Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Feature request: way to require only_fields

See original GitHub issue

There doesn’t seem to be a way to enforce only_fields on DjangoObjectTypes. This is a serious security issue, since fields all default to accessible, including Django’s automatically created reverse relation fields.

I tried to introspect this value, but it gets erased at class creation time. We only end up with MyType._meta.fields, which is a value computed from several inputs including only_fields. Possible solutions:

Copy only_fields onto _meta
Don’t delete the Meta attribute from the class in SubclassWithMeta
Official support for requiring only_fields, in the form of a configuration setting

Related: #516

Issue Analytics

State:
Created 4 years ago
Comments:9 (4 by maintainers)

Top GitHub Comments

1reaction

jkimbocommented, Jun 12, 2019

@reverie https://github.com/graphql-python/graphene/pull/1007

Also your code above can be a bit cleaner by using the typemap from the schema directly (when the above PR has been merged):

def enforce_only_fields(schema):
	types = schema.get_type_map()
	for _, t in types.items():
		if issubclass(t.graphene_type, DjangoObjectType):
			assert t.graphene_type.Meta.only_fields

1reaction

jkimbocommented, Jun 12, 2019

Right I get you now. I’m not 100% sure why the Meta class gets deleted either to be honest. I’ll raise a PR in the Graphene repo and see if it gets anywhere.