. + +The `graphql_blacklisted_fields` property on `DataObject` allows you to +disallow fields globally for all GraphQL schemas. +This block list applies for all operations (read, update, etc). + +```yml +# app/_config/graphql.yml +SilverStripe\CMS\Model\SiteTree: + graphql_blacklisted_fields: + myPreviewTokenField: true +``` + +### Model configuration + +There are several settings you can apply to your model class (typically `DataObjectModel`), +but because they can have distinct values *per schema*, the standard `_config` layer is not +an option. Model configuration has to be done within the schema config in the `modelConfig` +subsection. + +### Customising the type name + +Most `DataObject` classes are namespaced, so converting them to a type name ends up +being very verbose. As a default, the `DataObjectModel` class will use the "short name" +of your `DataObject` as its typename (see: [`ClassInfo::shortName()`](api:SilverStripe/Core/ClassInfo::shortName())). +That is, `App\Model\Product` becomes `Product`. + +Given the brevity of these type names, it's not inconceivable that you could run into naming +collisions, particularly if you use feature-based namespacing. Fortunately, there are +hooks you have available to help influence the typename. + +#### Explicit type mapping + +You can explicitly provide type name for a given class using the `typeMapping` setting in your schema config. + +```yml +# app/_graphql/config.yml +typeMapping: + App\PageType\Page: SpecialPage +``` + +It may be necessary to use `typeMapping` in projects that have a lot of similar class names in different namespaces, which will cause a collision +when the type name is derived from the class name. The most case for this +is the `Page` class, which may be both at the root namespace and in your +app namespace, e.g. `App\PageType\Page`. + +#### The type formatter + +The `type_formatter` is a callable that can be set on the `DataObjectModel` config. It takes +the `$className` as a parameter. + +Let's turn the type for `App\Model\Product` from `Product` into the more specific `AppProduct` + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + type_formatter: ['App\GraphQL\Formatter', 'formatType'] +``` + +> [!NOTE] +> In the above example, `DataObject` is the result of [`DataObjectModel::getIdentifier()`](api:SilverStripe\GraphQL\Schema\DataObject::getIdentifier()). +> Each model class must declare one of these. + +The formatting function in your `App\GraphQL\Formatter` class could look something like: + +```php +namespace App\GraphQL; + +class Formatter +{ + public static function formatType(string $className): string + { + $parts = explode('\\', $className); + if (count($parts) === 1) { + return $className; + } + $first = reset($parts); + $last = end($parts); + + return $first . $last; + } +} +``` + +#### The type prefix + +You can also add prefixes to all your `DataObject` types. This can be a scalar value or a callable, +using the same signature as `type_formatter`. + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + type_prefix: 'App' +``` + +This would automatically set the type name for your `App\Model\Product` class to `AppProduct` +without needing to declare a `type_formatter`. + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/02_query_plugins.md b/docs/en/02_working_with_dataobjects/02_query_plugins.md new file mode 100644 index 00000000..36f76585 --- /dev/null +++ b/docs/en/02_working_with_dataobjects/02_query_plugins.md @@ -0,0 +1,560 @@ +--- +title: DataObject query plugins +summary: Learn about some of the useful goodies that come pre-packaged with DataObject queries +--- + +# Working with `DataObject` models + +[CHILDREN asList] + +## `DataObject` query plugins + +This module has a [plugin system](../plugins) that affords extensibility to queries, mutations, +types, fields, and just about every other thread of the schema. Model types can define default +plugins to include, and for `DataObject` queries, these include: + +- `filter` +- `sort` +- `dbFieldArgs` +- `paginateList` +- `inheritance` +- `canView` (read, readOne) +- `firstResult` (readOne) + +### The pagination plugin + +The pagination plugin augments your queries in two main ways: + +- Adding `limit` and `offset` arguments +- Wrapping the return type in a "connection" type with the following fields: + - `nodes: '[YourType]'` + - `edges: '[{ node: YourType }]'` + - `pageInfo: '{ hasNextPage: Boolean, hasPreviousPage: Boolean: totalCount: Int }'` + +Let's test it out: + +```graphql +query { + readPages(limit: 10, offset: 20) { + nodes { + title + } + edges { + node { + title + } + } + pageInfo { + totalCount + hasNextPage + hasPrevPage + } + } +} +``` + +> [!WARNING] +> If you're not familiar with the jargon of `edges` and `node`, don't worry too much about it +> for now. It's just a pretty well-established convention for pagination in GraphQL, mostly owing +> to its frequent use with [cursor-based pagination](https://graphql.org/learn/pagination/), which +> isn't something we do in Silverstripe CMS. You can ignore `edges.node` and just use `nodes` if +> you want to. + +#### Limiting pagination + +To change the limit for items per page for a given type, you can set the `maximumLimit` property on the `paginateList` plugin in the schema: + +```yml +# app/_graphql/models.yml +MyProject\Models\ProductCategory: + operations: + read: + plugins: + paginateList: + maximumLimit: 10 +``` + +To change the default limit globally, set the max_limit configuration on the `PaginationPlugin` itself: + +```yml +SilverStripe\GraphQL\Schema\Plugin\PaginationPlugin: + max_limit: 10 +``` + +> [!WARNING] +> If you want to *increase* the limit beyond the default value, you will also need to set a new `default_limit` configuration value on the `PaginationPlugin`. + +#### Disabling pagination + +Just set it to `false` in the configuration. + +```yml +# app/_graphql/models.yml +App\Model\ProductCategory: + operations: + read: + plugins: + paginateList: false +``` + +To disable pagination globally, use `modelConfig`: + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + operations: + read: + plugins: + paginateList: false +``` + +### The filter plugin + +The filter plugin ([`QueryFilter`](api:SilverStripe\GraphQL\Schema\DataObject\Plugin\QueryFilter)) adds a +special `filter` argument to the `read` and `readOne` operations. + +```graphql +query { + readPages( + filter: { title: { eq: "Blog" } } + ) { + nodes { + title + created + } + } +} +``` + +In the above example, the `eq` is known as a "comparator". There are several of these +included with the the module, including: + +- `eq` (exact match) +- `ne` (not equal) +- `contains` (fuzzy match) +- `gt` (greater than) +- `lt` (less than) +- `gte` (greater than or equal) +- `lte` (less than or equal) +- `in` (in a given list) +- `startswith` (starts with) +- `endswith` (ends with) + +Example: + +```graphql +query { + readPages ( + filter: { + title: { ne: "Home" }, + created: { gt: "2020-06-01", lte: "2020-09-01" } + } + ) { + nodes { + title + created + } + } +} +``` + +> [!WARNING] +> While it is possible to filter using multiple comparators, segmenting them into +> disjunctive groups (e.g. "OR" and "AND" clauses) is not yet supported. + +Nested fields are supported by default: + +```graphql +query { + readProductCategories( + filter: { + products: { + reviews: { + rating: { gt: 3 }, + comment: { contains: "awesome" }, + author: { ne: "Me" } + } + } + } + ) { + nodes { + title + } + } +} +``` + +Filters are only querying against the database by default - it is not possible to filter by +fields with custom resolvers. + +#### Customising the filter fields + +By default, all fields on the DataObject, including relationships, are included. To customise +this, just add a `fields` config to the plugin definition: + +```yml +# app/_graphql/models.yml +App\Model\ProductCategory: + fields: + title: true + featured: true + operations: + read: + plugins: + filter: + fields: + title: true +``` + +> [!NOTE] +> You can also add all fields with `'*': true`, just like with standard model definitions. + +##### Adding non-native filter fields + +Sometimes you may want to add a filter field that stems from a custom getter, or a complex computation that +isn't easily addressed by simple field comparisons. For cases like this, you can add the custom field as long +as you provide instructions on how to resolve it. + +```yml +# app/_graphql/models.yml +App\Model\Product: + fields: + title: true + price: true + operations: + read: + plugins: + filter: + fields: + title: true + hasReviews: true + resolve: + hasReviews: + type: Boolean + resolver: ['App\GraphQL\Resolver\ProductResolver', 'resolveHasReviewsFilter'] +``` + +We've added the custom field `hasReviews` as a custom field in the `fields` section of the plugin config. A custom field +like this that does not exist on the `Product` dataobject will cause the plugin to throw unless you've provided +a `resolve` directive for it. + +In the `resolve` section, we need to provide two vital pieces of information: + +- What data type will the filter value be? (boolean in this case) +- Where is the code that will apply this filter? (A static function in our `ProductResolver` class) + +The code to resolve the filter will get two relevant pieces of information in its `$context` parameter: + +- `filterComparator`: e.g. "eq", "ne", "gt", etc. +- `filterValue`: What value we're comparing (true or false, in this case, since it's a boolean) + +Here's how we can resolve this custom filter: + +```php +// app/src/GraphQL/Resolver/Resolver.php +namespace App\GraphQL\Resolver; + +use Exception; + +class ProductResolver +{ + public static function resolveHasReviewsFilter(Filterable $list, array $args, array $context) + { + $onlyWithReviews = $context['filterValue']; + $comparator = $context['filterComparator']; + + if (!in_array($comparator, ['eq', 'ne'])) { + throw new Exception('Invalid comparator for hasReviews: ' . $comparator); + } + if ($comparator === 'ne') { + $onlyWithReviews = !$onlyWithReviews; + } + + return $onlyWithReviews + ? $list->filter('Reviews.Count():GreaterThan', 0) + : $list->filter('Reviews.Count()', 0); + } +} +``` + +> [!NOTE] +> Custom filter fields are also a good opportunity to implement something like `filterByCallback` on your list for +> particularly complex computations that cannot be done at the database level. + +#### Disabling the filter plugin + +Just set it to `false` in the configuration. + +```yml +# app/_graphql/models.yml +App\Model\ProductCategory: + operations: + read: + plugins: + filter: false +``` + +To disable filtering globally, use `modelConfig`: + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + operations: + read: + plugins: + filter: false +``` + +### The sort plugins + +The sort plugin ([`QuerySort`](api:SilverStripe\GraphQL\Schema\DataObject\Plugin\QuerySort)) adds a +special `sort` argument to the `read` and `readOne` operations. + +```graphql +query { + readPages ( + sort: { created: DESC } + ) { + nodes { + title + created + } + } +} +``` + +Nested fields are supported by default, but only for linear relationships (e.g. `has_one`): + +```graphql +query { + readProducts( + sort: { + primaryCategory: { + lastEdited: DESC + } + } + ) { + nodes { + title + } + } +} +``` + +In addition, you can use the field sorting plugin ([`SortPlugin`](api:SilverStripe\GraphQL\Schema\Plugin\SortPlugin)) to sort fields that represent `has_many` and `many_many` relationships. To do this, simply add the desired fields to the query, as well as the `sort` argument to these fields. It is also necessary to update the scheme by adding a `sorter` plugin to those fields that need to be sorted. + +Example how to use SortPlugin. + +```graphql +query { + readPages ( + sort: { created: DESC } + ) { + nodes { + title + created + hasManyFilesField (sort: { parentFolderID: DESC, title: ASC }) { + name + } + } + } +} +``` + +```yml +# app/_graphql/models.yml +Page: + operations: + read: + plugins: + sort: + before: paginateList + fields: + created: true + fields: + title: true + created: true + hasManyFilesField: + fields: + name: true + plugins: + sorter: + fields: + title: true + parentFolderID: true +``` + +#### Customising the sort fields + +By default, all fields on the DataObject, including `has_one` relationships, are included. +To customise this, just add a `fields` config to the plugin definition: + +```yml +# app/_graphql/models.yml +App\Model\ProductCategory: + fields: + title: true + featured: true + operations: + read: + plugins: + sort: + fields: + title: true +``` + +#### Disabling the sort plugin + +Just set it to `false` in the configuration. + +```yml +# app/_graphql/models.yml +App\Model\ProductCategory: + operations: + read: + plugins: + sort: false +``` + +To disable sort globally, use `modelConfig`: + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + operations: + read: + plugins: + sort: false +``` + +### The `DBFieldArgs` plugin {#dbfieldargs} + +When fields are introspected from a model and reference a `DBField` instance, +they get populated with a default set of arguments that map to methods on that +`DBField` class, for instance `$field->Nice()` or `$field->LimitSentences(4)`. + +Let's have a look at this query: + +```graphql +query { + readPages { + nodes { + content(format: LIMIT_SENTENCES, limit: 4) + created(format: NICE) + + ... on BlogPage { + introText(format: FIRST_PARAGRAPH) + publishDate(format: CUSTOM, customFormat: "dd/MM/yyyy") + } + } + } +} +``` + +The primary field types that are affected by this include: + +- `DBText` (including `DBHTMLText`) +- `DBDate` (including `DBDatetime`) +- `DBTime` +- `DBDecimal` +- `DBFloat` + +#### All available arguments + +##### `DBText` + +- `format: CONTEXT_SUMMARY` (optional "limit" arg) +- `format: FIRST_PARAGRAPH` +- `format: LIMIT_SENTENCES` (optional "limit" arg) +- `format: SUMMARY` (optional "limit" arg) +- `parseShortcodes: Boolean` (DBHTMLText only) + +##### `DBDate` + +- `format: TIMESTAMP` +- `format: NICE` +- `format: DAY_OF_WEEK` +- `format: MONTH` +- `format: YEAR` +- `format: SHORT_MONTH` +- `format: DAY_OF_MONTH` +- `format: SHORT` +- `format: LONG` +- `format: FULL` +- `format: CUSTOM` (requires `customFormat: String` arg) + +##### `DBTime` + +- `format: TIMESTAMP` +- `format: NICE` +- `format: SHORT` +- `format: CUSTOM` (requires `customFormat: String` arg) + +##### `DBDecimal` + +- `format: INT` + +##### `DBFloat` + +- `format: NICE` +- `format: ROUND` +- `format: NICE_ROUND` + +#### Enum naming strategy and deduplication + +By default, auto-generated Enum types will use as generic a name as possible using the convention `Enum` (e.g. +`OrderStatusEnum`). On occasion, this may collide with other types (e.g. `OptionsEnum` is quite generic and likely to be used already). +In this case, the second enum generated will use `Enum` (e.g. `MyTypeOptionsEnum`). + +If an enum already exists with the same fields and name, it will be reused. For instance, if `OptionsEnum` +is found and has exactly the same defined values (in the same order) as the Enum being generated, +it will be reused rather than proceeding to the deduplication strategy. + +#### Custom enum names + +You can specify custom enum names in the plugin config: + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + plugins: + dbFieldTypes: + enumTypeMapping: + MyType: + myEnumField: SomeCustomTypeName +``` + +You can also specify enums to be ignored. (`ClassName` does this on all DataObjects to prevent inheritance +issues) + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + plugins: + dbFieldTypes: + ignore: + MyType: + myEnumField: true +``` + +### The getByLink plugin + +The [`LinkablePlugin`](api:SilverStripe\GraphQL\CMS\LinkablePlugin) provides a `getByLink` query + +This queries return a single `DataObject` model (e.g. `readOne`) get a new query argument +called `link` (configurable on the `field_name` property of `LinkablePlugin`). + +```graphql +readOneSiteTree(link: "/about-us" ) { + title +} +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/03_permissions.md b/docs/en/02_working_with_dataobjects/03_permissions.md new file mode 100644 index 00000000..2f9e2ba8 --- /dev/null +++ b/docs/en/02_working_with_dataobjects/03_permissions.md @@ -0,0 +1,64 @@ +--- +title: DataObject operation permissions +summary: A look at how permissions work for DataObject queries and mutations +--- + +# Working with `DataObject` models + +[CHILDREN asList] + +## `DataObject` operation permissions + +Any of the operations that come pre-configured for DataObjects are secured by the appropriate permissions +by default. +Please see [Model-Level Permissions](/developer_guides/model/permissions/#model-level-permissions) for more information. + +### Mutation permssions + +> [!NOTE] +> When mutations fail due to permission checks, they throw a [`PermissionsException`](api:SilverStripe\GraphQL\Schema\Exception\PermissionsException). + +For `create`, if a singleton instance of the record being created doesn't pass a `canCreate($member)` check, +the mutation will throw. + +For `update`, if the record matching the given ID doesn't pass a `canEdit($member)` check, the mutation will +throw. + +For `delete`, if any of the given IDs don't pass a `canDelete($member)` check, the mutation will throw. + +### Query permissions + +Query permissions are a bit more complicated, because they can either be in list form, (paginated or not), +or a single item. Rather than throw, these permission checks work as filters. + +> [!WARNING] +> It is critical that you have a `canView()` method defined on your DataObjects. Without this, only admins are +> assumed to have permission to view a record. + +For `read` and `readOne` a plugin called `canView` will filter the result set by the `canView($member)` check. + +> [!WARNING] +> When paginated items fail a `canView()` check, the `pageInfo` field is not affected. +> Limits and pages are determined through database queries. It would be too inefficient to perform in-memory checks on large data sets. +> This can result in pages showing a smaller number of items than what the page should contain, but keeps the pagination calls consistent +> for `limit` and `offset` parameters. + +### Disabling query permissions + +Though not recommended, you can disable query permissions by setting their plugins to `false`. + +```yml +# app/_graphql/models.yml +Page: + operations: + read: + plugins: + canView: false + readOne: + plugins: + canView: false +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/04_inheritance.md b/docs/en/02_working_with_dataobjects/04_inheritance.md new file mode 100644 index 00000000..07ac51ba --- /dev/null +++ b/docs/en/02_working_with_dataobjects/04_inheritance.md @@ -0,0 +1,483 @@ +--- +title: DataObject inheritance +summary: Learn how inheritance is handled in DataObject model types +--- + +# Working with `DataObject` models + +[CHILDREN asList] + +## `DataObject` inheritance + +The inheritance pattern used in the ORM is a tricky thing to navigate in a GraphQL API, mostly owing +to the fact that there is no concept of inheritance in GraphQL types. The main tools we have at our +disposal are [interfaces](https://graphql.org/learn/schema/#interfaces) and [unions](https://graphql.org/learn/schema/#union-types) +to deal with this type of architecture, and we leverage both of them when working with DataObjects. + +### Key concept: querying types that have descendants + +When you query a type that has descendant classes, you are by definition getting a polymorphic return. There +is no guarantee that each result will be of one specific type. Take this example: + +```graphql +query { + readPages { + nodes { + title + content + } + } +} +``` + +This is fine when the two fields are common to across the entire inheritance chain, but what happens +when we need the `date` field on `BlogPage`? + +```graphql +query { + readPages { + nodes { + title + content + date # fails! + } + } +} +``` + +To solve this problem, the GraphQL module will automatically change these types of queries to return interfaces. + +```graphql +query { + readPages { + nodes { # <--- [PageInterface] + title + content + } + } +} +``` + +Now, in order to query fields that are specific to `BlogPage`, we need to use an +[inline fragment](https://graphql.org/learn/queries/#inline-fragments) to select them. + +In the below example, we are querying `title` and `content` on all page types, but we only query `heroImage` +on `HomePage` objects, and we query `date` and `author` only for `BlogPage` objects. + +```graphql +query { + readPages { + nodes { + title # Common field + content # Common field + ... on HomePage { + heroImage { + url + } + } + ... on BlogPage { + date + author { + firstName + } + } + } + } +} +``` + +So the fields that are common to every possible type in the result set can be directly selected (with no `...on` +syntax), because they're part of the common interface. They're guaranteed to exist on every type. But for fields +that only appear on some types, we need to be explicit. + +Now let's take this a step further. What if there's another class in between? Imagine this ancestry: + +```text +Page + -> EventPage extends Page + -> ConferencePage extends EventPage + -> WebinarPage extends EventPage +``` + +We can use the intermediary interface `EventPageInterface` to consolidate fields that are unique to +`ConferencePage` and `WebinarPage`. + +```graphql +query { + readPages { + nodes { + title # Common to all types + content # Common to all types + ... on EventPageInterface { + # Common fields for WebinarPage, ConferencePage, EventPage + numberOfTickets + featuredSpeaker { + firstName + email + } + } + ... on WebinarPage { + zoomLink + } + ... on ConferencePage { + venueSize + } + ... on BlogPage { + date + author { + firstName + } + } + } + } +} +``` + +You can think of interfaces in this context as abstractions of *parent classes* - and the best part is +they're generated automatically. We don't need to manually define or implement the interfaces. + +> [!NOTE] +> A good way to determine whether you need an inline fragment is to ask +> "can this field appear on any other types in the query?" If the answer is yes, you want to use an interface, +> which is usually the parent class with the "Interface" suffix. + +### Inheritance: a deep dive + +There are several ways inheritance is handled at build time: + +- Implicit field / type exposure +- Interface generation +- Assignment of generated interfaces to types +- Assignment of generated interfaces to queries + +We'll look at each of these in detail. + +#### Inherited fields / implicit exposures + +Here are the rules for how inheritance affects types and fields: + +- Exposing a type implicitly exposes all of its ancestors. +- Ancestors receive any fields exposed by their descendants, if applicable. +- Exposing a type applies all of its fields to descendants only if they are explicitly exposed also. + +All of this is serviced by: [`InheritanceBuilder`](api:SilverStripe\GraphQL\Schema\DataObject\InheritanceBuilder) + +##### Example {#fields-example} + +```yml +App\PageType\BlogPage: + fields: + title: true + content: true + date: true + +App\PageType\GalleryPage: + fields: + images: true + urlSegment: true +``` + +This results in those two types being exposed with the fields as shown, but also results in a `Page` type: + +```graphql +type Page { + id: ID! # always exposed + title: String + content: String + urlSegment: String +} +``` + +#### Interface generation + +Any type that's part of an inheritance chain will generate interfaces. Each applicable ancestral interface is added +to the type. Like the type inheritance pattern shown above, interfaces duplicate fields from their ancestors as well. + +Additionally, a **base interface** is provided for all types containing common fields across the entire `DataObject` +schema. + +All of this is serviced by: [`InterfaceBuilder`](api:SilverStripe\GraphQL\Schema\DataObject\InterfaceBuilder) + +##### Example {#interface-example} + +```text +Page + -> BlogPage extends Page + -> EventsPage extends Page + -> ConferencePage extends EventsPage + -> WebinarPage extends EventsPage +``` + +This will create the following interfaces (assuming the fields below are exposed): + +```graphql +interface PageInterface { + id: ID! + title: String + content: String +} + +interface BlogPageInterface { + id: ID! + title: String + content: String + date: String +} + +interface EventsPageInterface { + id: ID! + title: String + content: String + numberOfTickets: Int +} + +interface ConferencePageInterface { + id: ID! + title: String + content: String + numberOfTickets: Int + venueSize: Int + venurAddress: String +} + +interface WebinarPageInterface { + id: ID! + title: String + content: String + numberOfTickets: Int + zoomLink: String +} +``` + +#### Interface assignment to types + +The generated interfaces then get applied to the appropriate types, like so: + +```graphql +type Page implements PageInterface {} +type BlogPage implements BlogPageInterface & PageInterface {} +type EventsPage implements EventsPageInterface & PageInterface {} +type ConferencePage implements ConferencePageInterface & EventsPageInterface & PageInterface {} +type WebinarPage implements WebinarPageInterface & EventsPageInterface & PageInterface {} +``` + +Lastly, for good measure, we create a `DataObjectInterface` that applies to everything. + +```graphql +interface DataObjectInterface { + id: ID! + # Any other fields you've explicitly exposed in config.modelConfig.DataObject.base_fields +} +``` + +```graphql +type Page implements PageInterface & DataObjectInterface {} +``` + +#### Interface assignment to queries + +Queries, both at the root and nested as fields on types, will have their types +updated if they refer to a type that has had any generated interfaces added to it. + +```graphql +type Query { + readPages: [Page] +} + +type BlogPage { + download: File +} +``` + +Becomes: + +```graphql +type Query { + readPages: [PageInterface] +} + +type BlogPage { + download: FileInterface +} +``` + +All of this is serviced by: [`InterfaceBuilder`](api:SilverStripe\GraphQL\Schema\DataObject\InterfaceBuilder) + +#### Elemental + +This section refers to types added via `dnadesign/silverstripe-elemental`. + +Almost by definition, content blocks are always abstractions. You're never going to query for a `BaseElement` type +specifically. You're always asking for an assortment of its descendants, which adds a lot of polymorphism to +the query. + +```graphql +query { + readElementalPages { + nodes { + elementalArea { + elements { + nodes { + title + id + ... on ContentBlock { + html + } + ... on CTABlock { + link + linkText + } + } + } + } + } + } +} +``` + +> [!NOTE] +> The above example shows a query for elements on all elemental pages - but for most situations you will +> probably only want to query the elements on one page at a time. + +### Optional: use unions instead of interfaces + +You can opt out of using interfaces as your return types for queries and instead use a union of all the concrete +types. This comes at a cost of potentially breaking your API unexpectedly (described below), so it is not enabled by +default. There is no substantive advantage to using unions over interfaces for your query return types. It would +typically only be done for conceptual purposes. + +To use unions, turn on the `useUnionQueries` setting. + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + plugins: + inheritance: + useUnionQueries: true +``` + +This means that models that have descendants will create unions that include themselves and all of their descendants. +For queries that return those models, a union is put in its place. + +Serviced by: [`InheritanceUnionBuilder`](api:SilverStripe\GraphQL\Schema\DataObject\InheritanceUnionBuilder) + +#### Example {#unions-example} + +```text +type Page implements PageInterface {} +type BlogPage implements BlogPageInterface & PageInterface {} +type EventsPage implements EventsPageInterface & PageInterface {} +type ConferencePage implements ConferencePageInterface & EventsPageInterface & PageInterface {} +type WebinarPage implements WebinarPageInterface & EventsPageInterface & PageInterface {} +``` + +Creates the following unions: + +```text +union PageInheritanceUnion = Page | BlogPage | EventsPage | ConferencePage | WebinarPage +union EventsPageInheritanceUnion = EventsPage | ConferencePage | WebinarPage +``` + +"Leaf" models like `BlogPage`, `ConferencePage`, and `WebinarPage` that have no exposed descendants will not create +unions, as they are functionally useless. + +This means that queries for `readPages` and `readEventsPages` will now return unions. + +```graphql +query { + readPages { + nodes { + ... on PageInterface { + id # in theory, this common field could be done on DataObjectInterface, but that gets a bit verbose + title + content + } + ... on EventsPageInterface { + numberOfTickets + } + ... on BlogPage { + date + } + ... on WebinarPage { + zoomLink + } + } + } +} +``` + +#### Lookout for the footgun + +Because unions are force substituted for your queries when a model has exposed descendants, it is possible that adding +a subclass to a model will break your queries without much warning to you. + +For instance: + +```php +namespace App\Model; + +class Product extends DataObject +{ + private static $db = ['Price' => 'Int']; +} +``` + +We might query this with: + +```graphql +query { + readProducts { + nodes { + price + } + } +} +``` + +But if we create a subclass for product and expose it to GraphQL: + +```php +namespace App\Model; + +class DigitalProduct extends Product +{ + private static $db = ['DownloadURL' => 'Varchar']; +} +``` + +Now our query breaks: + +```graphql +query { + readProducts { + nodes { + price # Error: Field "price" not found on ProductInheritanceUnion + } + } +} +``` + +We need to revise it: + +```graphql +query { + readProducts { + nodes { + ... on ProductInterface { + price + } + ... on DigitalProduct { + downloadUrl + } + } + } +} +``` + +If we use interfaces, this won't break because the `price` field will be on `ProductInterface` +which makes it directly queryable (without requiring the inline fragment). + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/05_versioning.md b/docs/en/02_working_with_dataobjects/05_versioning.md new file mode 100644 index 00000000..d49f989d --- /dev/null +++ b/docs/en/02_working_with_dataobjects/05_versioning.md @@ -0,0 +1,190 @@ +--- +title: Versioned content +summary: A guide on how DataObject models with the Versioned extension behave in GraphQL schemas +--- + +# Working with `DataObject` models + +[CHILDREN asList] + +## Versioned content + +For the most part, if your `DataObject` has the `Versioned` extension applied, there is nothing you need to do +explicitly - but be aware that it will affect the operations and fields of your type. +You can also [disable](#disable) versioning for your schema if you don't need it. + +See [model versioning](/developer_guides/model/versioning) for general information about versioning your DataObjects. + +### Versioned plugins + +There are several plugins provided that affect how versioned DataObjects +appear in the schema. These include: + +- The `versioning` plugin, applied to the `DataObject` type +- The `readVersion` plugin, applied to the queries for the DataObject +- The `unpublishOnDelete` plugin, applied to the delete mutation + +Let's walk through each one. + +#### The `versioning` plugin + +Defined in the [`VersionedDataObject`](api:SilverStripe\GraphQL\Modules\Versioned\Plugins\VersionedDataObject) class, this plugin adds +several fields to the `DataObject` type, including: + +##### The `version` field + +The `version` field on your `DataObject` will include the following fields: + +- `author`: Member (Object -- the author of the version) +- `publisher`: Member (Object -- the publisher of the version) +- `published`: Boolean (True if the version is published) +- `liveVersion`: Boolean (True if the version is the one that is currently live) +- `latestDraftVersion`: Boolean (True if the version is the latest draft version) + +> [!NOTE] +> Note that `author` and `publisher` are in relation to the given *version* of the object - these are +> not necessarily the same as the author and publisher of the *original* record (i.e. the author may not +> be the person who created the object, they're the person who saved a specific version of it). + +Let's look at it in context: + +```graphql +query readPages { + nodes { + title + version { + author { + firstname + } + published + } + } +} +``` + +##### The `versions` field + +The `versions` field on your `DataObject` will return a list of the `version` objects described above. +The list is sortable by version number, using the `sort` parameter. + +```graphql +query readPages { + nodes { + title + versions(sort: { version: DESC }) { + author { + firstname + } + published + } + } +} +``` + +#### The `readVersion` plugin + +This plugin updates the `read` operation to include a `versioning` argument that contains the following +fields: + +- `mode`: VersionedQueryMode (An enum of [`ARCHIVE`, `LATEST`, `DRAFT`, `LIVE`, `STATUS`, `VERSION`]) +- `archiveDate`: String (The archive date to read from) +- `status`: VersionedStatus (An enum of [`PUBLISHED`, `DRAFT`, `ARCHIVED`, `MODIFIED`]) +- `version`: Int (The exact version to read) + +The query will automatically apply the settings from the `versioning` input type to the query and affect +the resulting `DataList`. + +#### The `unpublishOnDelete` plugin + +This is mostly for internal use. It's an escape hatch for tidying up after a delete. + +### Versioned operations + +DataObjects with the `Versioned` extension applied will also receive four extra operations +by default. They include: + +- `publish` +- `unpublish` +- `copyToStage` +- `rollback` + +All of these identifiers can be used in the `operations` config for your versioned +`DataObject`. They will all be included if you use `operations: '*'`. + +```yml +# app/_graphql/models.yml +App\Model\MyObject: + fields: '*' + operations: + publish: true + unpublish: true + rollback: true + copyToStage: true +``` + +#### Using the operations + +Let's look at a few examples: + +##### Publishing + +```graphql +mutation publishSiteTree(id: 123) { + id + title +} +``` + +##### Unpublishing + +```graphql +mutation unpublishSiteTree(id: 123) { + id + title +} +``` + +##### Rolling back + +```graphql +mutation rollbackSiteTree(id: 123, toVersion: 5) { + id + title +} +``` + +##### Copying to stage + +```graphql +mutation copySiteTreeToStage(id: 123, fromStage: DRAFT, toStage: LIVE) { + id + title +} +``` + +### Disabling versioning on your schema {#disable} + +Versioning is great for Content APIs (e.g. previews), but often not necessary for public APIs focusing on published data. +You can disable versioning for your schema in the `modelConfig` section: + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + plugins: + versioning: false + operations: + read: + plugins: + readVersion: false + readOne: + plugins: + readVersion: false + delete: + plugins: + unpublishOnDelete: false +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/06_property_mapping.md b/docs/en/02_working_with_dataobjects/06_property_mapping.md new file mode 100644 index 00000000..1f190668 --- /dev/null +++ b/docs/en/02_working_with_dataobjects/06_property_mapping.md @@ -0,0 +1,77 @@ +--- +title: Property mapping and dot syntax +summary: Learn how to customise field names, use dot syntax, and use aggregate functions +--- + +# Working with `DataObject` models + +[CHILDREN asList] + +## Property mapping and dot syntax + +For the most part, field names are inferred through the `DataObject` model, but its API affords developers full +control over naming. + +In this example, we are taking a property `content` (which will be defined as `Content` in PHP) and defining it +as `pageContent` for GraphQL queries and mutations. + +```yml +# app/_graphql/models.yml +Page: + fields: + pageContent: + type: String + property: Content +``` + +> [!WARNING] +> When using explicit property mapping, you must also define an explicit type, as it can +> no longer be inferred. + +### Dot-separated accessors + +Property mapping is particularly useful when using **dot syntax** to access fields. + +```yml +# app/_graphql/models.yml +App\PageType\Blog: + fields: + title: true + authorName: + type: String + property: 'Author.FirstName' +``` + +Fields on `has_many` or `many_many` relationships will automatically convert to a `column` array: + +```yml +# app/_graphql/models.yml +App\PageType\Blog: + fields: + title: true + categoryTitles: + type: '[String]' + property: 'Categories.Title' + authorsFavourites: + type: '[String]' + property: 'Author.FavouritePosts.Title' +``` + +We can even use a small subset of **aggregates**, including `Count()`, `Max()`, `Min()` and `Avg()`. + +```yml +# app/_graphql/models.yml +App\Model\ProductCategory: + fields: + title: true + productCount: + type: Int + property: 'Products.Count()' + averageProductPrice: + type: Float + property: 'Products.Avg(Price)' +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/07_nested_definitions.md b/docs/en/02_working_with_dataobjects/07_nested_definitions.md new file mode 100644 index 00000000..49e29228 --- /dev/null +++ b/docs/en/02_working_with_dataobjects/07_nested_definitions.md @@ -0,0 +1,52 @@ +--- +title: Nested type definitions +summary: Define dependent types inline with a parent type +--- +# Working with `DataObject` models + +[CHILDREN asList] + +## Nested type definitions + +For readability and ergonomics, you can take advantage of nested type definitions. Let's imagine +we have a `Blog` and we want to expose `Author` and `Categories`, but while we're at it, we want +to specify what fields they should have. + +```yml +# app/_graphql/models.yml +App\PageType\Blog: + fields: + title: true + author: + fields: + firstName: true + surname: true + email: true + categories: + fields: '*' +``` + +Alternatively, we could flatten that out: + +```yml +# app/_graphql/models.yml +App\PageType\Blog: + fields: + title: true + author: true + categories: true +SilverStripe\Security\Member: + fields: + firstName: true + surname: true + email: true +App\Model\BlogCategory: + fields: '*' +``` + +> [!NOTE] +> You cannot define operations on nested types. They only accept fields. + +### Further reading + +[CHILDREN] diff --git a/docs/en/02_working_with_dataobjects/index.md b/docs/en/02_working_with_dataobjects/index.md new file mode 100644 index 00000000..df46b1e3 --- /dev/null +++ b/docs/en/02_working_with_dataobjects/index.md @@ -0,0 +1,14 @@ +--- +title: Working with DataObject models +summary: Add DataObject models to your schema, expose their fields, add read/write operations, and more +icon: database +--- + +# Working with `DataObject` models + +In this section of the documentation, we'll cover adding DataObjects to the schema, exposing their fields, +and adding read/write operations. We'll also look at some of the plugins that are available to DataObjects +like [sorting, filtering, and pagination](query_plugins), as well as some more advanced concepts like +[permissions](permissions), [inheritance](inheritance) and [property mapping](property_mapping). + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/01_creating_a_generic_type.md b/docs/en/03_working_with_generic_types/01_creating_a_generic_type.md new file mode 100644 index 00000000..c110e607 --- /dev/null +++ b/docs/en/03_working_with_generic_types/01_creating_a_generic_type.md @@ -0,0 +1,38 @@ +--- +title: Creating a generic type +summary: Creating a type that doesn't map to a DataObject +--- + +# Working with generic types + +[CHILDREN asList] + +## Creating a generic type + +Let's create a simple type that will work with the inbuilt features of Silverstripe CMS. +We'll define some languages based on the `i18n` API. + +```yml +# app/_graphql/types.yml +Country: + fields: + code: String! + name: String! +``` + +We've defined a type called `Country` that has two fields: `code` and `name`. An example record +could be something like: + +```php +[ + 'code' => 'bt', + 'name' => 'Bhutan', +] +``` + +That's all we have to do for now! We'll need to tell GraphQL how to get this data, but first +we need to [building a custom query](building_a_custom_query) to see how we can use it. + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/02_building_a_custom_query.md b/docs/en/03_working_with_generic_types/02_building_a_custom_query.md new file mode 100644 index 00000000..2cda2461 --- /dev/null +++ b/docs/en/03_working_with_generic_types/02_building_a_custom_query.md @@ -0,0 +1,182 @@ +--- +title: Building a custom query +summary: Add a custom query for any type of data +--- +# Working with generic types + +[CHILDREN asList] + +## Building a custom query + +We've defined the shape of our data, now we need a way to access it. For this, +we'll need a query. Let's add one to the `queries` section of our config. + +```yml +# app/_graphql/schema.yml +queries: + readCountries: '[Country]' +``` + +### Resolving fields + +Now we have a query that will return all the countries. In order to make this work, we'll +need a **resolver** to tell the query where to get the data from. For this, we're going to +have to break out of the configuration layer and write some PHP code. + +```php +// app/src/GraphQL/Resolver/MyResolver.php +namespace App\GraphQL\Resolver; + +use SilverStripe\Core\Injector\Injector; +use SilverStripe\i18n\Data\Locales; + +class MyResolver +{ + public static function resolveCountries(): array + { + $results = []; + $countries = Injector::inst()->get(Locales::class)->getCountries(); + foreach ($countries as $code => $name) { + $results[] = [ + 'code' => $code, + 'name' => $name, + ]; + } + + return $results; + } +} +``` + +Resolvers are pretty loosely defined, and don't have to adhere to any specific contract +other than that they **must be static methods**. You'll see why when we add it to the configuration: + +```yml +# app/_graphql/schema.yml +queries: + readCountries: + type: '[Country]' + resolver: [ 'App\GraphQL\Resolver\MyResolver', 'resolveCountries' ] +``` + +> [!WARNING] +> Note the difference in syntax here between the `type` and the `resolver` - the type declaration +> *must* have quotes around it, because we are saying "this is a list of `Country` objects". The value +> of this must be a YAML *string*. But the resolver must *not* be surrounded in quotes. It is explicitly +> a YAML array, so that PHP recognises it as a `callable`. + +Now, we just have to build the schema: + +`vendor/bin/sake dev/graphql/build schema=default` + +### Testing the query + +Let's test this out in our GraphQL IDE. If you have the [`silverstripe/graphql-devtools`](https://github.com/silverstripe/silverstripe-graphql-devtools) +module installed, just go to `/dev/graphql/ide` in your browser. + +As you start typing, it should autocomplete for you. + +Here's our query: + +```graphql +query { + readCountries { + name + code + } +} +``` + +And the expected response: + +```json +{ + "data": { + "readCountries": [ + { + "name": "Afghanistan", + "code": "af" + }, + { + "name": "Åland Islands", + "code": "ax" + }, + "... etc" + ] + } +} +``` + +> [!WARNING] +> Keep in mind that [plugins](../working_with_DataObjects/query_plugins) +> don't apply in this context - at least without updating the resolver +> to account for them. Most importantly this means you need to +> implement your own `canView()` checks. It also means you need +> to add your own filter functionality, such as [pagination](adding_pagination). + +## Resolver method arguments + +A resolver is executed in a particular query context, which is passed into the method as arguments. + +- `mixed $value`: An optional value of the parent in your data graph. + Defaults to `null` on the root level, but can be useful to retrieve the object + when writing field-specific resolvers (see [Resolver Discovery](resolver_discovery)). +- `array $args`: An array of optional arguments for this field (which is different from the [Query Variables](https://graphql.org/learn/queries/#variables)) +- `array $context`: An arbitrary array which holds information shared between resolvers. + Use implementors of [`ContextProvider`](api:SilverStripe\GraphQL\Schema\Interfaces\ContextProvider) to get and set + data, rather than relying on the array keys directly. +- [`?ResolveInfo`](api:GraphQL\Type\Definition\ResolveInfo)`$info`: Data structure containing useful information for the resolving process (e.g. the field name). + See [Fetching Data](https://webonyx.github.io/graphql-php/data-fetching/) in the underlying PHP library for details. + +## Using context providers + +The `$context` array can be useful to get access to the HTTP request, +retrieve the current member, or find out details about the schema. +You can use it through implementors of the `ContextProvider` interface. +In the example below, we'll demonstrate how you could limit viewing the country code to +users with ADMIN permissions. + +```php +// app/src/GraphQL/Resolver/MyResolver.php +namespace App\GraphQL\Resolver; + +use GraphQL\Type\Definition\ResolveInfo; +use SilverStripe\Core\Injector\Injector; +use SilverStripe\GraphQL\QueryHandler\UserContextProvider; +use SilverStripe\Security\Permission; +use SilverStripe\i18n\Data\Locales; + +class MyResolver +{ + public static function resolveCountries( + mixed $value = null, + array $args = [], + array $context = [], + ?ResolveInfo $info = null + ): array { + $member = UserContextProvider::get($context); + $canViewCode = ($member && Permission::checkMember($member, 'ADMIN')); + $results = []; + $countries = Injector::inst()->get(Locales::class)->getCountries(); + foreach ($countries as $code => $name) { + $results[] = [ + 'code' => $canViewCode ? $code : '', + 'name' => $name, + ]; + } + + return $results; + } +} +``` + +## Resolver discovery + +This is great, but as we write more and more queries for types with more and more fields, +it's going to get awfully laborious mapping all these resolvers. Let's clean this up a bit by +adding a bit of convention over configuration, and save ourselves a lot of time to boot. We can do +that using the [resolver discovery pattern](resolver_discovery). + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/03_resolver_discovery.md b/docs/en/03_working_with_generic_types/03_resolver_discovery.md new file mode 100644 index 00000000..c938a1dd --- /dev/null +++ b/docs/en/03_working_with_generic_types/03_resolver_discovery.md @@ -0,0 +1,191 @@ +--- +title: The resolver discovery pattern +summary: How you can opt out of mapping fields to resolvers by adhering to naming conventions +--- + +# Working with generic types + +[CHILDREN asList] + +## The resolver discovery pattern + +When you define a query, mutation, or any other field on a type, you can opt out of providing +an explicit resolver and allow the system to discover one for you based on naming convention. + +Let's start by registering a resolver class where we can define a bunch of these methods. + +You can register as many classes as makes sense - and each resolver class can have multiple +resolver methods. + +```yml +# app/_graphql/config.yml +resolvers: + - App\GraphQL\Resolver\MyResolver +``` + +What we're registering here is a generic class that should contain one or more static functions that resolve one +or many fields. How those functions will be discovered relies on the *resolver strategy*. + +### Resolver strategy + +Each schema config accepts a `resolverStrategy` property. This should map to a callable that will return +a method name given a class name, type name, and [`Field`](api:SilverStripe\GraphQL\Schema\Field\Field) instance. + +```php +namespace App\GraphQL\Resolver; + +use SilverStripe\GraphQL\Schema\Field\Field; + +class Strategy +{ + public static function getResolverMethod(string $className, ?string $typeName = null, ?Field $field = null): ?string + { + // strategy logic here + } +} +``` + +#### The default resolver strategy + +By default, all schemas use [`DefaultResolverStrategy::getResolverMethod()`](api:SilverStripe\GraphQL\Schema\Resolver\DefaultResolverStrategy::getResolverMethod()) +to discover resolver functions. The logic works like this: + +- Does `resolve` exist? + - Yes? Return that method name + - No? Continue +- Does `resolve` exist? + - Yes? Return that method name + - No? Continue +- Does `resolve` exist? + - Yes? Return that method name + - No? Continue +- Does `resolve` exist? + - Yes? Return that method name + - No? Return null. This resolver cannot be discovered + +Let's look at our query again: + +```graphql +query { + readCountries { + name + } +} +``` + +Imagine we have two classes registered under `resolvers` - `ClassA` and `ClassB` + +```yml +# app/_graphql/config.yml +resolvers: + - App\GraphQL\Resolver\ClassA + - App\GraphQL\Resolver\ClassB +``` + +The `DefaultResolverStrategy` will check for methods in this order: + +- `ClassA::resolveCountryName()` +- `ClassA::resolveCountry()` +- `ClassA::resolveName()` +- `ClassA::resolve()` +- `ClassB::resolveCountryName()` +- `ClassB::resolveCountry()` +- `ClassB::resolveName()` +- `ClassB::resolve()` +- Return `null`. + +You can implement whatever strategy you like in your schema. Just register it to `resolverStrategy` in the config. + +```yml +# app/_graphql/config.yml +resolverStrategy: [ 'App\GraphQL\Resolver\Strategy', 'getResolverMethod' ] +``` + +Let's add a resolver method to our resolver provider: + +```php +// app/src/GraphQL/Resolver/MyResolver.php +namespace App\GraphQL\Resolver; + +use SilverStripe\Core\Injector\Injector; +use SilverStripe\i18n\Data\Locales; + +class MyResolver +{ + public static function resolveReadCountries() + { + $results = []; + $countries = Injector::inst()->get(Locales::class)->getCountries(); + foreach ($countries as $code => $name) { + $results[] = [ + 'code' => $code, + 'name' => $name, + ]; + } + + return $results; + } +} +``` + +Now that we're using logic to discover our resolver, we can remove our resolver method declarations from the individual +queries and instead just register the resolver class. + +```yml +# app/_graphql/config.yml +resolvers: + - App\GraphQL\Resolver\MyResolver +``` + +```yml +# app/_graphql/schema.yml + queries: + readCountries: '[Country]' +``` + +Re-run the schema build, with a flush (because we created a new PHP class), and let's go! + +`vendor/bin/sake dev/graphql/build schema=default flush=1` + +### Field resolvers + +A less magical approach to resolver discovery is defining a `fieldResolver` property on your +types. This is a generic handler for all fields on a given type and can be a nice middle +ground between the rigor of hard coding everything at a query level, and the opacity of discovery logic. + +```yml +# app/_graphql/schema.yml +types: + Country: + fields: + name: String + code: String + fieldResolver: [ 'App\GraphQL\Resolver\MyResolver', 'resolveCountryFields' ] +``` + +In this case the registered resolver method will be used to resolve any number of fields. +You'll need to do explicit checks for the field name in your resolver to make this work. + +```php +namespace App\GraphQL\Resolver; + +use GraphQL\Type\Definition\ResolveInfo; + +class MyResolver +{ + // ... + + public static function resolveCountryFields($obj, $args, $context, ResolveInfo $info) + { + $fieldName = $info->fieldName; + if ($fieldName === 'image') { + return $obj->getImage()->getURL(); + } + // ... + } +} +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/04_adding_arguments.md b/docs/en/03_working_with_generic_types/04_adding_arguments.md new file mode 100644 index 00000000..62b13734 --- /dev/null +++ b/docs/en/03_working_with_generic_types/04_adding_arguments.md @@ -0,0 +1,84 @@ +--- +title: Adding arguments +summary: Add arguments to your fields, queries, and mutations +--- + +# Working with generic types + +[CHILDREN asList] + +## Adding arguments + +Fields can have arguments, and queries are just fields, so let's add a simple +way of influencing our query response: + +```yml +# app/_graphql/schema.yml +queries: + 'readCountries(limit: Int!)': '[Country]' +``` + +> [!TIP] +> In the above example, the `limit` argument is *required* by making it non-nullable. If you want to be able +> to get an un-filtered list, you can instead allow the argument to be nullable by removing the `!`: +> `'readCountries(limit: Int)': '[Country]'` + +We've provided the required argument `limit` to the query, which will allow us to truncate the results. +Let's update the resolver accordingly. + +```php +namespace App\GraphQL\Resolver; + +use SilverStripe\Core\Injector\Injector; +use SilverStripe\i18n\Data\Locales; + +class MyResolver +{ + public static function resolveReadCountries($obj, array $args = []) + { + $limit = $args['limit']; + $results = []; + $countries = Injector::inst()->get(Locales::class)->getCountries(); + $countries = array_slice($countries, 0, $limit); + + foreach ($countries as $code => $name) { + $results[] = [ + 'code' => $code, + 'name' => $name, + ]; + } + + return $results; + } +} +``` + +Now let's try our query again. This time, notice that the IDE is telling us we're missing a required argument. +We need to add the argument to our query: + +```graphql +query { + readCountries(limit: 5) { + name + code + } +} +``` + +This works pretty well, but maybe it's a bit over the top to *require* the `limit` argument. We want to optimise +performance, but we also don't want to burden the developer with tedium like this. Let's give it a default value. + +```yml +# app/_graphql/schema.yml +queries: + 'readCountries(limit: Int = 20)': '[Country]' +``` + +Rebuild the schema and try the query again without adding a limit in the query. Notice that the IDE is no longer +yelling at you for a `limit` argument, but the result list is limited to the first 20 items. + +Let's take this a step further by turning this in to a proper [paginated result](adding_pagination). + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/05_adding_pagination.md b/docs/en/03_working_with_generic_types/05_adding_pagination.md new file mode 100644 index 00000000..d207e783 --- /dev/null +++ b/docs/en/03_working_with_generic_types/05_adding_pagination.md @@ -0,0 +1,113 @@ +--- +title: Adding pagination +summary: Add the pagination plugin to a generic query +--- +# Working with generic types + +[CHILDREN asList] + +## Adding pagination + +So far in this section we've created a simple generic query for a `Country` type called `readCountries` that takes a +`limit` argument. + +```graphql +query { + readCountries(limit: 5) { + name + code + } +} +``` + +Let's take this a step further and paginate it using a plugin. + +### The `paginate` plugin + +Since pagination is a fairly common task, we can take advantage of some reusable code here and just add a generic +plugin for paginating. + +> [!WARNING] +> If you're paginating a `DataList`, you might want to consider using models with read operations (instead of declaring +> them as generic types with generic queries), which paginate by default using the `paginateList` plugin. +> You can use generic typing and follow the below instructions too but it requires code that, for `DataObject` models, +> you get for free. + +Let's add the plugin to our query: + +```yml +# app/_graphql/schema.yml +queries: + readCountries: + type: '[Country]' + plugins: + paginate: {} +``` + +Right now the plugin will add the necessary arguments to the query, and update the return types. But +we still need to provide this generic plugin a way of actually limiting the result set, so we need a resolver. + +```yml +# app/_graphql/schema.yml +queries: + readCountries: + type: '[Country]' + plugins: + paginate: + resolver: ['App\GraphQL\Resolver\MyResolver', 'paginateCountries'] +``` + +Let's write that resolver code now: + +```php +namespace App\GraphQL\Resolver; + +use Closure; +use SilverStripe\GraphQL\Schema\Plugin\PaginationPlugin; + +class MyResolver +{ + public static function paginateCountries(array $context): Closure + { + $maxLimit = $context['maxLimit']; + return function (array $countries, array $args) use ($maxLimit) { + $offset = $args['offset']; + $limit = $args['limit']; + $total = count($countries); + if ($limit > $maxLimit) { + $limit = $maxLimit; + } + + $limitedList = array_slice($countries, $offset, $limit); + + return PaginationPlugin::createPaginationResult($total, $limitedList, $limit, $offset); + }; + } +} +``` + +A couple of things are going on here: + +- Notice the new design pattern of a **context-aware resolver**. Since the plugin is configured with a `maxLimit` +parameter, we need to get this information to the function that is ultimately used in the schema. Therefore, +we create a dynamic function in a static method by wrapping it with context. It's kind of like a decorator. +- As long as we can do the work of counting and limiting the array, the [`PaginationPlugin`](api:SilverStripe\GraphQL\Schema\Plugin\PaginationPlugin) +can handle the rest. It will return an array including `edges`, `nodes`, and `pageInfo`. + +Rebuild the schema and test it out: + +`vendor/bin/sake dev/graphql/build schema=default` + +```graphql +query { + readCountries(limit:3, offset:4) { + nodes { + name + } + } +} +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/06_adding_descriptions.md b/docs/en/03_working_with_generic_types/06_adding_descriptions.md new file mode 100644 index 00000000..ebc87012 --- /dev/null +++ b/docs/en/03_working_with_generic_types/06_adding_descriptions.md @@ -0,0 +1,54 @@ +--- +title: Adding descriptions +summary: Add descriptions to just about anything in your schema to improve your developer experience +--- +# Working with generic types + +[CHILDREN asList] + +## Adding descriptions + +One of the great features of a schema-backed API is that it is self-documenting. If you use +the [`silverstripe/graphql-devtools`](https://github.com/silverstripe/silverstripe-graphql-devtools) +module you can see the documentation by navigating to /dev/graphql/ide in your browser anc clicking +on "DOCS" on the right. + +Many API developers choose to maximise the benefit of this by adding descriptions to some or +all of the components of their schema. + +The trade-off for using descriptions is that the YAML configuration becomes a bit more verbose. + +Let's add some descriptions to our types and fields. + +```yml +# app/_graphql/schema.yml +types: + Country: + description: A record that describes one of the world's sovereign nations + fields: + code: + type: String! + description: The unique two-letter country code + name: + type: String! + description: The canonical name of the country, in English +``` + +We can also add descriptions to our query arguments. We'll have to remove the inline argument +definition to do that. + +```yml +# app/_graphql/schema.yml +queries: + readCountries: + type: '[Country]' + description: Get all the countries in the world + args: + limit: + type: Int = 20 + description: The limit that is applied to the result set +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/07_enums_unions_and_interfaces.md b/docs/en/03_working_with_generic_types/07_enums_unions_and_interfaces.md new file mode 100644 index 00000000..b6f44ef2 --- /dev/null +++ b/docs/en/03_working_with_generic_types/07_enums_unions_and_interfaces.md @@ -0,0 +1,114 @@ +--- +title: Enums, unions, and interfaces +summary: Add some non-object types to your schema +--- +# Working with generic types + +[CHILDREN asList] + +## Enums, unions, and interfaces + +In more complex schemas, you may want to define types that aren't simply a list of fields, or +"object types." These include enums, unions and interfaces. + +### Enum types + +Enum types are simply a list of string values that are possible for a given field. They are +often used in arguments to queries, such as `{sort: DESC}`. + +It's very easy to add enum types to your schema. Just use the `enums` section of the config. + +```yml +# app/_graphql/schema.yml +enums: + SortDirection: + values: + DESC: Descending order + ASC: Ascending order +``` + +### Interfaces + +An interface is a specification of fields that must be included on a type that implements it. +For example, an interface `Person` could include `firstName: String`, `surname: String`, and +`age: Int`. The types `Actor` and `Chef` would implement the `Person` interface, and therefore +querying for `Person` types can also give you `Actor` and `Chef` types in the result. Actors and +chefs must also have the `firstName`, `surname`, and `age` fields for such a query to work. + +To define an interface, use the `interfaces` section of the config. + +```yml +# app/_graphql/schema.yml +interfaces: + Person: + fields: + firstName: String! + surname: String! + age: Int! + resolveType: [ 'App\GraphQL\Resolver\MyResolver', 'resolvePersonType' ] +``` + +Interfaces must define a `resolve[Typename]Type` resolver method to inform the interface +which type it is applied to given a specific result. This method is non-discoverable and +must be applied explicitly. + +```php +namespace App\GraphQL\Resolver; + +use App\Model\Actor; +use App\Model\Chef; + +class MyResolver +{ + public static function resolvePersonType($object): string + { + if ($object instanceof Actor) { + return 'Actor'; + } + if ($object instanceof Chef) { + return 'Chef'; + } + } +} +``` + +### Union types + +A union type is used when a field can resolve to multiple types. For example, a query +for "Articles" could return a list containing both "Blog" and "NewsStory" types. + +To add a union type, use the `unions` section of the configuration. + +```yml +# app/_graphql/schema.yml +unions: + Article: + types: [ 'Blog', 'NewsStory' ] + typeResolver: [ 'App\GraphQL\Resolver\MyResolver', 'resolveArticleUnion' ] +``` + +Like interfaces, unions need to know how to resolve their types. These methods are also +non-discoverable and must be applied explicitly. + +```php +namespace App\GraphQL\Resolver; + +use App\Model\Article; + +class MyResolver +{ + public static function resolveArticleUnion(Article $object): string + { + if ($object->category === 'blogs') { + return 'Blog'; + } + if ($object->category === 'news') { + return 'NewsStory'; + } + } +} +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/03_working_with_generic_types/index.md b/docs/en/03_working_with_generic_types/index.md new file mode 100644 index 00000000..c6af3d5e --- /dev/null +++ b/docs/en/03_working_with_generic_types/index.md @@ -0,0 +1,21 @@ +--- +title: Working with generic types +summary: Break away from the magic of DataObject models and build types and queries from scratch. +icon: clipboard +--- + +# Working with generic types + +In this section of the documentation, we cover the fundamentals that are behind a lot of the magic that goes +into making `DataObject` types work. We'll create some types that are not based on DataObjects at all, and we'll +write some custom queries from the ground up. + +This is useful for situations where your data doesn't come from a `DataObject`, or where you have very specific +requirements for your GraphQL API that don't easily map to the schema of your `DataObject` classes. + +> [!NOTE] +> Just because we won't be using DataObjects in this example doesn't mean you can't do it - you can absolutely +> declare `DataObject` classes as generic types. You would lose a lot of the benefits of the `DataObject` model +> in doing so, but this lower level API may suit your needs for very specific use cases. + +[CHILDREN] diff --git a/docs/en/04_security_and_best_practices/01_authentication.md b/docs/en/04_security_and_best_practices/01_authentication.md new file mode 100644 index 00000000..888d4832 --- /dev/null +++ b/docs/en/04_security_and_best_practices/01_authentication.md @@ -0,0 +1,107 @@ +--- +title: Authentication +summary: Ensure your GraphQL api is only accessible to provisioned users +icon: user-lock +--- + +# Security & best practices + +[CHILDREN asList] + +## Authentication + +Some Silverstripe CMS resources have permission requirements to perform CRUD operations +on, for example the `Member` object in the previous examples. + +If you are logged into the CMS and performing a request from the same session then +the same `Member` session is used to authenticate GraphQL requests, however if you +are performing requests from an anonymous/external application you may need to +authenticate before you can complete a request. + +> [!WARNING] +> Please note that when implementing GraphQL resources it is the developer's +> responsibility to ensure that permission checks are implemented wherever +> resources are accessed. + +### Default authentication + +The [`MemberAuthenticator`](api:SilverStripe\GraphQL\Auth\MemberAuthenticator) class is +configured as the default option for authentication, +and will attempt to use the current CMS `Member` session for authentication context. + +**If you are using the default session-based authentication, please be sure that you have +not disabled the [CSRF Middleware](csrf_protection). (It is enabled by default).