diff --git a/CHANGELOG.md b/CHANGELOG.md
index a03927a1fa..8edae24b64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,32 @@
 CHANGELOG
 =========
 
+0.257.0 - 2025-01-09
+--------------------
+
+The common `node: Node` used to resolve relay nodes means we will be relying on
+is_type_of to check if the returned object is in fact a subclass of the Node
+interface.
+
+However, integrations such as Django, SQLAlchemy and Pydantic will not return
+the type itself, but instead an alike object that is later resolved to the
+expected type.
+
+In case there are more than one possible type defined for that model that is
+being returned, the first one that replies True to `is_type_of` check would be
+used in the resolution, meaning that when asking for `"PublicUser:123"`,
+strawberry could end up returning `"User:123"`, which can lead to security
+issues (such as data leakage).
+
+In here we are introducing a new `strawberry.cast`, which will be used to mark
+an object with the already known type by us, and when asking for is_type_of that
+mark will be used to check instead, ensuring we will return the correct type.
+
+That `cast` is already in place for the relay node resolution and pydantic.
+
+Contributed by [Thiago Bellini Ribeiro](https://github.com/bellini666) via [PR #3749](https://github.com/strawberry-graphql/strawberry/pull/3749/)
+
+
 0.256.1 - 2024-12-23
 --------------------
 
diff --git a/RELEASE.md b/RELEASE.md
deleted file mode 100644
index c28e496da1..0000000000
--- a/RELEASE.md
+++ /dev/null
@@ -1,21 +0,0 @@
-Release type: minor
-
-The common `node: Node` used to resolve relay nodes means we will be relying on
-is_type_of to check if the returned object is in fact a subclass of the Node
-interface.
-
-However, integrations such as Django, SQLAlchemy and Pydantic will not return
-the type itself, but instead an alike object that is later resolved to the
-expected type.
-
-In case there are more than one possible type defined for that model that is
-being returned, the first one that replies True to `is_type_of` check would be
-used in the resolution, meaning that when asking for `"PublicUser:123"`,
-strawberry could end up returning `"User:123"`, which can lead to security
-issues (such as data leakage).
-
-In here we are introducing a new `strawberry.cast`, which will be used to mark
-an object with the already known type by us, and when asking for is_type_of that
-mark will be used to check instead, ensuring we will return the correct type.
-
-That `cast` is already in place for the relay node resolution and pydantic.
diff --git a/pyproject.toml b/pyproject.toml
index 00099cdb89..412b146c31 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
 [tool.poetry]
 name = "strawberry-graphql"
 packages = [ { include = "strawberry" } ]
-version = "0.256.1"
+version = "0.257.0"
 description = "A library for creating GraphQL APIs"
 authors = ["Patrick Arminio "]
 license = "MIT"