decidim-api 0.30.3 → 0.30.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76c62d094e97572b6569774a741351c9f9964c6a0f8c730fc430a7f8f8f3a001
-  data.tar.gz: 3e7ab4bd8390985a72dc6f4789786d98e555dfd061478e4984c5c18288d42ac5
+  metadata.gz: 7ca33c846496c357db67439e87dbdb4ad6639c13fd2a823a52c6f270be3d5d0e
+  data.tar.gz: 346529a751650d30742a0e90225971763ebab4fe3ff6d8e97d3ef1305440b37b
 SHA512:
-  metadata.gz: 2bac50ffb97c86f0527ae5d3eb5872858e29902b29de877b216a7ff3da09284ab546db0861aee4b5a03ed714ec28f211b64b1b76e2eecf5be1334c70e84c0d10
-  data.tar.gz: 41718e680f9c44a0a9f09c77a65994bae9dfd34ca26f57e391572362dbc62e2f5c16a846fc83e69d9c7f0f0637088eacbea16fb80414930a347817b0b99d8f13
+  metadata.gz: 1584a295e5839cf7fb34107ccb4362f61f4c09d19c82b32839dda92282d45c2bce37a768d794962a99b83cfc82c271bdf5f92c693af0dbaa576302d55c9a0b79
+  data.tar.gz: 5447dff2e9c723b47189623b378d4818ba0680fdc4f32e825a0f04d65beb14852d0e9362bc2ef00e8c7cd1814fb1b0c9661c9cf128df67cec922f9de2676c27b

data/app/controllers/decidim/api/queries_controller.rb

@@ -29,7 +29,8 @@ module Decidim
       def context
         {
           current_organization:,
-          current_user:
+          current_user:,
+          can_introspect: Decidim::Api.enable_anonymous_introspection || current_user&.admin?
         }
       end
 

data/config/locales/am-ET.yml

@@ -0,0 +1 @@
+am:

data/config/locales/ar.yml

@@ -0,0 +1 @@
+ar:

data/config/locales/bg.yml

@@ -0,0 +1 @@
+bg:

data/config/locales/bn-BD.yml

@@ -0,0 +1 @@
+bn:

data/config/locales/bs-BA.yml

@@ -0,0 +1 @@
+bs:

data/config/locales/ca-IT.yml

@@ -0,0 +1,8 @@
+---
+ca-IT:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspecció està desactivada per a aquesta sol·licitud
+        recursion_limit_exceeded_error: S'han detectat massa consultes recurrents
+        too_many_aliases_error: S'han fet servir massa àlies (nicknames). Has fet servir %{size} àlies, però es permet un màxim de %{limit}.

data/config/locales/ca.yml

@@ -0,0 +1,8 @@
+---
+ca:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspecció està desactivada per a aquesta sol·licitud
+        recursion_limit_exceeded_error: S'han detectat massa consultes recurrents
+        too_many_aliases_error: S'han fet servir massa àlies (nicknames). Has fet servir %{size} àlies, però es permet un màxim de %{limit}.

data/config/locales/cs.yml

@@ -0,0 +1 @@
+cs:

data/config/locales/da.yml

@@ -0,0 +1 @@
+da:

data/config/locales/de.yml

@@ -0,0 +1 @@
+de:

data/config/locales/el.yml

@@ -0,0 +1 @@
+el:

data/config/locales/en.yml

@@ -0,0 +1,8 @@
+---
+en:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Introspection is disabled for this request
+        recursion_limit_exceeded_error: Too many recursions detected in query
+        too_many_aliases_error: Too many aliases used. You have used %{size} aliases, but %{limit} are allowed.

data/config/locales/eo.yml

@@ -0,0 +1 @@
+eo:

data/config/locales/es-MX.yml

@@ -0,0 +1,8 @@
+---
+es-MX:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspección está desactivada para esta solicitud
+        recursion_limit_exceeded_error: Se han detectado demasiadas consultas recurrentes
+        too_many_aliases_error: Has utilizado demasiados alias (nicknames). Has usado %{size} alias, pero se permite un máximo de %{limit}.

