graphql-python/graphene-django
1
1
Fork 0
mirror of https://github.com/graphql-python/graphene-django.git synced 2024-09-21 11:29:09 +03:00
Code Issues Packages Projects Releases Wiki Activity

Revert to default query execution behaviour

Browse Source 
The only security risk here is persuading a user to execute a mutation,
which is probably not a big risk. To mitigate this risk and still keep
the same UX (that is so valuable), would require more work than is
proportionate for this PR.
This commit is contained in:
Dan Palmer 2018-09-09 21:44:30 +01:00
parent cb87f40165
commit 2b08e59bea
No known key found for this signature in database
GPG Key ID: DD869B28A1B7AA92
1 changed files with 0 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
graphene_django/static/graphene_django/graphiql.js
View File

@ -35,30 +35,10 @@
} }
} }
// If there are any fragment parameters, confirm the user wants to use them.
var isReload = window.performance ? performance.navigation.type === 1 : false;
var isQueryTrusted = Object.keys(parameters).length === 0 || isReload;
var fetchURL = locationQuery(otherParams); var fetchURL = locationQuery(otherParams);
// Defines a GraphQL fetcher using the fetch API. // Defines a GraphQL fetcher using the fetch API.
function graphQLFetcher(graphQLParams) { function graphQLFetcher(graphQLParams) {
var isIntrospectionQuery = (
graphQLParams.query !== parameters.query
&& graphQLParams.query.indexOf('IntrospectionQuery') !== -1
);
if (!isQueryTrusted
&& !isIntrospectionQuery
&& !window.confirm("This query was loaded from a link, are you sure you want to execute it?")) {
return Promise.resolve('Aborting query.');
}
// We don't want to set this for the introspection query
if (!isIntrospectionQuery) {
isQueryTrusted = true;
}
var headers = { var headers = {
'Accept': 'application/json', 'Accept': 'application/json',
'Content-Type': 'application/json' 'Content-Type': 'application/json'