Graphql-engine: System-wide default paging/row limit

Created on 22 Oct 2019 · 5Comments · Source: hasura/graphql-engine

Hi,

is there a way to define default/implicit paging limits some way? Because if I have a database with a million records and a client sends a query like:

query {
    publication {
        id
        title
    }
}

.. it would return a million items as result. It would be great if I could set an overall limit or a per table limit on the number of elements that can be returned in a single query. Let's say I set the max paging limit to 100, with that setting a query without an explicit limit would become

query {
    publication(limit: 100) {
        id
        title
    }
}

Also this would prevent malicious clients setting too big limits. So, even if the query is

query {
    publication(limit: 50000) {
        id
        title
    }
}

it would become:

query {
    publication(limit: 100) {
        id
        title
    }
}

Is there such a mechanism in Hasura?

server easy ideas medium

Source

beepsoft

👍1

Most helpful comment

This should be fairly trivial to add (buildSelPermInfo has to change), the behaviour should be as follows: if the global_limit is set, it is used when limit is not specified in select permission definition, however if limit is specified in a select permission definition, it takes precedence over global_limit.

0x777 on 28 Oct 2019

👍2 ❤1

All 5 comments

Hi. There is no way to set a blanket value for this setting across all queries. But https://docs.hasura.io/1.0/graphql/manual/auth/authorization/permission-rules.html#row-fetch-limit would be of help. You can set the limit for a table / role tuple. This will provide you with a more granular control over what roles can fetch how much data of a particular type in a single request

rikinsk on 22 Oct 2019

👍1

@rikinsk Thanks, that will suffice! A system wide default row limit would be just handy to prevent big result sets in case the role/action based limit is not set.

beepsoft on 22 Oct 2019

0x777 on 28 Oct 2019

👍2 ❤1

I'd like to implement this feature, but aren't really sure where to start inside the permissions. Is there any docs about how the codebase works or could anyone point me in the right direction?

DeMoorJasper on 14 Jan 2020

Hi, @DeMoorJasper—we are unfortunately gravely lacking in internal documentation at the moment, though we’re trying to do better. We do have a small explanation of the server code architecture on the wiki, but it’s a little out of date, and it’s missing a lot of details.

All that said, a great way to help us improve in that respect is to give it a try and ask plenty of questions! You can ask us here, or in the #contrib channel of our Discord server. I’ll do my best to answer whatever questions you might have and point you in the right direction.

One thing there’s no way around: the server is written in Haskell, so if you’re not familiar with Haskell, there may be a bit of a language barrier. But if you’re feeling adventurous, by all means: take a look at server/CONTRIBUTING.md to get an environment set up, and try to take a look at the buildSelPermInfo function @0x777 mentioned in the Hasura.RQL.DDL.Permission module.

Definitely don’t hesitate to ask questions, even simple ones! We’d like to make the codebase more accessible to contribute to, and we recognize it isn’t right now, but people trying and getting stuck is exactly what we need to know about to improve things.