data/config/locales/es-PY.yml

@@ -0,0 +1,8 @@
+---
+es-PY:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspección está desactivada para esta solicitud
+        recursion_limit_exceeded_error: Se han detectado demasiadas consultas recurrentes
+        too_many_aliases_error: Has utilizado demasiados alias (nicknames). Has usado %{size} alias, pero se permite un máximo de %{limit}.

data/config/locales/es.yml

@@ -0,0 +1,8 @@
+---
+es:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspección está desactivada para esta solicitud
+        recursion_limit_exceeded_error: Se han detectado demasiadas consultas recurrentes
+        too_many_aliases_error: Has utilizado demasiados alias (nicknames). Has usado %{size} alias, pero se permite un máximo de %{limit}.

data/config/locales/et.yml

@@ -0,0 +1 @@
+et:

data/config/locales/eu.yml

@@ -0,0 +1,6 @@
+---
+eu:
+  decidim:
+    api:
+      errors:
+        too_many_aliases_error: Ezizen gehiegi erabiltzen dira. %{size} ezizen erabili dituzu, baina %{limit} onartuta daude.

data/config/locales/fa-IR.yml

@@ -0,0 +1 @@
+fa:

data/config/locales/fi-plain.yml

@@ -0,0 +1,8 @@
+---
+fi-pl:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Rajapintamallin tarkastelu ei ole käytössä tälle pyynnölle
+        recursion_limit_exceeded_error: Rajapintakyselyssä on liikaa rekursiivisia kyselyitä
+        too_many_aliases_error: Rajapintakysely käyttää liian monta alias-nimitystä. Kyselyssä on %{size} aliasta, mutta maksimissaan %{limit} on sallittu.

data/config/locales/fi.yml

@@ -0,0 +1,8 @@
+---
+fi:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Rajapintamallin tarkastelu ei ole käytössä tälle pyynnölle
+        recursion_limit_exceeded_error: Rajapintakyselyssä on liikaa rekursiivisia kyselyitä
+        too_many_aliases_error: Rajapintakysely käyttää liian monta alias-nimitystä. Kyselyssä on %{size} aliasta, mutta maksimissaan %{limit} on sallittu.

data/config/locales/fr-CA.yml

@@ -0,0 +1,8 @@
+---
+fr-CA:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: L'introspection est désactivée pour cette requête
+        recursion_limit_exceeded_error: Trop de récursions détectées dans la requête
+        too_many_aliases_error: Trop d'alias utilisés. Vous avez utilisé %{size} alias, mais seulement %{limit} sont autorisés.

data/config/locales/fr.yml

@@ -0,0 +1,8 @@
+---
+fr:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: L'introspection est désactivée pour cette requête
+        recursion_limit_exceeded_error: Trop de récursions détectées dans la requête
+        too_many_aliases_error: Trop d'alias utilisés. Vous avez utilisé %{size} alias, mais seulement %{limit} sont autorisés.

data/config/locales/ga-IE.yml

@@ -0,0 +1 @@
+ga:

data/config/locales/gl.yml

@@ -0,0 +1 @@
+gl:

data/config/locales/gn-PY.yml

@@ -0,0 +1 @@
+gn:

data/config/locales/he-IL.yml

@@ -0,0 +1 @@
+he:

data/config/locales/hr.yml

@@ -0,0 +1 @@
+hr:

data/config/locales/hu.yml

@@ -0,0 +1 @@
+hu:

data/config/locales/id-ID.yml

@@ -0,0 +1 @@
+id:

data/config/locales/is-IS.yml

@@ -0,0 +1 @@
+is-IS:

data/config/locales/it.yml

@@ -0,0 +1 @@
+it:

data/config/locales/ja.yml

@@ -0,0 +1,8 @@
+---
+ja:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: このリクエストのイントロスペクションは無効です
+        recursion_limit_exceeded_error: クエリで再帰が検出された回数が多すぎます
+        too_many_aliases_error: エイリアスが多すぎます。 %{size} 件のエイリアスを使用していますが、許可されているのは %{limit} 件までです。

data/config/locales/ka-GE.yml

@@ -0,0 +1 @@
+ka:

