# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/ class Gql::ZammadSchema < GraphQL::Schema mutation Gql::EntryPoints::Mutations query Gql::EntryPoints::Queries subscription Gql::EntryPoints::Subscriptions context_class Gql::Context::CurrentUserAware use GraphQL::Subscriptions::ActionCableSubscriptions, broadcast: true, default_broadcastable: false # Enable batch loading use GraphQL::Batch description 'This is the Zammad GraphQL API' # Set default limits to protect the system. Values may need to be adjusted in future. default_max_page_size 2000 default_page_size 100 max_complexity 10_000 # Depth of 15 is needed for commmon introspection queries like Insomnia. max_depth 15 TYPE_MAP = { ::Store => ::Gql::Types::StoredFileType, ::Taskbar => ::Gql::Types::User::TaskbarItemType, }.freeze ABSTRACT_TYPE_MAP = { ::Gql::Types::User::TaskbarItemEntityType => ::Gql::Types::User::TaskbarItemEntity::TicketCreateType, }.freeze # Union and Interface Resolution def self.resolve_type(abstract_type, obj, _ctx) TYPE_MAP[obj.class] || "Gql::Types::#{obj.class.name}Type".constantize rescue NameError ABSTRACT_TYPE_MAP[abstract_type] rescue raise GraphQL::RequiredImplementationMissingError, "Cannot resolve type for '#{obj.class.name}'." end # Relay-style Object Identification: # Return a string GUID for the internal ID. def self.id_from_internal_id(klass, internal_id) GlobalID.new(::URI::GID.build(app: GlobalID.app, model_name: klass.to_s, model_id: internal_id)).to_s end # Return a string GUID for `object` def self.id_from_object(object, _type_definition = nil, _query_ctx = nil) object.to_global_id.to_s end # Given a string GUID, find the object. def self.object_from_id(id, _query_ctx = nil, type: ActiveRecord::Base) GlobalID.find(id, only: type) end # Find the object, but also ensure its type and that it was actually found. def self.verified_object_from_id(id, type:) object_from_id(id, type: type) || raise(ActiveRecord::RecordNotFound, "Could not find #{type} #{id}") end # Like .verified_object_from_id, but with additional Pundit autorization. # This is only needed for objects where no validation takes place through their GraphQL type. def self.authorized_object_from_id(id, type:, user:, query: :show?) verified_object_from_id(id, type: type).tap do |object| Pundit.authorize user, object, query rescue Pundit::NotAuthorizedError => e # Map Pundit errors since we are not in a GraphQL built-in authorization context here. raise Exceptions::Forbidden, e.message end end # Given a string GUID, extract the internal ID. # This is very helpful if GUIDs have to be converted en-masse and then authorized in bulk using a scope. # Meanwhile using .object_from_id family would load (and, optionally, authorize) objects one by one. # Beware there's no built-in way to authorize given IDs in this method! # # @param id [String] GUID # @param type [Class] optionally filter to specific class only # # @return [Integer, nil] def self.internal_id_from_id(id, type: ActiveRecord::Base) internal_ids_from_ids([id], type:).first end # Given an array of string GUIDs, extract the internal IDs # @see .internal_id_from_id # # @param ids [Array] GUIDs # @param type [Class] optionally filter to specific class only # # @return [Array] def self.internal_ids_from_ids(...) local_uris_from_ids(...).map { |uri| uri.model_id.to_i } end # Given an array of string GUIDs, return GUID instances # # @param ids [Array] GUIDs # @param type [Class] optionally filter to specific class only # # @return [Array] def self.local_uris_from_ids(ids, type: ActiveRecord::Base) ids .map { |id| GlobalID.parse id } .select { |uri| (klass = uri.model_name.safe_constantize) && klass <= type } end def self.unauthorized_object(error) raise Exceptions::Forbidden, error.message # Add a top-level error to the response instead of returning nil. end def self.unauthorized_field(error) raise Exceptions::Forbidden, error.message # Add a top-level error to the response instead of returning nil. end RETHROWABLE_ERRORS = [GraphQL::ExecutionError, ArgumentError, IndexError, NameError, NoMethodError, RangeError, RegexpError, SystemCallError, ThreadError, TypeError, ZeroDivisionError].freeze # Post-process errors and enrich them with meta information for processing on the client side. rescue_from(StandardError) do |err, _obj, _args, ctx, field| if field&.path&.start_with?('Mutations.') user_locale = ctx.current_user?&.locale case err when ActiveRecord::RecordInvalid next { errors: build_record_invalid_errors(err.record, user_locale) } when ActiveRecord::RecordNotUnique next { errors: [ message: Translation.translate(user_locale, 'This object already exists.') ] } end end # Re-throw built-in errors that point to programming errors rather than problems with input or data - causes GraphQL processing to be aborted. RETHROWABLE_ERRORS.each do |klass| raise err if err.instance_of?(klass) end extensions = { type: err.class.name, } if Rails.env.local? extensions[:backtrace] = Rails.backtrace_cleaner.clean(err.backtrace) end # We need to throw an ExecutionError, all others would cause the GraphQL processing to die. raise GraphQL::ExecutionError.new(err.message, extensions: extensions) end def self.build_record_invalid_errors(record, user_locale) record.errors.map do |e| field_name = e.attribute.to_s.camelize(:lower) { field: field_name == 'base' ? nil : field_name, message: e.localized_full_message(locale: user_locale, no_field_name: true) } end end private_class_method :build_record_invalid_errors end