Release 4.6.29 update by mnocon · Pull Request #3144 · ibexa/documentation-developer

mnocon · 2026-04-16T12:51:20Z

There were many things broken about the GraphQL code samples - I've fixed some of them, but also deleted the code sample that was "stolen" from a public repo - it shouldn't be here in the first place, this way we avoid getting this file out of sync.

Doc for:

https://github.com/ibexa/installer/pull/207
the GraphQL issue

github-actions · 2026-04-16T12:51:53Z

Preview of modified files

Preview of modified Markdown:

mnocon · 2026-04-16T12:52:28Z

-use Ibexa\Contracts\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\FieldDefinitionMapper;
-use Ibexa\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\DecoratingFieldDefinitionMapper;
-
-class MyCustomFieldDefinitionMapper extends DecoratingFieldDefinitionMapper implements FieldDefinitionMapper


Redundant, because MyFieldDefinitionMapper.php exists

mnocon · 2026-04-16T12:52:41Z


        $isMultiple = $this->isMultiple($fieldDefinition) ? 'true' : 'false';

-        return sprintf('@=resolver("DomainRelationFieldValue", [field, %s])', $isMultiple);


The actual change related to the release

mnocon · 2026-04-16T13:26:03Z

+        return $this->nameMyFieldInputType($contentType, $fieldDefinition);
+    }
+
+    private function nameMyFieldInputType(ContentType $contentType, FieldDefinition $fieldDefinition): string


This is a change about which I'm not 100% sure - I've based this on https://github.com/ibexa/fieldtype-matrix/blob/main/src/lib/GraphQL/Schema/MatrixFieldDefinitionMapper.php#L67-L74
and https://github.com/ibexa/fieldtype-matrix/blob/main/src/lib/GraphQL/Schema/NameHelper.php#L28-L37

adriendupuis · 2026-04-16T13:43:56Z

+
+#### Implement other countermeasures
+
+If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and asses the danger.


🍑⚠️ "asses the danger" 🤣

Suggested change

If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and asses the danger.

If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and assess the danger.

[PHP 7.4 imposes an old version v0.14.x of `overblog/graphql-bundle`](https://github.com/overblog/GraphQLBundle/blob/v0.14.4/composer.json#L31) which [depends on old unfixed version v14.x of `webonyx/graphql-php`](https://github.com/overblog/GraphQLBundle/blob/v0.14.4/composer.json#L46). To have [the fix coming with `webonyx/graphql-php` v15.31.5](https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr), you must be at least on PHP 8.0 or above.

Thank you 🙈

adriendupuis · 2026-04-16T13:44:31Z

+"config": {
+    "audit": {
+        "ignore": {
+            "GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented."


I wouldn't be generic here, real reason instead of a placeholder that might not be filed:

Suggested change

"GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented."

"GHSA-68jq-c3rv-pcrr": "Ignore DoS risk on old graphql-bundle and graphql-php"

I don't want to suggest that people should ignore this 😄

In (my) ideal world, the entry here would say something like:

"We ignore this CVE because even though we use an outdated package, the graphql endpoint is blocked by our firewall - name of the firewall rule - to make sure nobody has access to it."

Suggested change

"GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented."

"GHSA-68jq-c3rv-pcrr": "We shouldn't ignore this but…"

So, maybe we should give countermeasures examples like

not using graphql and ensure it can't be accessed

using graphql being a strategy ensuring it's only accessed by trusted third parties

…

Added some examples, maybe that helps

konradoboza

Looks good, thanks @mnocon!

adriendupuis

Nice!
Just a weird grammar and a vale suggestion.

Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com>

github-actions · 2026-04-17T10:31:24Z

code_samples/ change report

Before (on target branch)	After (in current PR)
`code_samples/api/graphql/config/services.yaml`	`code_samples/api/graphql/config/services.yaml`
	docs/api/graphql/graphql_custom_ft.md@52:```yaml `docs/api/graphql/graphql_custom_ft.md@53:[[= include_file('code_samples/api/graphql/config/services.yaml') =]]` docs/api/graphql/graphql_custom_ft.md@54:``` `001⫶services:` `002⫶ App\GraphQL\Schema\MyFieldDefinitionMapper:` `003⫶ decorates: Ibexa\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\DecoratingFieldDefinitionMapper` `004⫶ arguments:` `005⫶ $innerMapper: '@.inner'`
`code_samples/api/graphql/src/GraphQL/Schema/MyCustomFieldDefinitionMapper.php`	`code_samples/api/graphql/src/GraphQL/Schema/MyCustomFieldDefinitionMapper.php`
docs/api/graphql/graphql_custom_ft.md@66:``` php `docs/api/graphql/graphql_custom_ft.md@67:[[= include_file('code_samples/api/graphql/src/GraphQL/Schema/MyCustomFieldDefinitionMapper.php') =]]` docs/api/graphql/graphql_custom_ft.md@68:```	`code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php` docs/api/graphql/graphql_custom_ft.md@62:``` php `docs/api/graphql/graphql_custom_ft.md@63:[[= include_file('code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php', 0, 16) =]][[= include_file('code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php', 36, 37) =]]` docs/api/graphql/graphql_custom_ft.md@64:```
`001⫶<?php declare(strict_types=1);` `002⫶` `003⫶namespace App\GraphQL\Schema;` `004⫶`	`001⫶<?php declare(strict_types=1);` `002⫶` `003⫶namespace App\GraphQL\Schema;` `004⫶`
`005⫶use Ibexa\Contracts\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\FieldDefinitionMapper;` `006⫶use Ibexa\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\DecoratingFieldDefinitionMapper;` `007⫶` `008⫶class MyCustomFieldDefinitionMapper extends DecoratingFieldDefinitionMapper implements FieldDefinitionMapper` `009⫶{` `010⫶ protected function getFieldTypeIdentifier(): string` `011⫶ {` `012⫶ return 'my_custom_field_type';` `013⫶ }` `014⫶}`	`005⫶use Ibexa\Contracts\Core\Repository\Values\ContentType\ContentType;` `006⫶use Ibexa\Contracts\Core\Repository\Values\ContentType\FieldDefinition;` `007⫶use Ibexa\Contracts\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\FieldDefinitionMapper;` `008⫶use Ibexa\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\DecoratingFieldDefinitionMapper;` `009⫶use Symfony\Component\Serializer\NameConverter\CamelCaseToSnakeCaseNameConverter;` `010⫶` `011⫶class MyFieldDefinitionMapper extends DecoratingFieldDefinitionMapper implements FieldDefinitionMapper` `012⫶{` `013⫶ protected function getFieldTypeIdentifier(): string` `014⫶ {` `015⫶ return 'my_field_type';` `016⫶ }` `017⫶}` docs/api/graphql/graphql_custom_ft.md@77:```php `docs/api/graphql/graphql_custom_ft.md@78:[[= include_file('code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php', 19, 22, remove_indent=True) =]]` docs/api/graphql/graphql_custom_ft.md@79:``` `The following line doesn't include file correctly: [[= include_file('code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php', 19, 22, remove_indent=True) =]]` docs/api/graphql/graphql_custom_ft.md@101:```php `docs/api/graphql/graphql_custom_ft.md@102:[[= include_file('code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php') =]]` docs/api/graphql/graphql_custom_ft.md@103:```

`code_samples/api/graphql/src/GraphQL/Schema/MyFieldDefinitionMapper.php`	`001⫶<?php declare(strict_types=1);` `002⫶` `003⫶namespace App\GraphQL\Schema;` `004⫶` `005⫶use Ibexa\Contracts\Core\Repository\Values\ContentType\ContentType;` `006⫶use Ibexa\Contracts\Core\Repository\Values\ContentType\FieldDefinition;` `007⫶use Ibexa\Contracts\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\FieldDefinitionMapper;` `008⫶use Ibexa\GraphQL\Schema\Domain\Content\Mapper\FieldDefinition\DecoratingFieldDefinitionMapper;` `009⫶use Symfony\Component\Serializer\NameConverter\CamelCaseToSnakeCaseNameConverter;` `010⫶` `011⫶class MyFieldDefinitionMapper extends DecoratingFieldDefinitionMapper implements FieldDefinitionMapper` `012⫶{` `013⫶ protected function getFieldTypeIdentifier(): string` `014⫶ {` `015⫶ return 'my_field_type';` `016⫶ }` `017⫶` `018⫶ public function mapToFieldValueInputType(ContentType $contentType, FieldDefinition $fieldDefinition): ?string` `019⫶ {` `020⫶ if (!$this->canMap($fieldDefinition)) {` `021⫶ return parent::mapToFieldValueInputType($contentType, $fieldDefinition);` `022⫶ }` `023⫶` `024⫶ return $this->nameMyFieldInputType($contentType, $fieldDefinition);` `025⫶ }` `026⫶` `027⫶ private function nameMyFieldInputType(ContentType $contentType, FieldDefinition $fieldDefinition): string` `028⫶ {` `029⫶ $converter = new CamelCaseToSnakeCaseNameConverter(null, false);` `030⫶` `031⫶ return sprintf(` `032⫶ '%s%sInput',` `033⫶ $converter->denormalize($contentType->identifier),` `034⫶ $converter->denormalize($fieldDefinition->identifier)` `035⫶ );` `036⫶ }` `037⫶}`

Download colorized diff

sonarqubecloud · 2026-04-17T10:32:00Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

glye · 2026-04-17T10:37:07Z

+"config": {
+    "audit": {
+        "ignore": {
+            "GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented causing this one to be safe to ignore."


Good stuff! Very good advice in this section.