data/config/locales/kaa.yml

@@ -0,0 +1 @@
+kaa:

data/config/locales/ko.yml

@@ -0,0 +1 @@
+ko:

data/config/locales/lb.yml

@@ -0,0 +1 @@
+lb:

data/config/locales/lo-LA.yml

@@ -0,0 +1 @@
+lo:

data/config/locales/lt.yml

@@ -0,0 +1 @@
+lt:

data/config/locales/lv.yml

@@ -0,0 +1 @@
+lv:

data/config/locales/mt.yml

@@ -0,0 +1 @@
+mt:

data/config/locales/nl.yml

@@ -0,0 +1 @@
+nl:

data/config/locales/no.yml

@@ -0,0 +1,6 @@
+---
+"no":
+  decidim:
+    api:
+      errors:
+        recursion_limit_exceeded_error: For mange rekursjoner oppdaget i spørringen

data/config/locales/oc-FR.yml

@@ -0,0 +1 @@
+oc:

data/config/locales/om-ET.yml

@@ -0,0 +1 @@
+om:

data/config/locales/pl.yml

@@ -0,0 +1 @@
+pl:

data/config/locales/pt-BR.yml

@@ -0,0 +1,8 @@
+---
+pt-BR:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: A inspeção está desabilitada para esta requisição
+        recursion_limit_exceeded_error: Muitas recursões detectadas na consulta
+        too_many_aliases_error: Foram utilizados muitos aliases. Você usou %{size} aliases, mas são permitidos apenas %{limit}.

data/config/locales/pt.yml

@@ -0,0 +1 @@
+pt:

data/config/locales/ro-RO.yml

@@ -0,0 +1,8 @@
+---
+ro:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Introspection este dezactivat pentru această solicitare
+        recursion_limit_exceeded_error: Prea multe recursii detectate în interogare
+        too_many_aliases_error: Prea multe aliasuri folosite. Ați folosit aliasuri %{size}, dar %{limit} sunt permise.

data/config/locales/ru.yml

@@ -0,0 +1 @@
+ru:

data/config/locales/si-LK.yml

@@ -0,0 +1 @@
+si:

data/config/locales/sk.yml

@@ -0,0 +1 @@
+sk:

data/config/locales/sl.yml

@@ -0,0 +1 @@
+sl:

data/config/locales/so-SO.yml

@@ -0,0 +1 @@
+so:

data/config/locales/sq-AL.yml

@@ -0,0 +1 @@
+sq:

data/config/locales/sr-CS.yml

@@ -0,0 +1 @@
+sr:

data/config/locales/sv.yml

@@ -0,0 +1 @@
+sv:

data/config/locales/sw-KE.yml

@@ -0,0 +1 @@
+sw:

data/config/locales/th-TH.yml

@@ -0,0 +1 @@
+th:

data/config/locales/ti-ER.yml

@@ -0,0 +1 @@
+ti:

data/config/locales/tr-TR.yml

@@ -0,0 +1 @@
+tr:

data/config/locales/uk.yml

@@ -0,0 +1 @@
+uk:

data/config/locales/val-ES.yml

@@ -0,0 +1 @@
+val:

data/config/locales/vi.yml

@@ -0,0 +1 @@
+vi:

data/config/locales/zh-CN.yml

@@ -0,0 +1 @@
+zh-CN:

data/config/locales/zh-TW.yml

@@ -0,0 +1 @@
+zh-TW:

data/lib/decidim/api/alias_analyzer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    class AliasAnalyzer < GraphQL::Analysis::AST::Analyzer
+      def initialize(query)
+        super
+
+        @aliases = Set.new
+      end
+
+      def on_enter_field(node, _parent, _visitor)
+        @aliases.add(node.alias) if node.alias.present?
+      end
+
+      def result
+        if @aliases.size > Decidim::Api.max_aliases
+          Errors::TooManyAliasesError.new(I18n.t("decidim.api.errors.too_many_aliases_error", size: @aliases.size, limit: Decidim::Api.max_aliases))
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/decidim_introspection.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module DecidimIntrospection
+      module FieldVisibility
+        extend ActiveSupport::Concern
+
+        included do
+          def self.visible?(context)
+            raise Errors::IntrospectionDisabledError, I18n.t("decidim.api.errors.introspection_disabled") unless context[:can_introspect] == true
+
+            super
+          end
+        end
+      end
+
+      class SchemaType < GraphQL::Introspection::SchemaType
+        include FieldVisibility
+      end
+
+      class TypeType < GraphQL::Introspection::TypeType
+        include FieldVisibility
+      end
+
+      class DirectiveType < GraphQL::Introspection::DirectiveType
+        include FieldVisibility
+      end
+
+      class DirectiveLocationEnum < GraphQL::Introspection::DirectiveLocationEnum
+        include FieldVisibility
+      end
+
+      class EnumValueType < GraphQL::Introspection::EnumValueType
+        include FieldVisibility
+      end
+
+      class FieldType < GraphQL::Introspection::FieldType
+        include FieldVisibility
+      end
+
+      class InputValueType < GraphQL::Introspection::InputValueType
+        include FieldVisibility
+      end
+
+      class TypeKindEnum < GraphQL::Introspection::TypeKindEnum
+        include FieldVisibility
+      end
+    end
+  end
+end

data/lib/decidim/api/errors/introspection_disabled_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module Errors
+      # i18n-tasks-use t("decidim.api.errors.introspection_disabled")
+      class IntrospectionDisabledError < GraphQL::ExecutionError
+        def to_h
+          super.merge({ "extensions" => { "code" => "INTROSPECTION_DISABLED_ERROR" } })
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/errors/recursion_limit_exceeded_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module Errors
+      # i18n-tasks-use t("decidim.api.errors.recursion_limit_exceeded_error")
+      class RecursionLimitExceededError < GraphQL::AnalysisError
+        def to_h
+          super.merge({ "extensions" => { "code" => "RECURSION_LIMIT_EXCEEDED_ERROR" } })
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/errors/too_many_aliases_error.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module Errors
+      # i18n-tasks-use t("decidim.api.errors.too_many_aliases_error")
+
+      class TooManyAliasesError < GraphQL::AnalysisError
+        def to_h
+          super.merge({ "extensions" => { "code" => "TOO_MANY_ALIASES_ERROR" } })
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/recursion_analyzer.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+# This analyzer checks for too many recursions in GraphQL queries.
+# Copyright (c) GitLab B.V.
+# License: MIT Expat license
+# This content of the class was copied from the GitLab repository
+# @see https://gitlab.com/gitlab-org/gitlab/-/blob/f59f7aa0d86f07496e68abf7172edd703669e7bd/lib/gitlab/graphql/query_analyzers/ast/recursion_analyzer.rb
+# To which I have modified the result format to be compatible with decidim-api.
+
+module Decidim
+  module Api
+    class RecursionAnalyzer < GraphQL::Analysis::AST::Analyzer
+      IGNORED_FIELDS = %w(node edges nodes ofType).freeze
+      RECURSION_THRESHOLD = 2
+
+      def initialize(query)
+        super
+
+        @node_visits = {}
+        @recurring_fields = {}
+      end
+
+      def on_enter_field(node, _parent, visitor)
+        return if skip_node?(node, visitor)
+
+        node_name = node.name
+        node_visits[node_name] ||= 0
+        node_visits[node_name] += 1
+
+        times_encountered = @node_visits[node_name]
+        recurring_fields[node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)
+      end
+
+      # Visitors are all defined on the AST::Analyzer base class
+      # We override them for custom analyzers.
+      def on_leave_field(node, _parent, visitor)
+        return if skip_node?(node, visitor)
+
+        node_name = node.name
+        node_visits[node_name] ||= 0
+        node_visits[node_name] -= 1
+      end
+
+      def result
+        @recurring_fields = @recurring_fields.select { |k, v| recursion_too_deep?(k, v) }
+
+        Decidim::Api::Errors::RecursionLimitExceededError.new I18n.t("decidim.api.errors.recursion_limit_exceeded_error") if @recurring_fields.any?
+      end
+
+      private
+
+      attr_reader :node_visits, :recurring_fields
+
+      def recursion_too_deep?(node_name, times_encountered)
+        return false if IGNORED_FIELDS.include?(node_name)
+
+        times_encountered > recursion_threshold
+      end
+
+      def skip_node?(node, visitor)
+        # We do not want to count skipped fields or fields
+        # inside fragment definitions
+        return false if visitor.skipping? || visitor.visiting_fragment_definition?
+
+        !node.is_a?(GraphQL::Language::Nodes::Field) || node.selections.empty?
+      end
+
+      # Separated into a method to allow overriding or customization of the recursion limit.
+      def recursion_threshold
+        RECURSION_THRESHOLD
+      end
+    end
+  end
+end

