Skip to content

Commit

Permalink
Merge branch '4' into 5.0
Browse files Browse the repository at this point in the history
  • Loading branch information
GuySartorelli committed Oct 16, 2023
2 parents 7566305 + 15b381a commit 28ad128
Show file tree
Hide file tree
Showing 16 changed files with 696 additions and 714 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -198,15 +198,16 @@ A couple things to note here:

* By assigning a value of `true` to the field, we defer to the model to infer the type for the field. To override that, we can always add a `type` property:

```yaml
MyProject\Models\Product:
fields:
onSale:
type: Boolean
```
```yaml
MyProject\Models\Product:
fields:
onSale:
type: Boolean
```

* The mapping of our field names to the `DataObject` property is case-insensitive. It is a
convention in GraphQL APIs to use lowerCamelCase fields, so this is given by default.

[/notice]

### Bulk loading models
Expand All @@ -233,9 +234,9 @@ elemental: # An arbitrary key to define what these directives are doing
load:
inheritanceLoader:
include:
- DNADesign\Elemental\Models\BaseElement
- DNADesign\Elemental\Models\BaseElement
exclude:
- MyApp\Elements\MySecretElement
- MyApp\Elements\MySecretElement
# Add all fields and read operations
apply:
fields:
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
title: Recursive or complex queries
summary: Protecting against potentially malicious queries
---

# Security & best practices

[CHILDREN asList]

## Recursive or complex queries

GraphQL schemas can contain recursive types and circular dependencies. Recursive or overly complex queries can take up a lot of resources,
and could have a high impact on server performance and even result in a denial of service if not handled carefully.

Before parsing queries, if a query is found to have more than 500 nodes, it is rejected. While executing queries there is a default query depth limit of 15 for all schemas with no complexity limit.

You can customise the node limit and query depth and complexity limits by setting the following configuration:

**app/_config/graphql.yml**

```yaml
---
After: 'graphql-schema-global'
---
SilverStripe\GraphQL\Schema\Schema:
schemas:
'*':
config:
max_query_nodes: 250 # default 500
max_query_depth: 20 # default 15
max_query_complexity: 100 # default unlimited
```
[info]
For calculating the query complexity, every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the query is the sum of all field scores.
[/info]
You can also configure these settings for individual schemas. This allows you to fine-tune the security of your custom public-facing schema without affecting the security of the schema used in the CMS. To do so, either replace `'*'` with the name of your schema in the yaml configuration above, or set the values under the `config` key for your schema using preferred file structure as defined in [configuring your schema](../getting_started/configuring_your_schema/). For example:

**app/_graphql/config.yml**

```yaml
max_query_nodes: 250
max_query_depth: 20
max_query_complexity: 100
```

### Further reading

[CHILDREN]
130 changes: 72 additions & 58 deletions en/05_Contributing/00_Issues_and_Bugs.md
Original file line number Diff line number Diff line change
@@ -1,96 +1,110 @@
---
title: Bug Reports
summary: Report bugs or problems with SilverStripe, feature requests or other issues.
title: Issues and Bug Reports
summary: Report bugs or problems with Silverstripe CMS, feature requests or other issues.
icon: bug
---

# Contributing Issues and Opinions
# Issues and Bug Reports

## Reporting Bugs

[alert]
If you think you've found a security issue, please use [the specific process](#reporting-security-issues) for those. Do _not_ raise a security issue in GitHub.
[/alert]

If you have discovered a bug in Silverstripe CMS, we'd be glad to hear about it -
well written bug reports can be half of the solution already!

Silverstripe CMS uses [GitHub](https://github.com/) to manage bug reports. If you
want to report a bug, you will need to [create a GitHub account](https://docs.github.com/en/get-started/onboarding/getting-started-with-your-github-account)
and log in.