@mnocon

* Added doc for TaxonomyNoEntries & TaxonomySubtree (#3082) * Added doc for TaxonomyNoEntries * Added doc for Taxonomy subtree * Fixed CS * Apply suggestions from code review Co-authored-by: julitafalcondusza <117284672+julitafalcondusza@users.noreply.github.com> Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> * Apply suggestion from @mnocon * Rebuild --------- Co-authored-by: julitafalcondusza <117284672+julitafalcondusza@users.noreply.github.com> Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> * Product tour (#3065) * Product tour doc skeleton * Review feedback * Vale * Review feedback - part 2 * Added doc for the new config * Review feedback * Adjusted includes * Wording * Specified button name * Removed TODO * Help Center and Product tour enabled by default * Added images and interactive demo * Apply suggestions from code review Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> * Manual changes * [TMP] Fix build * Fixed build * Reworded --------- Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> * Added doc for additional parameter for ibexa_render (#3043) * Added doc for additional parameter for ibexa_render * Added update sections * Update docs/update_and_migration/from_5.0/update_from_5.0.md Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> * Reworked RN drafts * Update docs/release_notes/ibexa_dxp_v4.6.md Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> * Removed RN entries --------- Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> * Release 4.6.29 fixes (#3139) * Highlight and wording fixes * Added mention of Product Tour to 4.6 * search_api.md: Minor fixes * Release 4.6.29 update (#3144) * Extracted GraphQL samples to separate files * Fixed GraphQL code samples * Updated GraphQl sample * DB update added * Added description * Added GrpahQL Security issue to ignore list * Added regenration mention * Selfreview * Ignore security warning conditionally * Simplified the examples * Wording * Apply suggestions from code review Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> --------- Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> --------- Co-authored-by: julitafalcondusza <117284672+julitafalcondusza@users.noreply.github.com> Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com>

mnocon added 5 commits April 16, 2026 13:48

Extracted GraphQL samples to separate files

63d6110

Fixed GraphQL code samples

02c73c8

Updated GraphQl sample

416a03c

DB update added

c9e8ed9

Added description

b6d99c7

mnocon commented Apr 16, 2026

View reviewed changes

mnocon added 3 commits April 16, 2026 15:04

Added GrpahQL Security issue to ignore list

0aeddab

Added regenration mention

ef23af5

Selfreview

89980ff

mnocon commented Apr 16, 2026

View reviewed changes

Ignore security warning conditionally

1d47f00

adriendupuis requested changes Apr 16, 2026

View reviewed changes

mnocon added 2 commits April 16, 2026 15:59

Simplified the examples

52fc096

Wording

5aade29

mnocon added the Needs DEV review label Apr 17, 2026

mnocon requested review from adriendupuis, alongosz, glye, konradoboza and micszo April 17, 2026 08:03

konradoboza approved these changes Apr 17, 2026

View reviewed changes

micszo approved these changes Apr 17, 2026

View reviewed changes

adriendupuis approved these changes Apr 17, 2026

View reviewed changes

Comment thread docs/update_and_migration/from_4.6/update_from_4.6.md Outdated

Apply suggestions from code review

05fb051

Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com>

mnocon added Needs DOC review and removed Needs DEV review labels Apr 17, 2026

mnocon merged commit b02b90f into release-4.6.29 Apr 17, 2026
9 checks passed

mnocon deleted the release-4.6.29-update branch April 17, 2026 10:31

glye reviewed Apr 17, 2026

View reviewed changes


		$isMultiple = $this->isMultiple($fieldDefinition) ? 'true' : 'false';

		return sprintf('@=resolver("DomainRelationFieldValue", [field, %s])', $isMultiple);


		#### Implement other countermeasures

		If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and asses the danger.

	If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and asses the danger.
	If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and assess the danger.
	[PHP 7.4 imposes an old version v0.14.x of `overblog/graphql-bundle`](https://github.com/overblog/GraphQLBundle/blob/v0.14.4/composer.json#L31) which [depends on old unfixed version v14.x of `webonyx/graphql-php`](https://github.com/overblog/GraphQLBundle/blob/v0.14.4/composer.json#L46). To have [the fix coming with `webonyx/graphql-php` v15.31.5](https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr), you must be at least on PHP 8.0 or above.

	"GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented."
	"GHSA-68jq-c3rv-pcrr": "Ignore DoS risk on old graphql-bundle and graphql-php"

	"GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented."
	"GHSA-68jq-c3rv-pcrr": "We shouldn't ignore this but…"

Conversation

mnocon commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 16, 2026

Preview of modified files

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

konradoboza left a comment

Choose a reason for hiding this comment

Uh oh!

adriendupuis left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

github-actions Bot commented Apr 17, 2026

code_samples/ change report

Uh oh!

Uh oh!

sonarqubecloud Bot commented Apr 17, 2026

Quality Gate passed

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

mnocon commented Apr 16, 2026 •

edited

Loading