data/lib/decidim/api/schema.rb

@@ -7,10 +7,16 @@ module Decidim
       mutation(MutationType)
       query(QueryType)
 
+      introspection(DecidimIntrospection)
+      query_analyzer RecursionAnalyzer
+      query_analyzer AliasAnalyzer
+
       default_max_page_size Decidim::Api.schema_max_per_page
       max_depth Decidim::Api.schema_max_depth
       max_complexity Decidim::Api.schema_max_complexity
 
+      query_analyzer AliasAnalyzer
+
       orphan_types(Api.orphan_types)
     end
   end

data/lib/decidim/api/test/component_context.rb

@@ -4,6 +4,7 @@ require "decidim/api/test/type_context"
 
 shared_context "with a graphql decidim component" do
   include_context "with a graphql class type"
+  include_examples "when the introspection is disabled"
 
   let(:schema) { Decidim::Api::Schema }
 

data/lib/decidim/api/test/type_context.rb

@@ -8,6 +8,7 @@ shared_context "with a graphql class type" do
   let(:type_class) { described_class }
   let(:variables) { {} }
   let(:root_value) { model }
+  let(:can_introspect) { Decidim::Api.enable_anonymous_introspection || current_user&.admin? }
 
   let(:schema) do
     klass = type_class
@@ -21,6 +22,20 @@ shared_context "with a graphql class type" do
     execute_query query, variables.stringify_keys
   end
 
+  def raise_proper_error(error)
+    code = error.dig("extensions", "code")
+
+    # Matches the error code with the Error class
+    # For instance, if the error code is NOT_FOUND_ERROR then it will raise the "Decidim::Api::Errors::NotFoundError" class
+    raise "Decidim::Api::Errors::#{code.downcase.classify}".constantize, error["message"] if %w(
+      INTROSPECTION_DISABLED_ERROR
+      TOO_MANY_ALIASES_ERROR
+      RECURSION_LIMIT_EXCEEDED_ERROR
+    ).include?(code)
+
+    raise GraphQL::ExecutionError, error["message"]
+  end
+
   def execute_query(query, variables)
     result = schema.execute(
       query,
@@ -28,17 +43,93 @@ shared_context "with a graphql class type" do
       context: {
         current_organization:,
         current_user:,
-        current_component:
+        current_component:,
+        can_introspect:
       },
       variables:
     )
 
-    raise StandardError, result["errors"].map { |e| e["message"] }.join(", ") if result["errors"]
+    raise_proper_error(result["errors"].first) if result["errors"]
 
