V0.3.40 patched#139
Open
asmgit wants to merge 5 commits into
Open
Conversation
…atalogs
MySQL connections expose every database on the server as a schema of the
attached catalog, so a self-described source wraps even the database the
connection is scoped to into a schema module and prefixes its GraphQL type
names: crm_db { crm { crm_clients } }.
Treat the DSN database as the connection default schema, the same way as
public (PostgreSQL) and main (DuckDB): its objects are exposed without a
schema module and without a schema prefix, while @table names stay
schema-qualified for SQL generation. Sources opt in via the new
DefaultSchemaProvider interface; only the mysql source implements it.
Co-Authored-By: Claude Fable 5 <[email protected]>
Introspection filtered type fields only by Visible() (the hidden flag), so a
field denied with {disabled:true} stayed listed in __schema/__type even though
querying it returns forbidden. The docs state disabled means "completely
inaccessible and not visible in introspection", and a role's introspected
schema should match its actual access. Also skip fields that are not Enabled
(disabled) so the exposed schema reflects the role's permissions; hidden-only
fields remain omitted-but-queryable as before.
Co-Authored-By: Claude Fable 5 <[email protected]>
CookieExtractor returned http.ErrNoCookie when the configured cookie was missing. golang-jwt/v5 MultiExtractor propagates any non-ErrNoTokenInRequest error immediately, so enabling jwt.cookie-name made every tokenless request (anonymous, admin secret, other providers) fail with "named cookie not present" instead of falling through. Return request.ErrNoTokenInRequest so the provider cleanly skips when neither header nor cookie carries a token. Co-Authored-By: Claude Fable 5 <[email protected]>
The data-object:* permission check ran for every object node in a query plan, including synthetic wrappers (module query types, aggregation types). A `data-object:query "*"` deny therefore blocked the module/aggregation wrappers that sit above a table in the path, so an exact per-table allow could never take effect (secure-by-default table permissions were unusable). Gate DataObjectDisabled/DataObjectFilter on Object.IsDataObject() so the rules apply only to real table/view objects; wrappers pass through and the filter/deny still lands on the underlying table node. Co-Authored-By: Claude Fable 5 <[email protected]>
A field whose return type is a data-object denied for the role (e.g. via a `data-object:query "*"` base-deny) was still shown in the role's introspected schema — access was forbidden but the entrypoint cluttered the Explorer tree. Omit such fields, mirroring the field-level disabled-hiding behavior, so the introspected schema matches the role's actual access. Guarded by sdl.IsDataObject on the resolved return type so module-query and aggregation wrapper types are never hidden (a wildcard rule must not hide the module field itself). Co-Authored-By: Claude Fable 5 <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.