** + +### HTTP basic authentication + +Silverstripe CMS has built-in support for [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). + +There is a [`BasicAuthAuthenticator`](api:SilverStripe\GraphQL\Auth\BasicAuthAuthenticator) +which can be configured for GraphQL that +will only activate when required. It is kept separate from the Silverstripe CMS +authenticator because GraphQL needs to use the successfully authenticated member +for CMS permission filtering, whereas the global [`BasicAuth`](api:SilverStripe\Security\BasicAuth) does not log the +member in or use it for model security. Note that basic auth will bypass MFA authentication +so if MFA is enabled it is not recommended that you also use basic auth for GraphQL. + +When using HTTP basic authentication, you can feel free to remove the [CSRF Middleware](csrf_protection), +as it just adds unnecessary overhead to the request. + +#### In graphiQL + +If you want to add basic authentication support to your GraphQL requests you can +do so by adding a custom `Authorization` HTTP header to your GraphiQL requests. + +If you are using the [GraphiQL macOS app](https://github.com/skevy/graphiql-app) +this can be done from "Edit HTTP Headers". + +The `/dev/graphql/ide` endpoint in [`silverstripe/graphql-devtools`](https://github.com/silverstripe/silverstripe-graphql-devtools) +does not support custom HTTP headers at this point. + +Your custom header should follow the following format: + +```text +# Key: Value +Authorization: Basic aGVsbG86d29ybGQ= +``` + +`Basic` is followed by a [base64 encoded](https://en.wikipedia.org/wiki/Base64) +combination of your username, colon and password. The above example is `hello:world`. + +**Note:** Authentication credentials are transferred in plain text when using HTTP +basic authentication. We strongly recommend using TLS for non-development use. + +Example: + +```bash +php -r 'echo base64_encode("hello:world");' +# aGVsbG86d29ybGQ= +``` + +### Defining your own authenticators + +You will need to define the class under `SilverStripe\GraphQL\Auth\Handlers.authenticators`. +You can optionally provide a `priority` number if you want to control which +authenticator is used when multiple are defined (higher priority returns first). + +Authenticator classes need to implement the [`AuthenticatorInterface`](api:SilverStripe\GraphQL\Auth\AuthenticatorInterface) +interface, which requires you to define an `authenticate()` method to return a `Member` or `false`, and +and an `isApplicable()` method which tells the [`Handler`](api:SilverStripe\GraphQL\Auth\Handler) whether +or not this authentication method +is applicable in the current request context (provided as an argument). + +Here's an example for implementing HTTP basic authentication: + +> [!WARNING] +> Note that basic authentication for GraphQL will bypass Multi-Factor Authentication (MFA) if that's enabled. Using basic authentication for GraphQL is considered insecure if you are using MFA. + +```yml +SilverStripe\GraphQL\Auth\Handler: + authenticators: + - class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator + priority: 10 +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/04_security_and_best_practices/02_cors.md b/docs/en/04_security_and_best_practices/02_cors.md new file mode 100644 index 00000000..5ef567f2 --- /dev/null +++ b/docs/en/04_security_and_best_practices/02_cors.md @@ -0,0 +1,139 @@ +--- +title: Cross-Origin Resource Sharing (CORS) +summary: Ensure that requests to your API come from a whitelist of origins +--- + +# Security & best practices + +[CHILDREN asList] + +## Cross-Origin resource sharing (CORS) + +By default [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) is disabled in the GraphQL Server. This can be easily enabled via YAML: + +```yml +SilverStripe\GraphQL\Controller: + cors: + Enabled: true +``` + +Once you have enabled CORS you can then control four new headers in the HTTP Response. + +1. **Access-Control-Allow-Origin.** + + This lets you define which domains are allowed to access your GraphQL API. There are + 4 options: + + - **Blank**: Deny all domains (except localhost) + + ```yml + Allow-Origin: + ``` + + - **'\*'**: Allow requests from all domains. + + ```yml + Allow-Origin: '*' + ``` + + - **Single Domain**: Allow requests from one specific external domain. + + ```yml + Allow-Origin: 'https://my.domain.com' + ``` + + - **Multiple Domains**: Allow requests from multiple specified external domains. + + ```yml + Allow-Origin: + - 'https://my.domain.com' + - 'https://your.domain.org' + ``` + +1. **Access-Control-Allow-Headers.** + + Access-Control-Allow-Headers is part of a CORS 'pre-flight' request to identify + what headers a CORS request may include. By default, the GraphQL server enables the + `Authorization` and `Content-Type` headers. You can add extra allowed headers that + your GraphQL may need by adding them here. For example: + + ```yml + Allow-Headers: 'Authorization, Content-Type, Content-Language' + ``` + + > [!WARNING] + > If you add extra headers to your GraphQL server, you will need to write a + > custom resolver function to handle the response. + +1. **Access-Control-Allow-Methods.** + + This defines the HTTP request methods that the GraphQL server will handle. By + default this is set to `GET, PUT, OPTIONS`. Again, if you need to support extra + methods you will need to write a custom resolver to handle this. For example: + + ```yml + Allow-Methods: 'GET, PUT, DELETE, OPTIONS' + ``` + +1. **Access-Control-Max-Age.** + + Sets the maximum cache age (in seconds) for the CORS pre-flight response. When + the client makes a successful OPTIONS request, it will cache the response + headers for this specified duration. If the time expires or the required + headers are different for a new CORS request, the client will send a new OPTIONS + pre-flight request to ensure it still has authorisation to make the request. + This is set to 86400 seconds (24 hours) by default but can be changed in YAML as + in this example: + + ```yml + Max-Age: 600 + ``` + +1. **Access-Control-Allow-Credentials.** + + When a request's credentials mode (Request.credentials) is "include", browsers + will only expose the response to frontend JavaScript code if the + Access-Control-Allow-Credentials value is true. + + The Access-Control-Allow-Credentials header works in conjunction with the + XMLHttpRequest.withCredentials property or with the credentials option in the + Request() constructor of the Fetch API. For a CORS request with credentials, + in order for browsers to expose the response to frontend JavaScript code, both + the server (using the Access-Control-Allow-Credentials header) and the client + (by setting the credentials mode for the XHR, Fetch, or Ajax request) must + indicate that they’re opting in to including credentials. + + This is set to empty by default but can be changed in YAML as in this example: + + ```yml + Allow-Credentials: 'true' + ``` + +### Apply a CORS config to all GraphQL endpoints + +```yml +## CORS Config +SilverStripe\GraphQL\Controller: + cors: + Enabled: true + Allow-Origin: 'https://silverstripe.org' + Allow-Headers: 'Authorization, Content-Type' + Allow-Methods: 'GET, POST, OPTIONS' + Allow-Credentials: 'true' + Max-Age: 600 # 600 seconds = 10 minutes. +``` + +### Apply a CORS config to a single GraphQL endpoint + +```yml +## CORS Config +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\Controller.default: + properties: + corsConfig: + Enabled: false +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/04_security_and_best_practices/03_csrf_protection.md b/docs/en/04_security_and_best_practices/03_csrf_protection.md new file mode 100644 index 00000000..75382587 --- /dev/null +++ b/docs/en/04_security_and_best_practices/03_csrf_protection.md @@ -0,0 +1,45 @@ +--- +title: CSRF protection +summary: Protect destructive actions from cross-site request forgery +--- +# Security & best practices + +[CHILDREN asList] + +## CSRF tokens (required for mutations) + +Even if your GraphQL endpoints are behind authentication, it is still possible for unauthorised +users to access that endpoint through a [CSRF exploitation](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). This involves +forcing an already authenticated user to access an HTTP resource unknowingly (e.g. through a fake image), thereby hijacking the user's +session. + +In the absence of a token-based authentication system, like OAuth, the best countermeasure to this +is the use of a CSRF token for any requests that destroy or mutate data. + +By default, this module comes with a [`CSRFMiddleware`](api:SilverStripe\GraphQL\Middleware\CSRFMiddleware) +implementation that forces all mutations to check +for the presence of a CSRF token in the request. That token must be applied to a header named `X-CSRF-TOKEN`. + +In Silverstripe CMS, CSRF tokens are most commonly stored in the session as `SecurityID`, or accessed through +the [`SecurityToken`](api:SilverStripe\Security\SecurityToken) API, using `SecurityToken::inst()->getValue()`. + +Queries do not require CSRF tokens. + +### Disabling CSRF protection (for token-based authentication only) + +If you are using HTTP basic authentication or a token-based system like OAuth or [JWT](https://github.com/Firesphere/silverstripe-graphql-jwt), +you will want to remove the CSRF protection, as it just adds unnecessary overhead. You can do this by setting +the middleware to `false`. + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default: + class: SilverStripe\GraphQL\QueryHandler\QueryHandler + properties: + Middlewares: + csrf: false +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/04_security_and_best_practices/04_http_method_checking.md b/docs/en/04_security_and_best_practices/04_http_method_checking.md new file mode 100644 index 00000000..1a8c3cb1 --- /dev/null +++ b/docs/en/04_security_and_best_practices/04_http_method_checking.md @@ -0,0 +1,28 @@ +--- +title: Strict HTTP method checking +summary: Ensure requests are GET or POST +--- + +# Security & best practices + +[CHILDREN asList] + +## Strict HTTP method checking + +According to GraphQL best practices, mutations should be done over `POST`, while queries have the option +to use either `GET` or `POST`. By default, this module enforces the `POST` request method for all mutations. + +To disable that requirement, you can remove the [`HTTPMethodMiddleware`](api:SilverStripe\GraphQL\Middleware\HTTPMethodMiddleware) +from the [`QueryHandler`](api:SilverStripe\GraphQL\QueryHandler\QueryHandler). + +```yml +SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default: + class: SilverStripe\GraphQL\QueryHandler\QueryHandler + properties: + Middlewares: + httpMethod: false +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/04_security_and_best_practices/05_recursive_or_complex_queries.md b/docs/en/04_security_and_best_practices/05_recursive_or_complex_queries.md new file mode 100644 index 00000000..63cfb3f9 --- /dev/null +++ b/docs/en/04_security_and_best_practices/05_recursive_or_complex_queries.md @@ -0,0 +1,47 @@ +--- +title: Recursive or complex queries +summary: Protecting against potentially malicious queries +--- + +# Security & best practices + +[CHILDREN asList] + +## Recursive or complex queries + +GraphQL schemas can contain recursive types and circular dependencies. Recursive or overly complex queries can take up a lot of resources, +and could have a high impact on server performance and even result in a denial of service if not handled carefully. + +Before parsing queries, if a query is found to have more than 500 nodes, it is rejected. While executing queries there is a default query depth limit of 15 for all schemas with no complexity limit. + +You can customise the node limit and query depth and complexity limits by setting the following configuration: + +```yml +# app/_config/graphql.yml +--- +After: 'graphql-schema-global' +--- +SilverStripe\GraphQL\Schema\Schema: + schemas: + '*': + config: + max_query_nodes: 250 # default 500 + max_query_depth: 20 # default 15 + max_query_complexity: 100 # default unlimited +``` + +> [!NOTE] +> For calculating the query complexity, every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the query is the sum of all field scores. + +You can also configure these settings for individual schemas. This allows you to fine-tune the security of your custom public-facing schema without affecting the security of the schema used in the CMS. To do so, either replace `'*'` with the name of your schema in the YAML configuration above, or set the values under the `config` key for your schema using preferred file structure as defined in [configuring your schema](../getting_started/configuring_your_schema/). For example: + +```yml +# app/_graphql/config.yml +max_query_nodes: 250 +max_query_depth: 20 +max_query_complexity: 100 +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/04_security_and_best_practices/index.md b/docs/en/04_security_and_best_practices/index.md new file mode 100644 index 00000000..ea935db9 --- /dev/null +++ b/docs/en/04_security_and_best_practices/index.md @@ -0,0 +1,12 @@ +--- +title: Security & best practices +summary: A guide to keeping your GraphQL API secure and accessible +icon: user-lock +--- + +# Security and best practices + +In this section we'll cover several options you have for keeping your GraphQL API secure and compliant +with best practices. Some of these tools require configuration, while others come pre-installed. + +[CHILDREN] diff --git a/docs/en/05_plugins/01_overview.md b/docs/en/05_plugins/01_overview.md new file mode 100644 index 00000000..d60d7340 --- /dev/null +++ b/docs/en/05_plugins/01_overview.md @@ -0,0 +1,139 @@ +--- +title: What are plugins? +summary: An overview of how plugins work with the GraphQL schema +--- + +# Plugins + +[CHILDREN asList] + +## What are plugins? + +Plugins are used to distribute reusable functionality across your schema. Some examples of commonly used plugins include: + +- Adding versioning arguments to versioned DataObjects +- Adding a custom filter/sort arguments to `DataObject` queries +- Adding a one-off `VerisionedStage` enum to the schema +- Ensuring `Member` is in the schema +- And many more... + +### Default plugins + +By default, all schemas ship with some plugins installed that will benefit most use cases: + +- The `DataObject` model (i.e. any `DataObject` based type) has: + - An `inheritance` plugin that builds the interfaces, unions, and merges ancestral fields. + - An `inheritedPlugins` plugin (a bit meta!) that merges plugins from ancestral types into descendants. + installed). +- The `read` and `readOne` operations have: + - A `canView` plugin for hiding records that do not pass a `canView()` check +- The `read` operation has: + - A `paginateList` plugin for adding pagination arguments and types (e.g. `nodes`) + +In addition to the above, the `default` schema specifically ships with an even richer set of default +plugins, including: + +- A `versioning` plugin that adds `version` fields to the `DataObject` type (if `silverstripe/versioned` is installed) +- A `readVersion` plugin (if `silverstripe/versioned` is installed) that allows versioned operations on +`read` and `readOne` queries. +- A `filter` plugin for filtering queries (adds a `filter` argument) +- A `sort` plugin for sorting queries (adds a `sort` argument) + +All of these are defined in the `modelConfig` section of the schema (see [configuring your schema](../getting_started/configuring_your_schema)). + +#### Overriding default plugins + +You can override default plugins generically in the `modelConfig` section. + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + plugins: + inheritance: false # No `DataObject` models get this plugin unless opted into + operations: + read: + plugins: + paginateList: false # No `DataObject` models have paginated read operations unless opted into +``` + +You can override default plugins on your specific `DataObject` type and these changes will be inherited by descendants. + +```yml +# app/_graphql/models.yml +Page: + plugins: + inheritance: false +App\PageType\MyCustomPage: {} # now has no inheritance plugin +``` + +Likewise, you can do the same for operations: + +```yml +# app/_graphql/models.yml +Page: + operations: + read: + plugins: + readVersion: false +App\PageType\MyCustomPage: + operations: + read: true # has no readVersion plugin +``` + +### What plugins must do + +There isn't a huge API surface to a plugin. They just have to: + +- Implement at least one of several plugin interfaces +- Declare an identifier +- Apply themselves to the schema with the `apply(Schema $schema)` method +- Be registered with the [`PluginRegistry`](api:SilverStripe\GraphQL\Schema\Registry\PluginRegistry) + +### Available plugin interfaces + +Plugin interfaces are all found in the `SilverStripe\GraphQL\Schema\Interfaces` namespace + +- [`SchemaUpdater`](api:SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater): Make a one-off, context-free update to the schema +- [`QueryPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\QueryPlugin): Update a generic query +- [`MutationPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\MutationPlugin): Update a generic mutation +- [`TypePlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\TypePlugin): Update a generic type +- [`FieldPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\FieldPlugin): Update a field on a generic type +- [`ModelQueryPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\ModelQueryPlugin): Update queries generated by a model, e.g. `readPages` +- [`ModelMutationPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\ModelMutationPlugin): Update mutations generated by a model, e.g. `createPage` +- [`ModelTypePlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\ModelTypePlugin): Update types that are generated by a model +- [`ModelFieldPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\ModelFieldPlugin): Update a field on types generated by a model + +Wow, that's a lot of interfaces, right? This is owing mostly to issues around strict typing between interfaces, +and allows for a more expressive developer experience. Almost all of these interfaces have the same requirements, +just for different types. It's pretty easy to navigate if you know what you want to accomplish. + +### Registering plugins + +Plugins have to be registered to the `PluginRegistry` via the `Injector`. + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\Schema\Registry\PluginRegistry: + constructor: + - 'App\GraphQL\Plugin\MyPlugin' +``` + +### Resolver middleware and afterware + +The real power of plugins is the ability to distribute not just configuration across the schema, but +more importantly, *functionality*. + +Fields have their own resolvers already, so we can't really get into those to change +their functionality without a massive hack. This is where the idea of **resolver middleware** and +**resolver afterware** comes in really useful. + +**Resolver middleware** runs *before* the field's assigned resolver +**Resolver afterware** runs *after* the field's assigned resolver + +Middlewares and afterwares are pretty straightforward. They get the same `$args`, `$context`, and `$info` +parameters as the assigned resolver, but the first argument, `$result` is mutated with each resolver. + +### Further reading + +[CHILDREN] diff --git a/docs/en/05_plugins/02_writing_a_simple_plugin.md b/docs/en/05_plugins/02_writing_a_simple_plugin.md new file mode 100644 index 00000000..47db3aee --- /dev/null +++ b/docs/en/05_plugins/02_writing_a_simple_plugin.md @@ -0,0 +1,100 @@ +--- +title: Writing a simple plugin +summary: In this tutorial, we add a simple plugin for string fields +--- + +# Plugins + +[CHILDREN asList] + +## Writing a simple plugin + +For this example, we want all `String` fields to have a `truncate` argument that will limit the length of the string +in the response. + +Because it applies to fields, we'll want to implement the [`FieldPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\FieldPlugin) +interface for this. + +```php +namespace App\GraphQL\Plugin; + +use SilverStripe\GraphQL\Schema\Field\Field; +use SilverStripe\GraphQL\Schema\Interfaces\FieldPlugin; +use SilverStripe\GraphQL\Schema\Schema; + +class Truncator implements FieldPlugin +{ + public function getIdentifier(): string + { + return 'truncate'; + } + + public function apply(Field $field, Schema $schema, array $config = []) + { + $field->addArg('truncate', 'Int'); + } +} +``` + +Now we've added an argument to any field that uses the `truncate` plugin. This is good, but it really +doesn't save us a whole lot of time. The real value here is that the field will automatically apply the truncation. + +For that, we'll need to augment our plugin with some *afterware*. + +```php +namespace App\GraphQL\Plugin; + +use SilverStripe\GraphQL\Schema\Field\Field; +use SilverStripe\GraphQL\Schema\Interfaces\FieldPlugin; +use