     result["data"]
   end
 end
 
+shared_examples "when the introspection is disabled" do
+  shared_examples "check introspection behavior" do
+    context "and the user is not authenticated" do
+      let!(:current_user) { nil }
+
+      it "raises an Decidim::Api::Errors::IntrospectionDisabledError" do
+        expect { response }.to raise_error(Decidim::Api::Errors::IntrospectionDisabledError, "Introspection is disabled for this request")
+      end
+    end
+
+    context "and the user is not an admin" do
+      let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
+
+      it "raises an Decidim::Api::Errors::IntrospectionDisabledError" do
+        expect { response }.to raise_error(Decidim::Api::Errors::IntrospectionDisabledError, "Introspection is disabled for this request")
+      end
+    end
+
+    context "and the user is an admin" do
+      let!(:current_user) { create(:user, :confirmed, :admin, organization: current_organization) }
+
+      it "runs successfully" do
+        expect { response }.not_to raise_error
+      end
+    end
+
+    context "and the setting is true" do
+      before do
+        allow(Decidim::Api).to receive(:enable_anonymous_introspection).and_return(true)
+      end
+
+      it "runs successfully" do
+        expect { response }.not_to raise_error
+      end
+    end
+
+    context "and the setting is false" do
+      before do
+        allow(Decidim::Api).to receive(:enable_anonymous_introspection).and_return(false)
+      end
+      it "raises an Decidim::Api::Errors::IntrospectionDisabledError" do
+        expect { response }.to raise_error(Decidim::Api::Errors::IntrospectionDisabledError, "Introspection is disabled for this request")
+      end
+    end
+  end
+
+  context "when requesting the schema introspection" do
+    let(:query) do
+      %( query { __schema { types { fields { type { fields { type { name } } } } } } } )
+    end
+
+    it_behaves_like "check introspection behavior"
+  end
+
+  context "when requesting the type introspection" do
+    let(:query) do
+      %( query CircularIntrospection {
+  __type(name: "User") {
+    fields {
+      type {
+        fields {
+          type {
+            name
+          }
+        }
+      }
+    }
+  }
+} )
+    end
+
+    it_behaves_like "check introspection behavior"
+  end
+end
+
 shared_context "with a graphql scalar class type" do
   include_context "with a graphql class type"
 

data/lib/decidim/api/test.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
 
 require "decidim/api/test/shared_examples/statistics_examples"
+require "decidim/api/test/type_context"

data/lib/decidim/api/types.rb

@@ -2,9 +2,18 @@
 
 module Decidim
   module Api
+    autoload :AliasAnalyzer, "decidim/api/alias_analyzer"
     autoload :QueryType, "decidim/api/query_type"
     autoload :MutationType, "decidim/api/mutation_type"
     autoload :Schema, "decidim/api/schema"
+    autoload :DecidimIntrospection, "decidim/api/decidim_introspection"
+    autoload :RecursionAnalyzer, "decidim/api/recursion_analyzer"
+
+    module Errors
+      autoload :IntrospectionDisabledError, "decidim/api/errors/introspection_disabled_error"
+      autoload :RecursionLimitExceededError, "decidim/api/errors/recursion_limit_exceeded_error"
+      autoload :TooManyAliasesError, "decidim/api/errors/too_many_aliases_error"
+    end
 
     module Types
       autoload :BaseArgument, "decidim/api/types/base_argument"

data/lib/decidim/api/version.rb

@@ -4,7 +4,7 @@ module Decidim
   # This holds the decidim-api version.
   module Api
     def self.version
-      "0.30.3"
+      "0.30.5"
     end
   end
 end

data/lib/decidim/api.rb

@@ -19,6 +19,11 @@ module Decidim
       5000
     end
 
+    # defines how many aliases are permitted in a query
+    config_accessor :max_aliases do
+      ENV.fetch("API_SCHEMA_MAX_ALIASES", 5).to_i
+    end
+
     # defines the schema max_depth to configure GraphQL query max_depth
     config_accessor :schema_max_depth do
       15
@@ -28,6 +33,13 @@ module Decidim
       %w(1 true yes).include?(ENV.fetch("DECIDIM_API_DISCLOSE_SYSTEM_VERSION", nil))
     end
 
+    # allows anonymous introspection queries
+    # If you are not sure, leave it set to false. In this way only administrator users will be able to access the introspection query.
+    # Otherwise, anyone can access it, causing security issues.
+    config_accessor :enable_anonymous_introspection do
+      ENV.fetch("DECIDIM_API_ENABLE_ANONYMOUS_INTROSPECTION", nil) == "true"
+    end
+
     # This declares all the types an interface or union can resolve to. This needs
     # to be done in order to be able to have them found. This is a shortcoming of
     # graphql-ruby and the way it deals with loading types, in combination with

