Merge branch 'main' into fix-merge-4-into-main

api-platform · Jan 15, 2025 · d432260 · d432260
2 parents 6d52907 + 582d250
commit d432260
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 2 deletions.
diff --git a/core/configuration.md b/core/configuration.md
@@ -155,7 +155,13 @@ api_platform:
 
         # The nesting separator used in the filter names.
         nesting_separator: _
-
+
+        # The maximum query depth. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#limiting-query-depth
+        max_query_depth: 20
+
+        # The maximum query complexity. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#query-complexity-analysis
+        max_query_complexity: 500
+
         collection:
             pagination:
                 enabled: true
@@ -545,6 +551,12 @@ return [
 
         // The nesting separator used in the filter names.
         'nesting_separator' => '_',
+
+        // The maximum query depth. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#limiting-query-depth
+        'max_query_depth' => 20,
+
+        // The maximum query complexity. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#query-complexity-analysis
+        'max_query_complexity' => 500,
 
         'collection' => [
             'pagination' => [

diff --git a/core/graphql.md b/core/graphql.md
@@ -254,6 +254,68 @@ return [
 ];
 ```
 
+## Change Max Query Depth
+
+For security reason, the max query depth should be limited to avoid deep queries. **It's set to 100 by default**.
+
+### Symfony config to change the Max Query Depth
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+  graphql:
+    max_query_depth: 7
+# ...
+```
+
+### Laravel config to change the Max Query Depth
+
+If you need to change it, it can be done in the configuration:
+
+```php
+<?php
+// config/api-platform.php
+return [
+    // ....
+    'graphql' => [
+        'max_query_depth' => 7,
+    ],
+];
+```
+
+## Change Max Query Complexity
+
+For security reason, the max query complexity should be limited to avoid complex queries. **It's set to 100 by default**.
+
+### Symfony config to change the Max Query Complexity
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+  graphql:
+    max_query_complexity: 50
+# ...
+```
+
+### Laravel config to change the Max Query Complexity
+
+If you need to change it, it can be done in the configuration:
+
+```php
+<?php
+// config/api-platform.php
+return [
+    // ....
+    'graphql' => [
+        'max_query_complexity' => 50,
+    ],
+];
+```
+
 ## Request with `application/graphql` Content-Type
 
 If you wish to send a [POST request using the `application/graphql` Content-Type](https://graphql.org/learn/serving-over-http/#post-request),

diff --git a/core/upgrade-guide.md b/core/upgrade-guide.md
@@ -116,7 +116,7 @@ For new users we recommend to use
 event_listeners_backward_compatibility_layer: false
 ```
 
-This allows API Platform to not use http kernel event listeners. It also allows you to force options like `read: true` or `validate: true`. This simplifies use cases like [validating a delete operation](/docs/v3.2/guides/delete-operation-with-validation/)
+This allows API Platform to not use http kernel event listeners. It also allows you to force options like `read: true` or `validate: true`. This simplifies use cases like [validating a delete operation](https://api-platform.com/docs/v3.2/guides/delete-operation-with-validation/)
 Event listeners will not get removed and are not deprecated, they'll use our providers and processors in a future version.
 
 ### Inflector

diff --git a/laravel/filters.md b/laravel/filters.md
@@ -153,6 +153,33 @@ This allows to query multiple `isbn` values with a `q` query parameter: `/books?
 
 TODO -->
 
+### BooleanFilter
+
+The `BooleanFilter` allows to filter using an `WHERE` clause on a boolean field with (`true`, `false`, `0`, `1`):
+
+```php
+// app/Models/Book.php
+
+use ApiPlatform\Laravel\Eloquent\Filter\BooleanFilter;
+
+#[ApiResource]
+#[QueryParameter(key: 'published', filter: BooleanFilter::class)]
+class Book extends Model
+{
+    use HasUlids;
+
+    public function author(): BelongsTo
+    {
+        return $this->belongsTo(Author::class);
+    }
+}
+```
+Examples:
+- `/books?published=true`
+- `/books?published=1`
+- `/books?published=false`
+- `/books?published=0`
+
 ### PropertyFilter
 
 Note: We strongly recommend using [Vulcain](https://vulcain.rocks) instead of this filter. Vulcain is faster, allows a better hit rate, and is supported out of the box in the API Platform distribution.