Before submitting a bug:

* Ask for assistance in our [community channels](https://www.silverstripe.org/community) if you're unsure if it's really a bug.
* Search for similar, existing tickets.
* Search for similar, existing issues.
You can [list all issues across modules](https://www.silverstripe.org/community/contributing-to-silverstripe/github-all-core-issues),
then add your search phrase at the start of the existing search filters (for example [all issues with label "type/ux"](https://www.silverstripe.org/community/contributing-to-silverstripe/github-all-open-ux-issues))
* Is this a security issue? Please follow our separate reporting guidelines below.
* Which modules does this issue belong to? Each one has its own issue tracker.
If you are unsure, [create an issue](https://github.com/silverstripe/silverstripe-framework/issues/new) on the the "framework" repository.
* Note that [documentation issues](https://github.com/silverstripe/developer-docs/issues) are tracked in the "developer-docs" repository.
* Try to reproduce your issue on a [clean installation](/getting_started/composer#using-development-versions), maybe the bug has already been fixed on an unreleased branch?
* The bugtracker is not the place to discuss enhancements, please use
the ["feature ideas" forum category](https://forum.silverstripe.org/c/feature-ideas) and our [community channels](https://www.silverstripe.org/community).
Only log enhancement tickets if they gather a large interest in the community
and the enhancement is likely to be implemented in the next couple of months.
* Is this a security issue? Please follow our [security reporting guidelines](#reporting-security-issues) below.
* Try to reproduce your issue on a [clean installation](/getting_started/composer#create-a-new-site) to rule out bugs in your own code.

If the issue does look like a new bug:

* Create an issue on the right module repository in GitHub
* Describe the steps required to reproduce your issue, and the expected outcome. Unit tests, screenshots and screencasts can help here.
* Describe your environment as detailed as possible: SilverStripe version, Browser, PHP version, Operating System, any installed SilverStripe modules.
* *(optional)* [Submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) which fixes the issue.

Lastly, don't get your hopes up too high. Unless your issue is a blocker
affecting a large number of users, don't expect SilverStripe developers to jump
onto it right way. Your issue is a starting point where others with the same
problem can collaborate with you to develop a fix.
* If you are unsure, [create an issue](https://github.com/silverstripe/silverstripe-framework/issues/new) on the the "framework" repository.
* Note that [documentation issues](https://github.com/silverstripe/developer-docs/issues) are tracked in the "developer-docs" repository.
* Describe the steps required to reproduce your issue, and the expected outcome. Example code, screenshots, and videos can help here.
Be as clear as you can, but don't miss any steps out. Simply saying "create a page" is less useful than guiding us through the steps you're taking to create a page, for example.
* If the bug is too complex to reproduce with some short code samples, please reproduce it in a public repository and provide a link to the repository along with steps for setting up and reproducing the bug using that repository.
A repository like this should only contain code that is required to set up and reproduce the bug.
* Describe your environment in as much detail as possible. Include the versions of relevant modules, the PHP version, webserver, and operating system used to run the project, the browser(s) you see the issue in, etc.
* If part of the bug includes an error or exception, please provide a full stack trace. Be wary that stack traces may contain sensitive information, and if that is the case, be sure to redact them prior to posting your stack trace.
* You are strongly encouraged to [submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) which fixes the issue. Bug reports which are accompanied with a pull request are a lot more likely to be resolved quickly.

Lastly, don't get your hopes up too high. Unless your issue is a blocker
affecting a large number of users, don't expect Silverstripe developers to jump
onto it right way. Your issue is a starting point where others with the same
problem can collaborate with you to develop a fix. If this bug is a blocker
for you, then [submitting a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request)
is the best way to ensure it gets fixed.

## Feature Requests

[warning]
Please don't file "feature requests" as Github issues. If there's a new feature
you'd like to see in SilverStripe, you either need to write it yourself (and
[submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) or convince somebody else to
write it for you. Any "wishlist" type issues without code attached can be
Please don't file feature requests as Github issues. If there's a new feature
you'd like to see in Silverstripe CMS, you either need to write it yourself (and
[submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request)) or convince somebody else to
write it for you. Any "wishlist" type issues without code attached can be
expected to be closed as soon as they're reviewed.
[/warning]

In order to gain interest and feedback in your feature, we encourage you to
In order to gain interest and feedback in your feature, we encourage you to
present it to the community through the [community channels](https://www.silverstripe.org/community).