SilverStripe\GraphQL\Schema\Schema; + +class Truncator implements FieldPlugin +{ + public function apply(Field $field, Schema $schema, array $config = []) + { + // Sanity check + Schema::invariant( + $field->getType() === 'String', + 'Field %s is not a string. Cannot truncate.', + $field->getName() + ); + + $field->addArg('truncate', 'Int'); + $field->addResolverAfterware([static::class, 'truncate']); + } + + public static function truncate(string $result, array $args): string + { + $limit = $args['truncate'] ?? null; + if ($limit) { + return substr($result, 0, $limit); + } + + return $result; + } +} +``` + +Let's register the plugin: + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\Schema\Registry\PluginRegistry: + constructor: + - 'App\GraphQL\Plugin\Truncator' +``` + +And now we can apply it to any string field we want: + +```yml +# app/_graphql/types.yml +Country: + name: + type: String + plugins: + truncate: true +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/05_plugins/03_writing_a_complex_plugin.md b/docs/en/05_plugins/03_writing_a_complex_plugin.md new file mode 100644 index 00000000..f81f3899 --- /dev/null +++ b/docs/en/05_plugins/03_writing_a_complex_plugin.md @@ -0,0 +1,328 @@ +--- +title: Writing a complex plugin +summary: In this tutorial, we'll create a plugin that affects models, queries, and input types +--- + +# Plugins + +[CHILDREN asList] + +## Writing a complex plugin + +For this example, we'll imagine that a lot of our DataObjects are geocoded, and this is ostensibly some kind of +`DataExtension` that adds lat/lon information to the `DataObject`, and maybe allows you to ask how close it is to +a given lat/lon pair. + +We want any queries using these DataObjects to be able to search within a radius of a given lat/lon. + +To do this, we'll need a few things: + +- DataObjects that are geocodable should always expose their lat/lon fields for GraphQL queries +- `read` operations for DataObjects that are geocodable should include a `within` parameter +- An input type for this lat/lon parameter should be globally available to the schema +- A resolver should automatically filter the result set by proximity. + +Let's get started. + +### Step 1: ensure `DataObject` models expose lat/lon fields + +Since we're dealing with `DataObject` models, we'll need to implement a [`ModelTypePlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\ModelTypePlugin). + +```php +namespace App\GraphQL\Plugin; + +use App\Geo\GeocodableExtension; +use SilverStripe\GraphQL\Schema\Interfaces\ModelTypePlugin; +use SilverStripe\GraphQL\Schema\Schema; +use SilverStripe\GraphQL\Schema\Type\ModelType; +// ... + +class GeocodableModelPlugin implements ModelTypePlugin +{ + public function getIdentifier(): string + { + return 'geocode'; + } + + public function apply(ModelType $type, Schema $schema, array $config = []): void + { + $class = $type->getModel()->getSourceClass(); + + // sanity check that this is a DataObject + Schema::invariant( + is_subclass_of($class, DataObject::class), + 'The %s plugin can only be applied to types generated by %s models', + __CLASS__, + DataObject::class + ); + + // only apply the plugin to geocodable DataObjects + if (!ViewableData::has_extension($class, GeocodableExtension::class)) { + return; + } + + $type->addField('Lat') + ->addField('Lon'); + } +} +``` + +And register the plugin: + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\Schema\Registry\PluginRegistry: + constructor: + - 'App\GraphQL\Plugin\GeocodableModelPlugin' +``` + +Once we've [applied the plugin](#step-5-apply-the-plugins), all DataObjects that have the `GeocodableExtension` extension will be forced to expose their lat/lon fields. + +### Step 2: add a new parameter to the queries + +We want any `readXXX` query to include a `within` parameter if it's for a geocodable `DataObject`. +For this, we're going to implement [`ModelQueryPlugin`](api:SilverStripe\GraphQL\Schema\Interfaces\ModelQueryPlugin), +because this is for queries generated by a model. + +```php +namespace App\GraphQL\Plugin; + +// ... + +class GeocodableQueryPlugin implements ModelQueryPlugin +{ + public function getIdentifier(): string + { + return 'geocodableQuery'; + } + + public function apply(ModelQuery $query, Schema $schema, array $config = []): void + { + $class = $query->getModel()->getSourceClass(); + // Only apply to geocodable objects + if (!ViewableData::has_extension($class, GeocodableExtension::class)) { + return; + } + + $query->addArg('within', 'SearchRadiusInput'); + } +} +``` + +Register the new plugin + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\Schema\Registry\PluginRegistry: + constructor: + - 'App\GraphQL\Plugin\GeocodableModelPlugin' + - 'App\GraphQL\Plugin\GeocodableQueryPlugin' +``` + +Now after we [apply the plugins](#step-5-apply-the-plugins), our read queries will have a new parameter: + +```graphql +query readEvents(within: ...) +``` + +But we're not done yet! What is `SearchRadiusInput`? We haven't defined that yet. Ideally, we want our query +to look like this: + +```graphql +query { + readEvents(within: { + lat: 123.123456, + lon: 123.123456, + proximity: 500, + unit: METER + }) { + nodes { + title + lat + lon + } + } +} +``` + +### Step 3: adding an input type + +We'll need this `SearchRadiusInput` to be shared across queries. It's not specific to any `DataObject`. +For this, we can implement [`SchemaUpdater`](api:SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater). +For tidiness, let's just to this in the same `GeocodeableQuery` class, since they share concerns. + +```php +namespace App\GraphQL\Plugin; + +use SilverStripe\GraphQL\Schema\Interfaces\SchemaUpdater; +use SilverStripe\GraphQL\Schema\Type\Enum; +use SilverStripe\GraphQL\Schema\Type\InputType; +// ... + +class GeocodableQueryPlugin implements ModelQueryPlugin, SchemaUpdater +{ + // ... + + public static function updateSchema(Schema $schema): void + { + $unitType = Enum::create('Unit', [ + 'METER' => 'METER', + 'KILOMETER' => 'KILOMETER', + 'FOOT' => 'FOOT', + 'MILE' => 'MILE', + ]); + $radiusType = InputType::create('SearchRadiusInput') + ->setFields([ + 'lat' => 'Float!', + 'lon' => 'Float!', + 'proximity' => 'Int!', + 'unit' => 'Unit!', + ]); + $schema->addType($unitType); + $schema->addType($unitType); + } +} +``` + +So now we can run queries with these parameters, but we need to somehow apply it to the result set. + +### Step 4: add a resolver to apply the filter + +All these DataObjects have their own resolvers already, so we can't really get into those to change +their functionality without a massive hack. This is where the idea of **resolver middleware** and +**resolver afterware** comes in really useful. + +**Resolver middleware** runs *before* the operation's assigned resolver +**Resolver afterware** runs *after* the operation's assigned resolver + +Middlewares and afterwares are pretty straightforward. They get the same `$args`, `$context`, and `$info` +parameters as the assigned resolver, but the first argument, `$result` is mutated with each resolver. + +In this case, we're going to be filtering our `DataList` procedurally and transforming it into an array. +We need to know that things like filters and sort have already been applied, because they expect a `DataList` +instance. So we'll need to do this fairly late in the chain. Afterware makes the most sense. + +```php +namespace App\GraphQL\Plugin; + +use App\Geo\Proximity; +// ... + +class GeocodableQueryPlugin implements ModelQueryPlugin, SchemaUpdater +{ + // ... + + public function apply(ModelQuery $query, Schema $schema, array $config = []): void + { + $class = $query->getModel()->getSourceClass(); + // Only apply to geocodable objects + if (!ViewableData::has_extension($class, GeocodableExtension::class)) { + return; + } + + $query->addArg('within', 'SearchRadiusInput'); + $query->addResolverAfterware([static::class, 'applyRadius']); + } + + public static function applyRadius($result, array $args): array + { + $results = []; + $proximity = new Proximity($args['unit'], $args['lat'], $args['lon']); + foreach ($result as $record) { + if ($proximity->isWithin($args['proximity'], $record->Lat, $record->Lon)) { + $results[] = $record; + } + } + + return $results; + } +} +``` + +Looking good! + +But there's still one little gotcha. This is likely to be run after pagination has been executed, so our +`$result` parameter is probably an array of `edges`, `nodes`, etc. + +```php +// app/src/GraphQL/Resolver/MyResolver.php +namespace App\GraphQL\Resolver; + +use App\Geo\Proximity; + +class MyResolver +{ + public static function applyRadius($result, array $args) + { + $results = []; + // imaginary class + $proximity = new Proximity($args['unit'], $args['lat'], $args['lon']); + foreach ($result['nodes'] as $record) { + if ($proximity->isWithin($args['proximity'], $record->Lat, $record->Lon)) { + $results[] = $record; + } + } + + return [ + 'edges' => $results, + 'nodes' => $results, + 'pageInfo' => $result['pageInfo'], + ]; + } +} +``` + +If we added this plugin in middleware rather than afterware, +we could filter the result set by a list of `IDs` early on, which would allow us to keep +a `DataList` throughout the whole cycle, but this would force us to loop over an +unlimited result set, and that's never a good idea. + +> [!WARNING] +> If you've picked up on the inconsistency that the `pageInfo` property is now inaccurate, this is a long-standing +> issue with doing post-query filters. Ideally, any middleware that filters a `DataList` should do it at the query level, +> but that's not always possible. + +### Step 5: apply the plugins + +We can apply the plugins to queries and DataObjects one of two ways: + +- Add them on a case-by-case basis to our config +- Add them as default plugins so that we never have to worry about it. + +Let's look at each approach: + +#### Case-by-case + +```yml +# app/_graphql/models.yml +App\Model\Event: + plugins: + geocode: true + fields: + title: true + operations: + read: + plugins: + geocodeableQuery: true +``` + +This can get pretty verbose, so you might just want to register them as default plugins for all DataObjects +and their `read` operations. In this case we've already added logic within the plugin itself to skip +DataObjects that don't have the `GeoCodable` extension. + +#### Apply by default + +```yml +# apply the `DataObject` plugin +SilverStripe\GraphQL\Schema\DataObject\DataObjectModel: + default_plugins: + geocode: true +# apply the query plugin +SilverStripe\GraphQL\Schema\DataObject\ReadCreator: + default_plugins: + geocodableQuery: true +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/05_plugins/index.md b/docs/en/05_plugins/index.md new file mode 100644 index 00000000..4d72382c --- /dev/null +++ b/docs/en/05_plugins/index.md @@ -0,0 +1,13 @@ +--- +title: Plugins +summary: Learn what plugins are and how you can use them to extend your schema +icon: file-code +--- + +# Plugins + +Plugins play a critical role in distributing reusable functionality across your schema. They can apply to just about +everything loaded into the schema, including types, fields, queries, mutations, and even specifically to model types +and their fields and operations. + +[CHILDREN] diff --git a/docs/en/06_extending/adding_a_custom_model.md b/docs/en/06_extending/adding_a_custom_model.md new file mode 100644 index 00000000..918d8d12 --- /dev/null +++ b/docs/en/06_extending/adding_a_custom_model.md @@ -0,0 +1,80 @@ +--- +title: Adding a custom model +summary: Add a new class-backed type beyond DataObject +--- +# Extending the schema + +[CHILDREN asList] + +## Adding a custom model + +The only point of contact the `silverstripe/graphql` schema has with +the Silverstripe ORM specifically is through the `DataObjectModel` adapter +and its associated plugins. This is important, because it means you +can plug in any schema-aware class as a model, and it will be afforded +all the same features as DataObjects. + +It is, however, hard to imagine a model-driven type that isn't +related to an ORM, so we'll keep this section simple and just describe +what the requirements are rather than think up an outlandish example +of what a non-`DataObject` model might be. + +### SchemaModelInterface + +Models must implement the [`SchemaModelInterface`](api:SilverStripe\GraphQL\Schema\Interfaces\SchemaModelInterface), +which has a lot of methods to implement. Let's walk through them: + +- `getIdentifier(): string`: A unique identifier for this model type, e.g. `DataObject` +- `hasField(string $fieldName): bool`: Return true if `$fieldName` exists +on the model +- `getTypeForField(string $fieldName): ?string`: Given a field name, +infer the type. If the field doesn't exist, return `null` +- `getTypeName(): string`: Get the name of the type (i.e. based on +the source class) +- `getDefaultResolver(?array $context = []): ResolverReference`: +Get the generic resolver that should be used for types that are built +with this model. +- `getSourceClass(): string`: Get the name of the class that builds +the type, e.g. `MyDataObject` +- `getAllFields(): array`: Get all available fields on the object +- `getModelField(string $fieldName): ?ModelType`: For nested fields. +If a field resolves to another model (e.g. has_one), return that +model type. + +In addition, models may want to implement: + +- [`OperationProvider`](api:SilverStripe\GraphQL\Schema\Interfaces\OperationProvider) (if your model creates operations, like +read, create, etc) +- [`DefaultFieldsProvider`](api:SilverStripe\GraphQL\Schema\Interfaces\DefaultFieldsProvider) (if your model provides a default list +of fields, e.g. `id`) + +This is all a lot to take in out of context. A good exercise would be +to look through how [`DataObjectModel`](api:SilverStripe\GraphQL\Schema\DataObject\DataObjectModel) implements all these methods. + +### SchemaModelCreatorInterface + +Given a class name, create an instance of [`SchemaModelCreatorInterface`](api:SilverStripe\GraphQL\Schema\Interfaces\SchemaModelCreatorInterface). +This layer of abstraction is necessary because we can't assume that +all implementations of `SchemaModelCreatorInterface` will accept a class name in their +constructors. + +Implementors of this interface just need to be able to report +whether they apply to a given class and create a model given a +class name. + +Look at the [`ModelCreator`](api:SilverStripe\GraphQL\Schema\DataObject\ModelCreator) implementation +for a good example of how this works. + +### Registering your model creator + +Just add it to the registry: + +```yml +# app/_graphql/config.yml +modelCreators: + - 'SilverStripe\GraphQL\Schema\DataObject\ModelCreator' +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/06_extending/adding_a_custom_operation.md b/docs/en/06_extending/adding_a_custom_operation.md new file mode 100644 index 00000000..a0657890 --- /dev/null +++ b/docs/en/06_extending/adding_a_custom_operation.md @@ -0,0 +1,119 @@ +--- +title: Adding a custom operation +summary: Add a new operation for model types +--- +# Extending the schema + +[CHILDREN asList] + +## Adding a custom operation + +By default, we get basic operations for our models, like `read`, `create`, +`update`, and `delete`, but we can add to this list by creating +an implementation of [`OperationProvider`](api:SilverStripe\GraphQL\Schema\Interfaces\OperationProvider) and registering it. + +Let's build a new operation that **duplicates** DataObjects. + +```php +namespace App\GraphQL; + +use SilverStripe\GraphQL\Schema\Field\ModelMutation; +use SilverStripe\GraphQL\Schema\Interfaces\ModelOperation; +use SilverStripe\GraphQL\Schema\Interfaces\OperationCreator; +use SilverStripe\GraphQL\Schema\Interfaces\SchemaModelInterface; +use SilverStripe\GraphQL\Schema\SchemaConfig; + +class DuplicateCreator implements OperationCreator +{ + public function createOperation( + SchemaModelInterface $model, + string $typeName, + array $config = [] + ): ?ModelOperation { + $mutationName = 'duplicate' . ucfirst(SchemaConfig::pluralise($typeName)); + + return ModelMutation::create($model, $mutationName) + ->setType($typeName) + ->addArg('id', 'ID!') + ->setDefaultResolver([static::class, 'resolve']) + ->setResolverContext([ + 'dataClass' => $model->getSourceClass(), + ]); + } +} +``` + +We add **resolver context** to the mutation because we need to know +what class to duplicate, but we need to make sure we still have a +static function. + +The signature for resolvers with context is: + +```php +namespace App\GraphQL\Resolvers; + +use Closure; + +class MyResolver +{ + public static function resolve(array $context): Closure + { + // ... + } +} +``` + +We use the context to pass to a function that we'll create dynamically. +Let's add that now. + +```php +namespace App\GraphQL; + +use Closure; +// ... +use SilverStripe\ORM\DataObject; + +class DuplicateCreator implements OperationCreator +{ + // ... + + public static function resolve(array $context = []): Closure + { + $dataClass = $context['dataClass'] ?? null; + return function ($obj, array $args) use ($dataClass) { + if (!$dataClass) { + return null; + } + return DataObject::get_by_id($dataClass, $args['id']) + ->duplicate(); + }; + } +} +``` + +Now, just add the operation to the `DataObjectModel` configuration +to make it available to all `DataObject` types. + +```yml +# app/_graphql/config.yml +modelConfig: + DataObject: + operations: + duplicate: + class: 'App\GraphQL\DuplicateCreator' +``` + +And use it: + +```yml +# app/_graphql/models.yml +App\Model\MyDataObject: + fields: '*' + operations: + read: true + duplicate: true +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/06_extending/adding_middleware.md b/docs/en/06_extending/adding_middleware.md new file mode 100644 index 00000000..b7b1104c --- /dev/null +++ b/docs/en/06_extending/adding_middleware.md @@ -0,0 +1,81 @@ +--- +title: Adding middleware +summary: Add middleware to to extend query execution +--- +# Extending the schema + +[CHILDREN asList] + +## Adding middleware + +Middleware is any piece of functionality that is interpolated into +a larger process. A key feature of middleware is that it can be used +with other middlewares in sequence and not have to worry about the order +of execution. + +In `silverstripe/graphql`, middleware is used for query execution, +but could ostensibly be used elsewhere too if the API ever accomodates +such an expansion. + +> [!WARNING] +> The middleware API in the `silverstripe/graphql` module is separate from other common middleware +> APIs in Silverstripe CMS, such as `HTTPMiddleware`. The two are not interchangable. + +The signature for middleware (defined in [`QueryMiddleware`](api:SilverStripe\GraphQL\Middleware\QueryMiddleware)) looks like this: + +```php +use GraphQL\Type\Schema; + +public abstract function process(Schema $schema, string $query, array $context, array $vars, callable $next); +``` + +The return value should be [`ExecutionResult`](api:GraphQL\Executor\ExecutionResult) or an `array`. + +- `$schema`: The underlying [Schema](https://webonyx.github.io/graphql-php/schema-definition/) object. + Useful to inspect whether types are defined in a schema. +- `$query`: The raw query string. +- `$context`: An arbitrary array which holds information shared between resolvers. + Use implementors of [`ContextProvider`](api:SilverStripe\GraphQL\Schema\Interfaces\ContextProvider) to get and set + data, rather than relying on the array keys directly. +- `$vars`: An array of (optional) [Query Variables](https://graphql.org/learn/queries/#variables). +- `$next`: A callable referring to the next middleware in the chain + +Let's write a simple middleware that logs our queries as they come in. + +```php +namespace App\GraphQL\Middleware; + +use GraphQL\Type\Schema; +use SilverStripe\GraphQL\Middleware\QueryMiddleware; +use SilverStripe\GraphQL\QueryHandler\UserContextProvider; +// ... + +class LoggingMiddleware implements QueryMiddleware +{ + public function process(Schema $schema, string $query, array $context, array $vars, callable $next) + { + $member = UserContextProvider::get($context); + + Injector::inst()->get(LoggerInterface::class) + ->info(sprintf( + 'Query executed: %s by %s', + $query, + $member ? $member->Title : ''; + )); + + // Hand off execution to the next middleware + return $next($schema, $query, $context, $vars); + } +} +``` + +Now we can register the middleware with our query handler: + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default: + class: SilverStripe\GraphQL\QueryHandler\QueryHandler + properties: + Middlewares: + logging: '%$App\GraphQL\Middleware\LoggingMiddleware' +``` diff --git a/docs/en/06_extending/global_schema.md b/docs/en/06_extending/global_schema.md new file mode 100644 index 00000000..6cd8ce7b --- /dev/null +++ b/docs/en/06_extending/global_schema.md @@ -0,0 +1,32 @@ +--- +title: The global schema +summary: How to push modifications to every schema in the project +--- + +# Extending the schema + +[CHILDREN asList] + +## The global schema + +Developers of thirdparty modules that influence GraphQL schemas may want to take advantage +of the *global schema*. This is a pseudo-schema that will merge itself with all other schemas +that have been defined. A good use case is in the `silverstripe/versioned` module, where it +is critical that all schemas can leverage its schema modifications. + +The global schema is named `*`. + +```yml +# app/_config/graphql.yml +SilverStripe\GraphQL\Schema\Schema: + schemas: + '*': + enums: + VersionedStage: + DRAFT: DRAFT + LIVE: LIVE +``` + +### Further reading + +[CHILDREN] diff --git a/docs/en/06_extending/index.md b/docs/en/06_extending/index.md new file mode 100644 index 00000000..692a36e6 --- /dev/null +++ b/docs/en/06_extending/index.md @@ -0,0 +1,13 @@ +--- +title: Extending the schema +summary: Add new functionality to the schema +icon: code +--- + +# Extending the schema + +In this section of the documentation, we'll look at some advanced +features for developers who want to extend their GraphQL server +using custom models, middleware, and new operations. + +[CHILDREN] diff --git a/docs/en/07_tips_and_tricks.md b/docs/en/07_tips_and_tricks.md new file mode 100644 index 00000000..0b528683 --- /dev/null +++ b/docs/en/07_tips_and_tricks.md @@ -0,0 +1,198 @@ +--- +title: Tips & Tricks +summary: Miscellaneous useful tips for working with your GraphQL schema +--- + +# Tips & tricks + +## Debugging the generated code + +By default, the generated PHP code is put into obfuscated classnames and filenames to prevent poisoning the search +tools within IDEs. Without this, you can search for something like "Page" in your IDE and get both a generated GraphQL +type (probably not what you want) and a `SiteTree` subclass (more likely what you want) in the results and have no easy way +of differentiating between the two. + +When debugging, however, it's much easier if these classnames are human-readable. To turn on debug mode, add `DEBUG_SCHEMA=1` +to your environment file. The classnames and filenames in the generated code directory will then match their type names. + +> [!WARNING] +> Take care not to use `DEBUG_SCHEMA=1` as an inline environment variable to your build command, e.g. +> `DEBUG_SCHEMA=1 vendor/bin/sake dev/graphql/build` because any activity that happens at run time, e.g. querying the schema +> will fail, since the environment variable is no longer set. + +In live mode, full obfuscation kicks in and the filenames become unreadable. You can only determine the type they map +to by looking at the generated classes and finding the `// @type:` inline comment, e.g. `// @type:Page`. + +This obfuscation is handled by the [`NameObfuscator`](api:SilverStripe\GraphQL\Schema\Storage\NameObfuscator) interface. + +There are various implementations: + +- [`NaiveNameObfuscator`](api:SilverStripe\GraphQL\Schema\Storage\NaiveNameObfuscator): Filename/Classname === Type name (debug only) +- [`HybridNameObfuscator`](api:SilverStripe\GraphQL\Schema\Storage\HybridNameObfuscator): Filename/Classname is a mix of the typename and a md5 hash (default). +- [`HashNameObfuscator`](api:SilverStripe\GraphQL\Schema\Storage\HashNameObfuscator): Filename/Classname is a md5 hash of the type name (non-dev only). + +## Getting the type name for a model class + +Often times, you'll need to know the name of the type given a class name. There's a bit of context to this. + +### Getting the type name from within your app + +If you need the type name during normal execution of your app, e.g. to display in your UI, you can rely +on the cached typenames, which are persisted alongside your generated schema code. + +```php +use SilverStripe\GraphQL\Schema\SchemaBuilder; + +SchemaBuilder::singleton()->read('default')->getTypeNameForClass($className); +``` + +## Persisting queries + +A common pattern in GraphQL APIs is to store queries on the server by an identifier. This helps save +on bandwidth, as the client doesn't need to put a fully expressed query in the request body - they can use a +simple identifier. Also, it allows you to whitelist only specific query IDs, and block all other ad-hoc, +potentially malicious queries, which adds an extra layer of security to your API, particularly if it's public. + +To implement persisted queries, you need an implementation of the +[`PersistedQueryMappingProvider`](api:SilverStripe\GraphQL\PersistedQuery\PersistedQueryMappingProvider) interface. +By default three are provided, which cover most use cases: + +- [`FileProvider`](api:SilverStripe\GraphQL\PersistedQuery\FileProvider): Store your queries in a flat JSON file on the local filesystem. +- [`HTTPProvider`](api:SilverStripe\GraphQL\PersistedQuery\HTTPProvider): Store your queries on a remote server and reference a JSON file by URL. +- [`JSONStringProvider`](api:SilverStripe\GraphQL\PersistedQuery\JSONStringProvider): Store your queries as hardcoded JSON + +### Configuring query mapping providers + +All of these implementations can be configured through `Injector`. + +> [!WARNING] +> Note that each schema gets its own set of persisted queries. In these examples, we're using the `default` schema. + +#### FileProvider + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\PersistedQuery\PersistedQueryMappingProvider: + class: SilverStripe\GraphQL\PersistedQuery\FileProvider + properties: + schemaMapping: + default: '/var/www/project/query-mapping.json' +``` + +A flat file in the path `/var/www/project/query-mapping.json` should contain something like: + +```json +{"someUniqueID":"query{validateToken{Valid Message Code}}"} +``` + +> [!WARNING] +> The file path must be absolute. + +#### HTTPProvider + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\PersistedQuery\PersistedQueryMappingProvider: + class: SilverStripe\GraphQL\PersistedQuery\HTTPProvider + properties: + schemaMapping: + default: 'https://www.example.com/myqueries.json' +``` + +A flat file at the URL `https://www.example.com/myqueries.json` should contain something like: + +```json +{"someUniqueID":"query{readMembers{Name+Email}}"} +``` + +#### JSONStringProvider + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\PersistedQuery\PersistedQueryMappingProvider: + class: SilverStripe\GraphQL\PersistedQuery\HTTPProvider + properties: + schemaMapping: + default: '{"myMutation":"mutation{createComment($comment:String!){Comment}}"}' +``` + +The queries are hardcoded into the configuration. + +### Requesting queries by identifier + +To access a persisted query, simply pass an `id` parameter in the request in lieu of `query`. + +`GET https://www.example.com/graphql?id=someID` + +> [!WARNING] +> Note that if you pass `query` along with `id`, an exception will be thrown. + +## Query caching (caution: EXPERIMENTAL) + +The [`QueryCachingMiddleware`](api:SilverStripe\GraphQL\Middleware\QueryCachingMiddleware) class is +an experimental cache layer that persists the results of a GraphQL +query to limit unnecessary calls to the database. The query cache is automatically expired when any +`DataObject` that it relies on is modified. The entire cache will be discarded on `?flush` requests. + +To implement query caching, add the middleware to your `QueryHandler` + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default: + class: SilverStripe\GraphQL\QueryHandler\QueryHandler + properties: + Middlewares: + cache: '%$SilverStripe\GraphQL\Middleware\QueryCachingMiddleware' +``` + +And you will also need to apply the [QueryRecorderExtension](api:SilverStripe\GraphQL\Extensions\QueryRecorderExtension) extension to all DataObjects: + +```yml +SilverStripe\ORM\DataObject: + extensions: + - SilverStripe\GraphQL\Extensions\QueryRecorderExtension +``` + +> [!WARNING] +> This feature is experimental, and has not been thoroughly evaluated for security. Use at your own risk. + +## Schema introspection {#schema-introspection} + +Some GraphQL clients such as [Apollo Client](https://www.apollographql.com/apollo-client) require some level of introspection +into the schema. The [`SchemaTranscriber`](api:SilverStripe\GraphQL\Schema\Services\SchemaTranscriber) +class will persist this data to a static file in an event +that is fired on completion of the schema build. This file can then be consumed by a client side library +like Apollo. + +```json +{ + "data":{ + "__schema":{ + "types":[ + { + "kind":"OBJECT", + "name":"Query", + "possibleTypes":null + } + // etc ... + ] + } + } +} +``` + +By default, the file will be stored in `public/_graphql/`. + +If you need these types for your own uses, add a new handler: + +```yml +SilverStripe\Core\Injector\Injector: + SilverStripe\EventDispatcher\Dispatch\Dispatcher: + properties: + handlers: + graphqlTranscribe: + on: [ graphqlSchemaBuild.mySchema ] + handler: '%$SilverStripe\GraphQL\Schema\Services\SchemaTranscribeHandler' +``` + +This handler will only apply to events fired in the `mySchema` context. diff --git a/docs/en/08_architecture_diagrams.md b/docs/en/08_architecture_diagrams.md new file mode 100644 index 00000000..69b0989e --- /dev/null +++ b/docs/en/08_architecture_diagrams.md @@ -0,0 +1,123 @@ +--- +title: Architecture Diagrams +summary: A visual overview of the architecture and design of silverstripe/graphql +icon: sitemap +--- + +# Architecture diagrams + +## A very high-level overview + +![A high-level overview of the lifecycle](../../_images/graphql/high-level-lifecycle.png) + +The schema is generated during a build step, which generates code generation artefacts. These artefacts are executed at request time, meaning the schema itself imposes no penalty on the response time. + +## The build process + +![A high-level view of the GraphQL build process](../../_images/graphql/build_process.png) + +- **`/dev/graphql/build`**: This is the command that builds the schema. It also runs as a side effect of `dev/build` as a fallback. It accepts a `schema` parameter if you only want to build one schema. + +- **Schema Factory**: This class is responsible for rebuilding a schema or fetching an existing one (i.e. as cached generated code) + +- **Schema**: The most central class that governs the composition of your GraphQL schema and all of the connected services. It is largely a value object hydrated by config files and executable PHP code. + +- **Plugins**: Plugins are the primary input for mutating the schema through thirdparty code. They can also be used in app code to augment core features, e.g. default resolvers for DataObjects. + +- **Storable Schema**: A value object that is agnostic of domain-specific entities like plugins and models, and just contains the finalised set of types, queries, mutations, interfaces, unions, and scalars. It cannot be mutated once created. + +- **Schema Storage**: By default, there is only one implementation of the schema storage service -- the code generator. It produces two artefacts that are accessed at request time: the schema config (a giant multi-dimensional array), and the schema code (a massive bank of classes that implement the `webonyx/graphql-php` library) + +## The request process + +![A high-level view of what happens during a GraphQL request](../../_images/graphql/request_process.png) + +There are two key processes that happen at request time. Although they're run in serial, they rely on state, so they're depicted above as separate paths. + +The controller receives the query as a request parameter and persists it as state. It then fetches the schema from the schema storage service (generated code). Then, the query is passed to a query handler service that runs the query through the generated schema code, into a stack of resolvers that execute in serial, much like a stack of middlewares, until finally the response is generated and sent down the wire. + +> [!NOTE] +> The concept of the "resolver stack" is illustrated later in this document. + +## Schema composition + +![A diagram of what makes up a GraphQL schema](../../_images/graphql/schema_composition.png) + +The `Schema` class is largely a value object that serves as the air traffic controller for the creation of a storable schema (i.e. generated code). Most of what it contains will be familiar to anyone with a basic understanding of GraphQL - types, mutations, queries, etc. The magic, however, is in its nonstandard components: models and config. + +Models are the layers of abstraction that create plain types and queries based on DataObjects. Imagine these few lines of config: + +```yml +App\Model\MyModel: + fields: + '*': true + operations: + read: true +``` + +It is the model's job to interpret what `*` or "all fields" means in that context (e.g. looking at `$db`, `$has_one`, etc). It also can create a read query for that `DataObject` with the simple `read: true` directive, and adding something `query readMyDataObjects` to the schema for you. Models are described in more detail below. There is also a lot more to learn about the model layer in the [Working with DataObjects](../working_with_DataObjects) section. + +The nonstandard "config" component here contains arbitrary directives, most of which influence the behaviour of models - for instance adding plugins and influencing how resolvers operate. + +The primary role of the `Schema` class is to create a "storable schema" - a readonly object that contains only standard GraphQL components. That is, all models have been transformed into plain types, queries, mutations, interfaces, etc., and the schema is ready to encode. + +## Models and model types + +![A diagram showing how GraphQL type schema for DataObjects is generated](../../_images/graphql/models.png) + +Model types are created by providing a class name to the schema. From there, it asks the `Model Creator` service to create a model for that class name. This may seem like an unnessary layer of abstraction, but in theory, models could be based on classes that are not DataObjects, and in such a case a new model creator would be required. + +The model type composes itself by interrogating the model, an implementation of `SchemaModelInterface`. This will almost always be `DataObjectModel`. The model is responsible for solving domain-specific problems pertaining to a Silverstripe project, including: + +- What type should be used for this field? +- Create an operation for this class, e.g. "read", "update" +- Add all the fields for this class +- How do I resolve this field? + +All model types eventually become plain GraphQL types when the `Schema` class creates a `StorableSchema` instance. + +## Plugins + +![A diagram showing a few of the plugin interfaces and what they are used for](../../_images/graphql/plugins.png) + +As explained in [available plugin interfaces](../plugins/overview#available-plugin-interfaces), there are a lot of interfaces available for implementing a plugin. This is because you will need different types passed into the `apply()` method depending on what the plugin is for. This is illustrated in the diagram above. + +## Resolver composition + +![A diagram showing how multiple resolvers can be used to get data for a single query](../../_images/graphql/resolver_composition.png) + +Injecting behaviour into resolvers is one of the main ways the schema can be customised. For instance, if you add a new argument to a query, the standard `DataObject` resolver will not know about it, so you'll want to write your own code to handle that argument. You could overwrite the entire resolver, but then you would lose key functionality from other plugins, like pagination, sort, and filtering. + +To this end, resolvers are a product of composition. Each bit of functionality is just another resolver in the "stack." The stack passes the result of the previous resolver to the next resolver, while the other three parameters, `$args, $context, $info` are immutable. + +This pattern allows, for instance, filter plugin to run `$obj = $obj->filter(...)` and pass this result to the next resolver. If that next resolver is responsible for pagination, it is not working with a filtered set of results and can get an accurate total count on the result set. + +### Resolver context + +![A diagram showing how some resolvers will be passed contextual information about the query, while others will not](../../_images/graphql/resolver_context.png) + +Sometimes, a resolver needs to be used in multiple contexts, for instance, a generic "read" resolver for a `DataObject` that simply runs `DataList::create($className)`. That `$className` parameter needs to come from somewhere. Normally we would use some kind of state on an instance, but because resolver methods must be static, we don't have that option. This gets really tricky. + +To solve this problem, we can use "resolver context". + +> [!NOTE] +> The word "context" is a bit overloaded here. This section has nothing to do with the `$context` parameter that is passed to all resolvers. + +When resolvers have context, they must be factories, or functions that return functions, using the following pattern: + +```php +namespace App\GraphQL\Resolvers; + +class MyResolver +{ + public static function resolve(array $resolverContext) + { + $someInfo = $resolverContext['foo']; + return function ($obj, $args, $context, $info) use ($someInfo) { + // ... + }; + } +} +``` + +As illustrated above, some resolvers in the stack can be provided context, while others may not. diff --git a/docs/en/index.md b/docs/en/index.md new file mode 100644 index 00000000..6a0bb6ef --- /dev/null +++ b/docs/en/index.md @@ -0,0 +1,7 @@ +# Silverstripe CMS GraphQL server + +GraphQL can be used as a content API layer for Silverstripe CMS to get data in and out of the content management system. + +For more information on GraphQL in general, visit its [documentation site](https://graphql.org). + +[CHILDREN includeFolders] diff --git a/src/Modules/AssetAdmin/FileFilter.php b/src/Modules/AssetAdmin/FileFilter.php new file mode 100644 index 00000000..d7d1cd3b --- /dev/null +++ b/src/Modules/AssetAdmin/FileFilter.php @@ -0,0 +1,114 @@ + 0) { + $list = $list->filter('ID', $filter['id']); + + if ($list->count() === 0) { + throw new HTTPResponse_Exception(_t( + 'SilverStripe\\AssetAdmin\\GraphQL\\FileFilter.FileNotFound', + 'File or Folder could not be found' + )); + } + } elseif (isset($filter['id']) && (int)$filter['id'] === 0) { + // Special case for root folder + $list = new ArrayList([new Folder([ + 'ID' => 0, + ])]); + } + + // track if search is being applied + $search = false; + + // Optionally limit search to a folder, supporting recursion + if (isset($filter['parentId'])) { + $recursive = !empty($filter['recursive']); + + if (!$recursive) { + $list = $list->filter('ParentID', $filter['parentId']); + } elseif ($filter['parentId']) { + // Note: Simplify parentID = 0 && recursive to no filter at all + $parents = AssetAdminFile::nestedFolderIDs($filter['parentId']); + $list = $list->filter('ParentID', $parents); + } + $search = true; + } + + if (!empty($filter['name'])) { + $list = $list->filterAny(array( + 'Name:PartialMatch' => $filter['name'], + 'Title:PartialMatch' => $filter['name'] + )); + $search = true; + } + + // Date filtering last edited + if (!empty($filter['lastEditedFrom'])) { + $fromDate = new DateField(null, null, $filter['lastEditedFrom']); + $list = $list->filter("LastEdited:GreaterThanOrEqual", $fromDate->dataValue().' 00:00:00'); + $search = true; + } + if (!empty($filter['lastEditedTo'])) { + $toDate = new DateField(null, null, $filter['lastEditedTo']); + $list = $list->filter("LastEdited:LessThanOrEqual", $toDate->dataValue().' 23:59:59'); + $search = true; + } + + // Date filtering created + if (!empty($filter['createdFrom'])) { + $fromDate = new DateField(null, null, $filter['createdFrom']); + $list = $list->filter("Created:GreaterThanOrEqual", $fromDate->dataValue().' 00:00:00'); + $search = true; + } + if (!empty($filter['createdTo'])) { + $toDate = new DateField(null, null, $filter['createdTo']); + $list = $list->filter("Created:LessThanOrEqual", $toDate->dataValue().' 23:59:59'); + $search = true; + } + + // Categories (mapped to extensions through the enum type automatically) + if (!empty($filter['appCategory'])) { + $list = $list->filter('Name:EndsWith', $filter['appCategory']); + $search = true; + } + + // Filter unknown id by known child if search is not applied + if (!$search && isset($filter['anyChildId'])) { + $child = File::get()->byID($filter['anyChildId']); + $id = $child ? ($child->ParentID ?: 0) : 0; + if ($id) { + $list = $list->filter('ID', $id); + } else { + // Special case for root folder, since filter by ID = 0 will return an empty list + $list = new ArrayList([new Folder([ + 'ID' => 0, + ])]); + } + } + + return $list; + } +} diff --git a/src/Modules/AssetAdmin/Notice.php b/src/Modules/AssetAdmin/Notice.php new file mode 100644 index 00000000..170746df --- /dev/null +++ b/src/Modules/AssetAdmin/Notice.php @@ -0,0 +1,98 @@ +message = $message; + $this->noticeType = $noticeType; + $this->ids = $ids; + } + + /** + * @return string + */ + public function getNoticeType() + { + return $this->noticeType; + } + + /** + * @param string $noticeType + * @return $this + */ + public function setNoticeType($noticeType) + { + $this->noticeType = $noticeType; + + return $this; + } + + /** + * @return array + */ + public function getIDs() + { + return $this->ids; + } + + /** + * @param array $ids + * @return $this + */ + public function setIDs($ids) + { + $this->ids = $ids; + + return $this; + } + + /** + * @return string + */ + public function getMessage() + { + return $this->message; + } + + /** + * @param string $message + * @return $this + */ + public function setMessage($message) + { + $this->message = $message; + + return $this; + } +} diff --git a/src/Modules/AssetAdmin/Resolvers/AssetAdminResolver.php b/src/Modules/AssetAdmin/Resolvers/AssetAdminResolver.php new file mode 100644 index 00000000..f5f08d44 --- /dev/null +++ b/src/Modules/AssetAdmin/Resolvers/AssetAdminResolver.php @@ -0,0 +1,328 @@ +byID($parentID); + if (!