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: decidim-api
 version: !ruby/object:Gem::Version
-  version: 0.30.3
+  version: 0.30.5
 platform: ruby
 authors:
 - Josep Jaume Rey Peroy
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-28 00:00:00.000000000 Z
+date: 2026-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim-core
@@ -18,14 +18,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
 - !ruby/object:Gem::Dependency
   name: graphql
   requirement: !ruby/object:Gem::Requirement
@@ -74,56 +74,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
 - !ruby/object:Gem::Dependency
   name: decidim-comments
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
 - !ruby/object:Gem::Dependency
   name: decidim-dev
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
 - !ruby/object:Gem::Dependency
   name: decidim-participatory_processes
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.30.3
+        version: 0.30.5
 description: API engine for decidim
 email:
 - josepjaume@gmail.com
@@ -148,15 +148,87 @@ files:
 - app/views/decidim/api/graphiql/show.html.erb
 - app/views/layouts/decidim/api/documentation.html.erb
 - config/assets.rb
+- config/locales/am-ET.yml
+- config/locales/ar.yml
+- config/locales/bg.yml
+- config/locales/bn-BD.yml
+- config/locales/bs-BA.yml
+- config/locales/ca-IT.yml
+- config/locales/ca.yml
+- config/locales/cs.yml
+- config/locales/da.yml
+- config/locales/de.yml
+- config/locales/el.yml
+- config/locales/en.yml
+- config/locales/eo.yml
+- config/locales/es-MX.yml
+- config/locales/es-PY.yml
+- config/locales/es.yml
+- config/locales/et.yml
+- config/locales/eu.yml
+- config/locales/fa-IR.yml
+- config/locales/fi-plain.yml
+- config/locales/fi.yml
+- config/locales/fr-CA.yml
+- config/locales/fr.yml
+- config/locales/ga-IE.yml
+- config/locales/gl.yml
+- config/locales/gn-PY.yml
+- config/locales/he-IL.yml
+- config/locales/hr.yml
+- config/locales/hu.yml
+- config/locales/id-ID.yml
+- config/locales/is-IS.yml
+- config/locales/it.yml
+- config/locales/ja.yml
+- config/locales/ka-GE.yml
+- config/locales/kaa.yml
+- config/locales/ko.yml
+- config/locales/lb.yml
+- config/locales/lo-LA.yml
+- config/locales/lt.yml
+- config/locales/lv.yml
+- config/locales/mt.yml
+- config/locales/nl.yml
+- config/locales/no.yml
+- config/locales/oc-FR.yml
+- config/locales/om-ET.yml
+- config/locales/pl.yml
+- config/locales/pt-BR.yml
+- config/locales/pt.yml
+- config/locales/ro-RO.yml
+- config/locales/ru.yml
+- config/locales/si-LK.yml
+- config/locales/sk.yml
+- config/locales/sl.yml
+- config/locales/so-SO.yml
+- config/locales/sq-AL.yml
+- config/locales/sr-CS.yml
+- config/locales/sv.yml
+- config/locales/sw-KE.yml
+- config/locales/th-TH.yml
+- config/locales/ti-ER.yml
+- config/locales/tr-TR.yml
+- config/locales/uk.yml
+- config/locales/val-ES.yml
+- config/locales/vi.yml
+- config/locales/zh-CN.yml
+- config/locales/zh-TW.yml
 - config/routes.rb
 - decidim-api.gemspec
 - docs/usage.md
 - lib/decidim/api.rb
+- lib/decidim/api/alias_analyzer.rb
+- lib/decidim/api/decidim_introspection.rb
 - lib/decidim/api/engine.rb
+- lib/decidim/api/errors/introspection_disabled_error.rb
+- lib/decidim/api/errors/recursion_limit_exceeded_error.rb
+- lib/decidim/api/errors/too_many_aliases_error.rb
 - lib/decidim/api/graphiql-initial-query.txt
 - lib/decidim/api/graphiql/config.rb
 - lib/decidim/api/mutation_type.rb
 - lib/decidim/api/query_type.rb
+- lib/decidim/api/recursion_analyzer.rb
 - lib/decidim/api/schema.rb
 - lib/decidim/api/test.rb
 - lib/decidim/api/test/component_context.rb