## Reporting Security Issues

[warning]
If you think a bug may have security implications, do not create a GitHub issue for it. This may lead to a zero-day vulnerability.
[/warning]

Report potential security issues to [[email protected]](mailto:[email protected]).
See our "[Release Process](/contributing/release_process/#security-releases)" documentation for more info, and
read our guide on [how to write secure code](/developer_guides/security/secure_coding/).
Report potential security issues to [[email protected]](mailto:[email protected]). Emails sent to that address are
forwarded to a private mailing list and kick off a specific security process.

Silverstripe CMS does not operate a *bug bounty* program.
If you have any doubts or are unsure whether the bug you've found has security implications or not, please err on the side of caution
and email us about it.

Review our [Managing Security Guidelines](managing_security_issues) guidelines to understand what happens once a vulnerability is reported.
Review our [Managing Security Issues](managing_security_issues) process to understand what happens once a vulnerability is reported.

Silverstripe CMS aims to ship security patches at pre-defined intervals when those issues are not actively exploited in the wild.

Review the [Security patch windows](../Project_Governance/Minor_release_policy#security-patch-windows) section of our minor release policy for more details.

## Sharing your Opinion

* [forum.silverstripe.org](https://forum.silverstripe.org): Forums on silverstripe.org
* [All issues across modules](https://www.silverstripe.org/community/contributing-to-silverstripe/github-all-core-issues)

## Identifying issues and pull request relevant to your own project {#identifying-issues}

Our [issue browser](https://silverstripe-github-issues.now.sh/) can be helpful to identify known issues and pending pull requests in
[supported modules](/project_governance/supported_modules/).
But you're usually only running some of these modules, and others
from the [wider module ecosystem](https://addons.silverstripe.org).

In order to only show issues and pull requests relevant to your project,
we've written a little [composer utility](https://github.com/silverstripe/silverstripe-github-issue-search-composer-util)
which inspects your own `composer.lock` file dependencies,
and searches across all Silverstripe CMS modules in there.

After [installing the composer utility](https://github.com/silverstripe/silverstripe-github-issue-search-composer-util),
use this command to pass through a lock file, and get a URL to open in your favourite browser.

```
cat /my/project/composer.lock | ss-issue-search get-url
```

Protip: You can further filter to certain [issue labels](code#labels)
such as `label:impact/high` to make the results more relevant.
Silverstripe CMS does not operate a _bug bounty_ program.

## GitHub Labels {#labels}

The current GitHub labels are grouped into five sections:

1. *Impact* - What impact does this issue have, does it break a feature completely, is it just a side effect or is it trivial and not a big problem (but a bit annoying), etc. Impact is evaluated in the context of the CMS as a whole, rather than against the individual module the issue is raised on.
2. *Complexity* - What level of technical proficiency is required to address this issue?
3. *Type* - The type of solution required to address this issue
4. *Affects* - The release line this issue is relevant to
5. *RFC* - The issue is a request-for-comment

| Label | Purpose |
| ----- | ------- |
| impact/critical | Website breaking issue with no workarounds. Reserved only for bugs. Bugfix's will target all supported minor release lines. |
| impact/high | Affects a major usage flow. Broken functionality with no obvious workarounds available, or an enhancement that provides a clear benefit to users |
| impact/medium | When affecting a major usage flow, for bugs there is a workaround available and for enhancements there would be a reasonable benefit to users. For a less common usage flow there is broken functionality and for enhancements there is a clear benefit to users. |
| impact/low | A nuisance but doesn't break any functionality (typos, etc). For enhancements there would only be a limited benefit to users. |
| complexity/low | Someone with limited Silverstripe CMS experience could resolve |
| complexity/medium | Someone with a good understanding of Silverstripe CMS could resolve |
| complexity/high | Only an expert with Silverstripe CMS could resolve |
| type/bug | Does not function as intended, or is inadequate for the purpose it was created for |
| type/enhancement | New feature or improvement for either users or developers |
| type/api-break | An API-breaking change requiring a new major release |
| type/ux | Impact on the CMS user interface |
| type/docs | A docs change |
| type/userhelp | A userhelp documentation change |
| affects/* | Issue has been observed on a specific CMS release line |
| rfc/draft | [RFC](/project_governance/request_for_comment) under discussion |
| rfc/accepted | [RFC](/project_governance/request_for_comment) where agreement has been reached |
Loading

0 comments on commit 28ad128

Please sign in to comment.