$parent) { + throw new InvalidArgumentException(sprintf( + '%s#%s not found', + Folder::class, + $parentID + )); + } + } + + $canCreateContext = []; + foreach ($args['file'] as $name => $val) { + $canCreateContext[$accessor->normaliseField(File::singleton(), $name)] = $val; + } + $member = UserContextProvider::get($context); + if (!File::singleton()->canCreate($member, $canCreateContext)) { + throw new InvalidArgumentException(sprintf( + '%s# create not allowed', + File::class + )); + } + + $file = File::create(); + foreach ($args['file'] as $name => $val) { + $field = $accessor->normaliseField($file, $name); + $file->$field = $val; + } + + $file->writeToStage(Versioned::DRAFT); + + return $file; + } + + public static function resolveCreateFolder($object, array $args, $context, ResolveInfo $info) + { + $accessor = FieldAccessor::singleton(); + $parentID = isset($args['folder']['parentId']) ? intval($args['folder']['parentId']) : 0; + if ($parentID) { + $parent = Versioned::get_by_stage(Folder::class, Versioned::DRAFT)->byID($parentID); + if (!$parent) { + throw new InvalidArgumentException(sprintf( + '%s#%s not found', + Folder::class, + $parentID + )); + } + } + + // Check permission + $canCreateContext = []; + foreach ($args['folder'] as $name => $val) { + $canCreateContext[$accessor->normaliseField(Folder::singleton(), $name)] = $val; + } + if (!Folder::singleton()->canCreate($context['currentUser'] ?? null, $canCreateContext)) { + throw new InvalidArgumentException(sprintf( + '%s create not allowed', + Folder::class + )); + } + + $folder = Folder::create(); + foreach ($args['folder'] as $name => $val) { + $field = $accessor->normaliseField($folder, $name); + $folder->$field = $val; + } + + $folder->writeToStage(Versioned::DRAFT); + + return $folder; + } + + public static function resolveDeleteFiles($object, array $args, $context, ResolveInfo $info) + { + if (!isset($args['ids']) || !is_array($args['ids'])) { + throw new InvalidArgumentException('ids must be an array'); + } + $idList = $args['ids']; + + $files = Versioned::get_by_stage(File::class, Versioned::DRAFT)->byIDs($idList); + if ($files->count() < count($idList ?? [])) { + // Find out which files count not be found + $missingIds = array_diff($idList ?? [], $files->column('ID')); + throw new InvalidArgumentException(sprintf( + '%s items %s are not found', + File::class, + implode(', ', $missingIds) + )); + } + + $deletedIDs = []; + $member = UserContextProvider::get($context); + foreach ($files as $file) { + if ($file->canArchive($member)) { + $file->doArchive(); + $deletedIDs[] = $file->ID; + } + } + + return $deletedIDs; + } + + public static function resolveMoveFiles($object, array $args, $context) + { + $folderId = (isset($args['folderId'])) ? $args['folderId'] : 0; + $member = UserContextProvider::get($context); + + if ($folderId) { + $folder = Versioned::get_by_stage(Folder::class, Versioned::DRAFT) + ->byID($folderId); + if (!$folder) { + throw new InvalidArgumentException(sprintf( + '%s#%s not found', + Folder::class, + $folderId + )); + } + + // Check permission + if (!$folder->canEdit($member)) { + throw new InvalidArgumentException(sprintf( + '%s edit not allowed', + Folder::class + )); + } + } + $files = Versioned::get_by_stage(File::class, Versioned::DRAFT) + ->byIDs($args['fileIds']); + $errorFiles = []; + foreach ($files as $file) { + if ($file->canEdit($member)) { + $file->ParentID = $folderId; + $file->writeToStage(Versioned::DRAFT); + } else { + $errorFiles[] = $file->ID; + } + } + + if ($errorFiles) { + throw new InvalidArgumentException(sprintf( + '%s (%s) edit not allowed', + File::class, + implode(', ', $errorFiles) + )); + } + + if (!isset($folder)) { + return Folder::singleton(); + } + return $folder; + } + + + public static function resolvePublicationNotice($value, array $args, array $context, ResolveInfo $info) + { + $fieldName = $info->fieldName; + $method = 'get'.$fieldName; + if (method_exists($value, $method ?? '')) { + return $value->$method(); + } + + throw new \Exception(sprintf( + 'Invalid field %s on %s', + $fieldName, + get_class($value) + )); + } + + /** + * @param $value + * @return string + */ + public static function resolvePublicationResultUnion($value): string + { + if ($value instanceof File) { + return 'File'; + } + if ($value instanceof Notice) { + return 'PublicationNotice'; + } + } + + public static function resolveReadDescendantFileCounts($object, array $args, $context, ResolveInfo $info): array + { + if (!isset($args['ids']) || !is_array($args['ids'])) { + throw new \InvalidArgumentException('ids must be an array'); + } + $ids = $args['ids']; + + $files = Versioned::get_by_stage(File::class, Versioned::DRAFT)->byIDs($ids); + if ($files->count() < count($ids ?? [])) { + $class = File::class; + $missingIds = implode(', ', array_diff($ids ?? [], $files->column('ID'))); + throw new \InvalidArgumentException("{$class} items {$missingIds} are not found"); + } + + $data = []; + foreach ($files as $file) { + if (!$file->canView($context['currentUser'])) { + continue; + } + $data[] = [ + 'id' => $file->ID, + 'count' => $file->getDescendantFileCount() + ]; + } + return $data; + } + + public static function resolveReadFileUsage($object, array $args, $context, ResolveInfo $info): array + { + if (!isset($args['ids']) || !is_array($args['ids'])) { + throw new InvalidArgumentException('ids must be an array'); + } + $idList = $args['ids']; + + $files = Versioned::get_by_stage(File::class, Versioned::DRAFT)->byIDs($idList); + if ($files->count() < count($idList ?? [])) { + // Find out which files count not be found + $missingIds = array_diff($idList ?? [], $files->column('ID')); + throw new InvalidArgumentException(sprintf( + '%s items %s are not found', + File::class, + implode(', ', $missingIds) + )); + } + + $usage = []; + $member = UserContextProvider::get($context); + foreach ($files as $file) { + if ($file->canView($member)) { + $useEntry = ['id' => $file->ID]; + $useEntry['inUseCount'] = $file instanceof Folder ? + $file->getFilesInUse()->count(): + $file->BackLinkTrackingCount(); + $usage[] = $useEntry; + } + } + + return $usage; + } + + /** + * @param $object + * @param array $args + * @param $context + * @param $info + * @return DataList + * @throws HTTPResponse_Exception + */ + public static function resolveReadFiles($object, array $args = [], $context = [], $info = null) + { + $filter = (!empty($args['filter'])) ? $args['filter'] : []; + $member = UserContextProvider::get($context); + + // Permission checks + $parent = Folder::singleton(); + if (isset($filter['parentId']) && $filter['parentId'] !== 0) { + $parent = Folder::get()->byID($filter['parentId']); + if (!$parent) { + throw new InvalidArgumentException(sprintf( + '%s#%s not found', + Folder::class, + $filter['parentId'] + )); + } + } + if (!$parent->canView($member)) { + throw new InvalidArgumentException(sprintf( + '%s#%s view access not permitted', + Folder::class, + $parent->ID + )); + } + + if (isset($filter['recursive']) && $filter['recursive']) { + throw new InvalidArgumentException(( + 'The "recursive" flag can only be used for the "children" field' + )); + } + + // Filter list + $list = Versioned::get_by_stage(File::class, Versioned::DRAFT); + $list = FileFilter::filterList($list, $filter); + + // Permission checks + $list = $list->filterByCallback(function (File $file) use ($context, $member) { + return $file->canView($member); + }); + + return $list; + } +} diff --git a/src/Modules/AssetAdmin/Resolvers/FieldResolver.php b/src/Modules/AssetAdmin/Resolvers/FieldResolver.php new file mode 100644 index 00000000..0f1dca1b --- /dev/null +++ b/src/Modules/AssetAdmin/Resolvers/FieldResolver.php @@ -0,0 +1,20 @@ +fieldName; + if ($obj->hasMethod($field)) { + return $obj->$field(); + } + $fieldName = FieldAccessor::singleton()->normaliseField($obj, $field); + return $obj->$fieldName; + } +} diff --git a/src/Modules/AssetAdmin/Resolvers/FileTypeResolver.php b/src/Modules/AssetAdmin/Resolvers/FileTypeResolver.php new file mode 100644 index 00000000..6f65e664 --- /dev/null +++ b/src/Modules/AssetAdmin/Resolvers/FileTypeResolver.php @@ -0,0 +1,189 @@ + '%$SilverStripe\AssetAdmin\Model\ThumbnailGenerator.graphql' + ]; + + /** + * @var ThumbnailGenerator + */ + private $thumbnailGenerator; + + /** + * @param $object + * @return mixed + */ + public static function resolveFileType($object) + { + return $object->FileType; + } + + /** + * @return string + */ + public static function resolveFolderType(): string + { + return 'folder'; + } + + /** + * @param File $object + * @return string + */ + public static function resolveFileCategory($object) + { + return $object->appCategory(); + } + + /** + * @return string + */ + public static function resolveFolderCategory(): string + { + return 'folder'; + } + + public static function resolveFileUrl($object) + { + return $object->AbsoluteURL; + } + + public static function resolveFileSize($object) + { + return $object->AbsoluteSize; + } + + /** + * @param File $object + * @return string|null + */ + public static function resolveFileSmallThumbnail($object) + { + // Make small thumbnail + $width = UploadField::config()->uninherited('thumbnail_width'); + $height = UploadField::config()->uninherited('thumbnail_height'); + return static::singleton() + ->getThumbnailGenerator() + ->generateThumbnailLink($object, $width, $height); + } + + /** + * @param File $object + * @return string|null + */ + public static function resolveFileThumbnail($object) + { + // Make large thumbnail + $width = AssetAdmin::config()->uninherited('thumbnail_width'); + $height = AssetAdmin::config()->uninherited('thumbnail_height'); + return static::singleton() + ->getThumbnailGenerator() + ->generateThumbnailLink($object, $width, $height); + } + + /** + * @param File $object + * @return string|null + */ + public static function resolveFileDraft($object) + { + return $object->isOnDraftOnly(); + } + + /** + * @param File $object + * @return string|null + */ + public static function resolveFilePublished($object) + { + return $object->isPublished(); + } + + /** + * @param File $object + * @return string|null` + */ + public static function resolveFileModified($object) + { + return $object->isModifiedOnDraft(); + } + + /** + * @param File|AssetAdminFile $object + * @return int + */ + public static function resolveFileDescendantFileCount($object) + { + return 0; + } + + /** + * @param File $object + * @return int + */ + public static function resolveFileInUseCount($object) + { + return $object->BackLinkTrackingCount(); + } + + /** + * @param AssetContainer $object + * @return string|null + */ + public static function resolveFileThumbnailFieldGraceful(AssetContainer $object): ?string + { + $width = AssetAdmin::config()->uninherited('thumbnail_width'); + $height = AssetAdmin::config()->uninherited('thumbnail_height'); + return static::singleton() + ->getThumbnailGenerator() + ->generateThumbnailLink($object, $width, $height, true); + } + + /** + * @param AssetContainer $object + * @return string|null + */ + public static function resolveFileSmallThumbnailFieldGraceful(AssetContainer $object): ?string + { + $width = UploadField::config()->uninherited('thumbnail_width'); + $height = UploadField::config()->uninherited('thumbnail_height'); + return static::singleton() + ->getThumbnailGenerator() + ->generateThumbnailLink($object, $width, $height, true); + } + + /** + * @return ThumbnailGenerator + */ + public function getThumbnailGenerator() + { + return $this->thumbnailGenerator; + } + + /** + * @param ThumbnailGenerator $generator + * @return $this + */ + public function setThumbnailGenerator(ThumbnailGenerator $generator) + { + $this->thumbnailGenerator = $generator; + return $this; + } +} diff --git a/src/Modules/AssetAdmin/Resolvers/FolderTypeResolver.php b/src/Modules/AssetAdmin/Resolvers/FolderTypeResolver.php new file mode 100644 index 00000000..31d5ce88 --- /dev/null +++ b/src/Modules/AssetAdmin/Resolvers/FolderTypeResolver.php @@ -0,0 +1,184 @@ +ID) { + throw new InvalidArgumentException(sprintf( + 'The "parentId" value (#%d) needs to match the current object id (#%d)', + (int)$filter['parentId'], + (int)$object->ID + )); + } + + $list = Versioned::get_by_stage(File::class, 'Stage'); + $filter['parentId'] = $object->ID; + $list = FileFilter::filterList($list, $filter); + + // Filter by permission + // DataQuery::column ignores surrogate sorting fields + // see https://github.com/silverstripe/silverstripe-framework/issues/8926 + // the following line is a workaround for `$ids = $list->column('ID');` + $ids = $list->dataQuery()->execute()->column('ID'); + + $permissionChecker = File::singleton()->getPermissionChecker(); + $member = UserContextProvider::get($context); + $canViewIDs = array_keys(array_filter($permissionChecker->canViewMultiple( + $ids, + $member + ) ?? [])); + // Filter by visible IDs (or force empty set if none are visible) + // Remove the limit as it no longer applies. We've already filtered down to the exact + // IDs we need. + $canViewList = $list->filter('ID', $canViewIDs ?: 0) + ->limit(null); + + return $canViewList; + } + + /** + * @param Folder|AssetAdminFile $object + * @param array $args + * @param array $context + * @param ResolveInfo $info + * @return int + */ + public static function resolveFolderDescendantFileCount($object, array $args, $context, ResolveInfo $info) + { + return $object->getDescendantFileCount(); + } + + /** + * @param Folder|AssetAdminFile $object + * @param array $args + * @param array $context + * @param ResolveInfo $info + * @return int + */ + public static function resolveFolderFilesInUseCount($object, array $args, $context, ResolveInfo $info) + { + return $object->getFilesInUse()->count(); + } + + /** + * @param File $object + * @param array $args + * @param array $context + * @param ResolveInfo $info + * @return File[] + */ + public static function resolveFolderParents($object, array $args, $context, ResolveInfo $info) + { + $parents = []; + $next = $object->Parent(); + while ($next && $next->isInDB()) { + array_unshift($parents, $next); + if ($next->ParentID) { + $next = $next->Parent(); + } else { + break; + } + } + + return $parents; + } + + /** + * @param array $context + * @return Closure + */ + public static function sortChildren(array $context): Closure + { + $fieldName = $context['fieldName']; + return function (?DataList $list, array $args) use ($fieldName) { + if ($list === null) { + return null; + } + + $sortArgs = $args[$fieldName] ?? []; + + $list = $list->alterDataQuery(static function (DataQuery $dataQuery) use ($sortArgs) { + $query = $dataQuery->query(); + $existingOrderBys = []; + foreach ($query->getOrderBy() as $field => $direction) { + if (strpos($field, '.') === false) { + // some fields may be surrogates added by extending augmentSQL + // we have to preserve those expressions rather than auto-generated names + // that SQLSelect::addOrderBy leaves for them (e.g. _SortColumn0) + $field = $query->expressionForField(trim($field, '"')) ?: $field; + } + $existingOrderBys[$field] = $direction; + } + + // Folders always go first + $dataQuery->sort( + sprintf( + '(CASE WHEN "ClassName"=%s THEN 1 ELSE 0 END)', + DB::get_conn()->quoteString(Folder::class) + ), + 'DESC', + true + ); + + foreach ($sortArgs as $field => $dir) { + $normalised = FieldAccessor::singleton()->normaliseField(File::singleton(), $field); + Schema::invariant( + $normalised, + 'Could not find field %s on %s', + $field, + File::class + ); + $dataQuery->sort($normalised, $dir, false); + } + + // respect default_sort + foreach ($existingOrderBys as $field => $dir) { + $dataQuery->sort($field, $dir, false); + } + + return $dataQuery; + }); + return $list; + }; + } +} diff --git a/src/Modules/AssetAdmin/Resolvers/PublicationResolver.php b/src/Modules/AssetAdmin/Resolvers/PublicationResolver.php new file mode 100644 index 00000000..f3ecbcf1 --- /dev/null +++ b/src/Modules/AssetAdmin/Resolvers/PublicationResolver.php @@ -0,0 +1,165 @@ +byIds($idList); + + // If warning suppression is not on, bundle up all the warnings into a single exception + if (!$quiet && $files->count() < count($idList ?? [])) { + $missingIds = array_diff($idList ?? [], $files->column('ID')); + foreach ($missingIds as $id) { + $warningMessages[] = sprintf( + 'File #%s either does not exist or is not on stage %s.', + $id, + $sourceStage + ); + } + } + $allowedFiles = []; + // Check permissions + foreach ($files as $file) { + $permissionMethod = $isPublish ? 'canPublish' : 'canUnpublish'; + $member = UserContextProvider::get($context); + if ($file->$permissionMethod($member)) { + $allowedFiles[] = $file; + } elseif (!$quiet) { + $warningMessages[] = sprintf( + 'User does not have permission to perform this operation on file "%s"', + $file->Title + ); + } + } + + if (!empty($warningMessages)) { + throw new InvalidArgumentException(implode('\n', $warningMessages)); + } + + foreach ($allowedFiles as $file) { + $result[] = $isPublish + ? PublicationResolver::publishFile($file, $force) + : PublicationResolver::unpublishFile($file, $force); + } + + return $result; + } + + /** + * @param File $file + * @param boolean $force + * @return File|Notice + */ + private static function publishFile(File $file, $force = false) + { + $file->publishRecursive(); + + return $file; + } + + + /** + * @param File|RecursivePublishable $file + * @param boolean $force + * @return Notice|File + */ + private static function unpublishFile(File $file, $force = false) + { + // If not forcing, make sure we aren't interfering with any owners + if (!$force) { + $ownersCount = PublicationResolver::countLiveOwners($file); + if ($ownersCount) { + return new Notice( + _t( + 'SilverStripe\\AssetAdmin\\GraphQL\\Resolvers\\PublicationResolver.OWNER_WARNING', + 'File "{file}" is used in {count} place|File "{file}" is used in {count} places.', + [ + 'file' => $file->Title, + 'count' => $ownersCount + ] + ), + 'HAS_OWNERS', + [$file->ID] + ); + } + } + + $file->doUnpublish(); + return $file; + } + + /** + * Count number of live owners this file uses + * + * @param File $file + * @return int Number of live owners + */ + private static function countLiveOwners(File $file): int + { + // In case no versioning + if (!$file->hasExtension(RecursivePublishable::class)) { + return 0; + } + + // Query live record + /** @var Versioned|RecursivePublishable $liveRecord */ + $liveRecord = Versioned::get_by_stage(File::class, Versioned::LIVE)->byID($file->ID); + if ($liveRecord) { + return $liveRecord + ->findOwners(false) + ->count(); + } + + // No live record, no live owners + return 0; + } +} diff --git a/src/Modules/AssetAdmin/Schema/Builder.php b/src/Modules/AssetAdmin/Schema/Builder.php new file mode 100644 index 00000000..534fcce8 --- /dev/null +++ b/src/Modules/AssetAdmin/Schema/Builder.php @@ -0,0 +1,33 @@ + $category]; + }, File::config()->get('app_categories') ?? []); + + // Sanitise GraphQL Enum aliases (some contain slashes) + foreach ($categoryValues as $key => $v) { + unset($categoryValues[$key]); + $newKey = strtoupper(preg_replace('/[^[[:alnum:]]]*/', '', $key ?? '') ?? ''); + $categoryValues[$newKey] = $v; + } + + $schema->addEnum(Enum::create('AppCategory', $categoryValues)); + } +} diff --git a/src/Modules/CMS/LinkablePlugin.php b/src/Modules/CMS/LinkablePlugin.php new file mode 100644 index 00000000..f441970f --- /dev/null +++ b/src/Modules/CMS/LinkablePlugin.php @@ -0,0 +1,103 @@ +getModel()->getSourceClass(); + // Only site trees have the get_by_link capability + if ($class !== SiteTree::class && !is_subclass_of($class, SiteTree::class)) { + return; + } + $singleFieldName = $this->config()->get('single_field_name'); + $listFieldName = $this->config()->get('list_field_name'); + $fieldName = $query->isList() ? $listFieldName : $singleFieldName; + $type = $query->isList() ? '[String]' : 'String'; + $query->addArg($fieldName, $type); + $query->addResolverAfterware( + $config['resolver'] ?? static::config()->get('resolver') + ); + } + + /** + * @param array $context + * @return callable + */ + public static function applyLinkFilter($obj, array $args, array $context, ResolveInfo $info) + { + $singleFieldName = static::config()->get('single_field_name'); + $listFieldName = static::config()->get('list_field_name'); + $filterLink = $args['filter'][$singleFieldName] ?? ($args['filter'][$listFieldName] ?? null); + $argLink = $args[$singleFieldName] ?? ($args[$listFieldName] ?? null); + $linkData = $filterLink ?: $argLink; + if (!$linkData) { + return $obj; + } + // Normalise to an array for both cases. The readOne operation will get + // ->first() run on it by the firstResult plugin. + $links = is_array($linkData) ? $linkData : [$linkData]; + + $result = ArrayList::create(); + + foreach ($links as $link) { + $page = SiteTree::get_by_link($link); + if ($page) { + $result->push($page); + } + } + return $result; + } +} diff --git a/src/Modules/CMS/Resolver.php b/src/Modules/CMS/Resolver.php new file mode 100644 index 00000000..3b511d4c --- /dev/null +++ b/src/Modules/CMS/Resolver.php @@ -0,0 +1,13 @@ +getSourceClass(), Versioned::class)) { + return null; + } + + $plugins = $config['plugins'] ?? []; + $name = $config['name'] ?? null; + if (!$name) { + $name = $this->createOperationName($typeName); + } + return ModelMutation::create($model, $name) + ->setPlugins($plugins) + ->setType($typeName) + ->setResolver([VersionedResolver::class, 'resolvePublishOperation']) + ->addResolverContext('action', $this->getAction()) + ->addResolverContext('dataClass', $model->getSourceClass()) + ->addArg('id', 'ID!'); + } + + abstract protected function createOperationName(string $typeName): string; + + abstract protected function getAction(): string; +} diff --git a/src/Modules/Versioned/Operations/CopyToStageCreator.php b/src/Modules/Versioned/Operations/CopyToStageCreator.php new file mode 100644 index 00000000..b92a1cc7 --- /dev/null +++ b/src/Modules/Versioned/Operations/CopyToStageCreator.php @@ -0,0 +1,69 @@ +getSourceClass(), Versioned::class)) { + return null; + } + + $plugins = $config['plugins'] ?? []; + $mutationName = $config['name'] ?? null; + if (!$mutationName) { + $mutationName = 'copy' . ucfirst($typeName ?? '') . 'ToStage'; + } + + return ModelMutation::create($model, $mutationName) + ->setType($typeName) + ->setPlugins($plugins) + ->setResolver([VersionedResolver::class, 'resolveCopyToStage']) + ->addResolverContext('dataClass', $model->getSourceClass()) + ->addArg('input', 'CopyToStageInputType!'); + } +} diff --git a/src/Modules/Versioned/Operations/PublishCreator.php b/src/Modules/Versioned/Operations/PublishCreator.php new file mode 100644 index 00000000..84bec300 --- /dev/null +++ b/src/Modules/Versioned/Operations/PublishCreator.php @@ -0,0 +1,35 @@ +getSourceClass(), Versioned::class)) { + return null; + } + + $defaultPlugins = $this->config()->get('default_plugins'); + $configPlugins = $config['plugins'] ?? []; + $plugins = array_merge($defaultPlugins, $configPlugins); + $mutationName = 'rollback' . ucfirst($typeName ?? ''); + return ModelMutation::create($model, $mutationName) + ->setPlugins($plugins) + ->setType($typeName) + ->setResolver([VersionedResolver::class, 'resolveRollback']) + ->addResolverContext('dataClass', $model->getSourceClass()) + ->addArg('id', [ + 'type' => 'ID!', + 'description' => 'The object ID that needs to be rolled back' + ]) + ->addArg('toVersion', [ + 'type' => 'Int!', + 'description' => 'The version of the object that should be rolled back to', + ]); + } +} diff --git a/src/Modules/Versioned/Operations/UnpublishCreator.php b/src/Modules/Versioned/Operations/UnpublishCreator.php new file mode 100644 index 00000000..61fa9c34 --- /dev/null +++ b/src/Modules/Versioned/Operations/UnpublishCreator.php @@ -0,0 +1,34 @@ +addResolverMiddleware( + [static::class, 'unpublishOnDelete'], + ['dataClass' => $mutation->getModel()->getSourceClass()] + ); + } + + /** + * @param array $context + * @return Closure + */ + public static function unpublishOnDelete(array $context) + { + $dataClass = $context['dataClass'] ?? null; + return function ($objects, array $args, array $context) use ($dataClass) { + if (!$dataClass) { + return; + } + if (!ViewableData::has_extension($dataClass, Versioned::class)) { + return; + } + DB::get_conn()->withTransaction(function () use ($args, $context, $dataClass) { + // Build list to filter + $objects = DataList::create($dataClass) + ->byIDs($args['ids']); + + foreach ($objects as $object) { + /** @var DataObject&Versioned $object */ + if (!$object->hasExtension(Versioned::class) || !$object->isPublished()) { + continue; + } + $member = UserContextProvider::get($context); + if (!$object->canUnpublish($member)) { + throw new Exception(sprintf( + 'Cannot unpublish %s with ID %s', + get_class($object), + $object->ID + )); + } + + $object->doUnpublish(); + } + }); + }; + } +} diff --git a/src/Modules/Versioned/Plugins/VersionedDataObject.php b/src/Modules/Versioned/Plugins/VersionedDataObject.php new file mode 100644 index 00000000..f84a819d --- /dev/null +++ b/src/Modules/Versioned/Plugins/VersionedDataObject.php @@ -0,0 +1,143 @@ +addModelbyClassName(Member::class); + // Hack.. we can't add a plugin within a plugin, so we have to add sort + // and pagination manually. This requires ensuring the sort types are added + // to the schema (most of the time this is redundant) + if (!$schema->getType('SortDirection')) { + AbstractQuerySortPlugin::updateSchema($schema); + } + if (!$schema->getType('PageInfo')) { + PaginationPlugin::updateSchema($schema); + } + } + + /** + * @param ModelType $type + * @param Schema $schema + * @param array $config + * @throws SchemaBuilderException + */ + public function apply(ModelType $type, Schema $schema, array $config = []): void + { + $class = $type->getModel()->getSourceClass(); + Schema::invariant( + is_subclass_of($class, DataObject::class), + 'The %s plugin can only be applied to types generated by %s models', + __CLASS__, + DataObject::class + ); + if (!ViewableData::has_extension($class, Versioned::class)) { + return; + } + + $versionName = $type->getModel()->getTypeName() . 'Version'; + $memberType = $schema->getModelByClassName(Member::class); + Schema::invariant( + $memberType, + 'The %s class was not added as a model. Should have been done in %s::%s?', + Member::class, + __CLASS__, + 'updateSchema' + ); + $memberTypeName = $memberType->getModel()->getTypeName(); + $resolver = ['resolver' => [VersionedResolver::class, 'resolveVersionFields']]; + + $type->addField('version', 'Int', function (ModelField $field) { + $field->addResolverAfterware([ScalarDBField::class, 'resolve']); + }); + + $versionType = Type::create($versionName) + ->addField('author', ['type' => $memberTypeName] + $resolver) + ->addField('publisher', ['type' => $memberTypeName] + $resolver) + ->addField('published', ['type' => 'Boolean'] + $resolver) + ->addField('liveVersion', ['type' => 'Boolean'] + $resolver) + ->addField('deleted', ['type' => 'Boolean'] + $resolver) + ->addField('draft', ['type' => 'Boolean'] + $resolver) + ->addField('latestDraftVersion', ['type' => 'Boolean'] + $resolver); + + foreach ($type->getFields() as $field) { + $clone = clone $field; + $versionType->addField($clone->getName(), $clone); + } + foreach ($type->getInterfaces() as $interface) { + $versionType->addInterface($interface); + } + + $schema->addType($versionType); + $type->addField('versions', '[' . $versionName . ']', function (Field $field) use ($type, $schema, $config) { + $field->setResolver([VersionedResolver::class, 'resolveVersionList']) + ->addResolverContext('sourceClass', $type->getModel()->getSourceClass()); + SortPlugin::singleton()->apply($field, $schema, [ + 'resolver' => [static::class, 'sortVersions'], + 'fields' => [ 'version' => true ], + ]); + Paginator::singleton()->apply($field, $schema); + }); + } + + /** + * @param array $config + * @return Closure + */ + public static function sortVersions(array $config): Closure + { + $fieldName = $config['fieldName']; + return function (Sortable $list, array $args) use ($fieldName) { + $versionSort = $args[$fieldName]['version'] ?? null; + if ($versionSort) { + $list = $list->sort('Version', $versionSort); + } + + return $list; + }; + } +} diff --git a/src/Modules/Versioned/Plugins/VersionedRead.php b/src/Modules/Versioned/Plugins/VersionedRead.php new file mode 100644 index 00000000..fb438e2f --- /dev/null +++ b/src/Modules/Versioned/Plugins/VersionedRead.php @@ -0,0 +1,53 @@ +getModel()->getSourceClass(); + if (!ViewableData::has_extension($class, Versioned::class)) { + return; + } + + // The versioned argument only affects global reading state. Should not + // apply to nested queries. + $rootQuery = $schema->getQueryType()->getFieldByName($query->getName()); + if (!$rootQuery) { + return; + } + + $query->addResolverAfterware([VersionedResolver::class, 'resolveVersionedRead']); + $query->addArg('versioning', 'VersionedInputType'); + } +} diff --git a/src/Modules/Versioned/Resolvers/VersionFilters.php b/src/Modules/Versioned/Resolvers/VersionFilters.php new file mode 100644 index 00000000..24a3b094 --- /dev/null +++ b/src/Modules/Versioned/Resolvers/VersionFilters.php @@ -0,0 +1,240 @@ +validateArgs($versioningArgs); + + $mode = $versioningArgs['mode']; + switch ($mode) { + case Versioned::LIVE: + case Versioned::DRAFT: + Versioned::set_stage($mode); + break; + case 'archive': + $date = $versioningArgs['archiveDate']; + Versioned::set_reading_mode($mode); + Versioned::reading_archived_date($date); + break; + } + } + + /** + * @template T of DataObject + * @param DataList $list + * @param array $versioningArgs + * @throws InvalidArgumentException + * @return DataList + */ + public function applyToList(DataList $list, array $versioningArgs): DataList + { + if ($list instanceof RelationList) { + throw new InvalidArgumentException(sprintf( + 'Version filtering cannot be applied to instances of %s. Are you using the plugin on a nested query?', + get_class($list) + )); + } + if (!isset($versioningArgs['mode'])) { + return $list; + } + + $this->validateArgs($versioningArgs); + + $mode = $versioningArgs['mode']; + switch ($mode) { + case Versioned::LIVE: + case Versioned::DRAFT: + $list = $list + ->setDataQueryParam('Versioned.mode', 'stage') + ->setDataQueryParam('Versioned.stage', $mode); + break; + case 'archive': + $date = $versioningArgs['archiveDate']; + $list = $list + ->setDataQueryParam('Versioned.mode', 'archive') + ->setDataQueryParam('Versioned.date', $date); + break; + case 'all_versions': + $list = $list->setDataQueryParam('Versioned.mode', 'all_versions'); + break; + case 'latest_versions': + $list = $list->setDataQueryParam('Versioned.mode', 'latest_versions'); + break; + case 'status': + // When querying by Status we need to ensure both stage / live tables are present + /* @var DataObject&Versioned $sng */ + $sng = singleton($list->dataClass()); + $baseTable = $sng->baseTable(); + $liveTable = $sng->stageTable($baseTable, Versioned::LIVE); + $statuses = $versioningArgs['status']; + + // If we need to search archived records, we need to manually join draft table + if (in_array('archived', $statuses ?? [])) { + $list = $list + ->setDataQueryParam('Versioned.mode', 'latest_versions'); + // Join a temporary alias BaseTable_Draft, renaming this on execution to BaseTable + // See Versioned::augmentSQL() For reference on this alias + $draftTable = $sng->stageTable($baseTable, Versioned::DRAFT) . '_Draft'; + $list = $list + ->leftJoin( + $draftTable, + "\"{$baseTable}\".\"ID\" = \"{$draftTable}\".\"ID\"" + ); + } else { + // Use draft as base query mode (base join live) + $draftTable = $baseTable; + $list = $list + ->setDataQueryParam('Versioned.mode', 'stage') + ->setDataQueryParam('Versioned.stage', Versioned::DRAFT); + } + + // Always include live table + $list = $list->leftJoin( + $liveTable, + "\"{$baseTable}\".\"ID\" = \"{$liveTable}\".\"ID\"" + ); + + // Add all conditions + $conditions = []; + + // Modified exist on both stages, but differ + if (in_array('modified', $statuses ?? [])) { + $conditions[] = "\"{$liveTable}\".\"ID\" IS NOT NULL AND \"{$draftTable}\".\"ID\" IS NOT NULL" + . " AND \"{$draftTable}\".\"Version\" <> \"{$liveTable}\".\"Version\""; + } + + // Is deleted and sent to archive + if (in_array('archived', $statuses ?? [])) { + // Note: Include items staged for deletion for the time being, as these are effectively archived + // we could split this out into "staged for deletion" in the future + $conditions[] = "\"{$draftTable}\".\"ID\" IS NULL"; + } + + // Is on draft only + if (in_array('draft', $statuses ?? [])) { + $conditions[] = "\"{$liveTable}\".\"ID\" IS NULL AND \"{$draftTable}\".\"ID\" IS NOT NULL"; + } + + if (in_array('published', $statuses ?? [])) { + $conditions[] = "\"{$liveTable}\".\"ID\" IS NOT NULL"; + } + + // Validate that all statuses have been handled + if (empty($conditions) || count($statuses ?? []) !== count($conditions ?? [])) { + throw new InvalidArgumentException("Invalid statuses provided"); + } + $list = $list->whereAny(array_filter($conditions ?? [])); + break; + case 'version': + // Note: Only valid for ReadOne + $list = $list->setDataQueryParam([ + "Versioned.mode" => 'version', + "Versioned.version" => $versioningArgs['version'], + ]); + break; + default: + throw new InvalidArgumentException("Unsupported read mode {$mode}"); + } + + return $list; + } + + /** + * @throws InvalidArgumentException + * @param $versioningArgs + */ + public function validateArgs(array $versioningArgs) + { + $mode = $versioningArgs['mode']; + + switch ($mode) { + case Versioned::LIVE: + case Versioned::DRAFT: + break; + case 'archive': + if (empty($versioningArgs['archiveDate'])) { + throw new InvalidArgumentException(sprintf( + 'You must provide an ArchiveDate parameter when using the "%s" mode', + $mode + )); + } + $date = $versioningArgs['archiveDate']; + if (!$this->isValidDate($date)) { + throw new InvalidArgumentException(sprintf( + 'Invalid date: "%s". Must be YYYY-MM-DD format', + $date + )); + } + break; + case 'all_versions': + break; + case 'latest_versions': + break; + case 'status': + if (empty($versioningArgs['status'])) { + throw new InvalidArgumentException(sprintf( + 'You must provide a Status parameter when using the "%s" mode', + $mode + )); + } + break; + case 'version': + // Note: Only valid for ReadOne + if (!isset($versioningArgs['version'])) { + throw new InvalidArgumentException( + 'When using the "version" mode, you must specify a Version parameter' + ); + } + break; + default: + throw new InvalidArgumentException("Unsupported read mode {$mode}"); + } + } + + /** + * Returns true if date is in proper YYYY-MM-DD format + * @param string $date + * @return bool + */ + protected function isValidDate($date) + { + $dt = DateTime::createFromFormat('Y-m-d', $date); + if ($dt === false) { + return false; + } + // DateTime::getLastErrors() has an undocumented difference pre PHP 8.2 for what's returned + // if there are no errors + // https://www.php.net/manual/en/datetime.getlasterrors.php + $errors = $dt->getLastErrors(); + // PHP 8.2 - will return false if no errors + if ($errors === false) { + return true; + } + // PHP 8.2+ will only return an array containing a count of errors only if there are errors + // PHP < 8.2 will always return an array containing a count of errors even if there are no errors + return array_sum($errors) === 0; + } +} diff --git a/src/Modules/Versioned/Resolvers/VersionedResolver.php b/src/Modules/Versioned/Resolvers/VersionedResolver.php new file mode 100644 index 00000000..4b152376 --- /dev/null +++ b/src/Modules/Versioned/Resolvers/VersionedResolver.php @@ -0,0 +1,269 @@ +fieldName) { + case 'author': + return $obj->Author(); + case 'publisher': + return $obj->Publisher(); + case 'published': + return $obj->WasPublished; + case 'draft': + return $obj->WasDraft; + case 'deleted': + return $obj->WasDeleted; + case 'liveVersion': + return $obj->isLiveVersion(); + case 'latestDraftVersion': + return $obj->isLatestDraftVersion(); + } + + return null; + } + + /** + * @param array $resolverContext + * @return Closure + * @see VersionedDataObject + */ + public static function resolveVersionList(array $resolverContext): Closure + { + $sourceClass = $resolverContext['sourceClass']; + return function ($object, array $args, array $context, ResolveInfo $info) use ($sourceClass) { + /** @var DataObject|Versioned $object */ + if (!$object->hasExtension(Versioned::class)) { + throw new Exception(sprintf( + 'Types using the %s plugin must have the Versioned extension applied. (See %s)', + VersionedDataObject::class, + $sourceClass + )); + } + $member = UserContextProvider::get($context); + if (!$object->canViewStage(Versioned::DRAFT, $member)) { + throw new Exception(sprintf( + 'Cannot view versions on %s', + $sourceClass + )); + } + + // Get all versions + return VersionedResolver::getVersionsList($object); + }; + } + + private static function getVersionsList(DataObject $object) + { + $id = $object->ID ?: $object->OldID; + $class = DataObject::getSchema()->baseDataClass($object); + return Versioned::get_all_versions($class, $id); + } + + /** + * @template T of DataObject + * @param DataList $list + * @param array $args + * @param array $context + * @param ResolveInfo $info + * @return DataList + * @see VersionedRead + */ + public static function resolveVersionedRead(DataList $list, array $args, array $context, ResolveInfo $info) + { + if (!isset($args['versioning'])) { + return $list; + } + + // Set the reading state globally, we don't support mixing versioned states in the same query + Injector::inst()->get(VersionFilters::class) + ->applyToReadingState($args['versioning']); + + // Also set on the specific list + $list = Injector::inst()->get(VersionFilters::class) + ->applyToList($list, $args['versioning']); + + return $list; + } + + /** + * @param array $context + * @return Closure + * @see CopyToStageCreator + */ + public static function resolveCopyToStage(array $context): Closure + { + $dataClass = $context['dataClass'] ?? null; + return function ($object, array $args, $context, ResolveInfo $info) use ($dataClass) { + if (!$dataClass) { + return; + } + + $input = $args['input']; + $id = $input['id']; + $to = $input['toStage']; + /** @var Versioned|DataObject $record */ + $record = null; + if (isset($input['fromVersion'])) { + $from = $input['fromVersion']; + $record = Versioned::get_version($dataClass, $id, $from); + } elseif (isset($input['fromStage'])) { + $from = $input['fromStage']; + $record = Versioned::get_by_stage($dataClass, $from)->byID($id); + } else { + throw new InvalidArgumentException('You must provide either a FromStage or FromVersion argument'); + } + if (!$record) { + throw new InvalidArgumentException("Record {$id} not found"); + } + + $member = UserContextProvider::get($context); + // Permission check object + $can = $to === Versioned::LIVE + ? $record->canPublish($member) + : $record->canEdit($member); + if (!$can) { + throw new InvalidArgumentException(sprintf( + 'Copying %s from %s to %s is not allowed', + $this->getTypeName(), + $from, + $to + )); + } + + /** @var DataObject|Versioned $record */ + $record->copyVersionToStage($from, $to); + return $record; + }; + } + + /** + * @param array $context + * @return Closure + */ + public static function resolvePublishOperation(array $context) + { + $action = $context['action'] ?? null; + $dataClass = $context['dataClass'] ?? null; + $allowedActions = [ + AbstractPublishOperationCreator::ACTION_PUBLISH, + AbstractPublishOperationCreator::ACTION_UNPUBLISH, + ]; + if (!in_array($action, $allowedActions ?? [])) { + throw new InvalidArgumentException(sprintf( + 'Invalid publish action: %s', + $action + )); + } + + $isPublish = $action === AbstractPublishOperationCreator::ACTION_PUBLISH; + + return function ($obj, array $args, array $context, ResolveInfo $info) use ($isPublish, $dataClass) { + if (!$dataClass) { + return; + } + $stage = $isPublish ? Versioned::DRAFT : Versioned::LIVE; + $obj = Versioned::get_by_stage($dataClass, $stage) + ->byID($args['id']); + if (!$obj) { + throw new Exception(sprintf( + '%s with ID %s not found', + $dataClass, + $args['id'] + )); + } + $permissionMethod = $isPublish ? 'canPublish' : 'canUnpublish'; + $member = UserContextProvider::get($context); + if (!$obj->$permissionMethod($member)) { + throw new Exception(sprintf( + 'Not allowed to change published state of this %s', + $dataClass + )); + } + + try { + DB::get_conn()->withTransaction(function () use ($obj, $isPublish) { + if ($isPublish) { + $obj->publishRecursive(); + } else { + $obj->doUnpublish(); + } + }); + } catch (ValidationException $e) { + throw new Exception( + 'Could not changed published state of %s. Got error: %s', + $dataClass, + $e->getMessage() + ); + } + return $obj; + }; + } + + /** + * @param array $context + * @return Closure + * @see RollbackCreator + */ + public static function resolveRollback(array $context) + { + $dataClass = $context['dataClass'] ?? null; + return function ($obj, array $args, array $context, ResolveInfo $info) use ($dataClass) { + if (!$dataClass) { + return; + } + // Get the args + $id = $args['id']; + $rollbackVersion = $args['toVersion']; + + // Pull the latest version of the record + /** @var Versioned|DataObject $record */ + $record = Versioned::get_latest_version($dataClass, $id); + + // Assert permission + $user = UserContextProvider::get($context); + if (!$record->canEdit($user)) { + throw new InvalidArgumentException('Current user does not have permission to roll back this resource'); + } + + // Perform the rollback + $record = $record->rollbackRecursive($rollbackVersion); + + return $record; + }; + } +} diff --git a/tests/Middleware/CSRFMiddlewareTest.php b/tests/Middleware/CSRFMiddlewareTest.php index b0349d7c..61487bbc 100644 --- a/tests/Middleware/CSRFMiddlewareTest.php +++ b/tests/Middleware/CSRFMiddlewareTest.php @@ -8,6 +8,26 @@ class CSRFMiddlewareTest extends BaseMiddlewareProcessTest { + private bool $securityTokenWasEnabled = false; + + protected function setUp(): void + { + parent::setUp(); + // CSRF token check is normally disabled for unit-tests + $this->securityTokenWasEnabled = SecurityToken::is_enabled(); + if (!$this->securityTokenWasEnabled) { + SecurityToken::enable(); + } + } + + protected function tearDown(): void + { + parent::tearDown(); + if (!$this->securityTokenWasEnabled) { + SecurityToken::disable(); + } + } + public function testItDoesntDoAnythingIfNotAMutation() { $this->assertEquals('resolved', $this->simulateMiddlewareProcess( diff --git a/tests/Schema/TestSchemaBuilder.php b/tests/Schema/TestSchemaBuilder.php index 05047971..33d8eff3 100644 --- a/tests/Schema/TestSchemaBuilder.php +++ b/tests/Schema/TestSchemaBuilder.php @@ -13,6 +13,7 @@ use SilverStripe\GraphQL\Schema\Logger; use SilverStripe\GraphQL\Schema\Schema; use SilverStripe\GraphQL\Schema\SchemaBuilder; +use SilverStripe\GraphQL\Schema\Services\SchemaTranscribeHandler; class TestSchemaBuilder extends SchemaBuilder { @@ -101,7 +102,9 @@ private function bootstrapSchema(string $key) 'properties' => [ 'handlers' => [ 'graphqlTranscribe' => [ - 'off' => ['graphqlSchemaBuild'] + 'off' => ['graphqlSchemaBuild'], + 'on' => ['graphqlSchemaBuild'], + 'handler' => '%$' . SchemaTranscribeHandler::class, ], ], ],