Remove "And", "Or", and Relationships as valid OrderByInput types. (#2625)

aaronburtle · Aniruddh25 · web-flow · commit 4d7207e5fb21 · 2025-03-26T14:11:32.000-07:00
## Why make this change? Closes #2286 ## What is this change? The `InputTypeBuilder` class holds a function called `GenerateOrderByInputTypeForObjectType`, which is responsible for populating the GraphQL Schema with the valid OrderByInput types. It was mistakenly adding in "and", "or", and columns that are in entities associated through relationships as valid OrderByInput types. "and" and "or" will never be valid input types, and we do not yet support order by using columns from related entities. ## How was this tested? Manually verified that the correct error was returned when trying to use the incorrect orderBy queries, and manually verified that we no longer have them in the schema. Added regression test to verify we get an error when attempting these queries. ## Sample Request(s) These are some example graph QL queries that are invalid but were showing as valid in our schema without this fix. >publishers (first: 5 orderBy: {books: { title: DESC }}){ > items { > id > books { > items { > title > } > } > } > } >books(orderBy: { or: { id: ASC, title: ASC } }) { items { id } } --------- Co-authored-by: Aniruddh Munde <anmunde@microsoft.com>
diff --git a/src/Service.GraphQLBuilder/Queries/InputTypeBuilder.cs b/src/Service.GraphQLBuilder/Queries/InputTypeBuilder.cs
@@ -24,16 +24,25 @@ IDictionary<string, InputObjectTypeDefinitionNode> inputTypes
         {
             List<InputValueDefinitionNode> inputFields = GenerateFilterInputFieldsForBuiltInFields(node, inputTypes);
             string filterInputName = GenerateObjectInputFilterName(node);
-
-            GenerateInputTypeFromInputFields(inputTypes, inputFields, filterInputName, $"Filter input for {node.Name} GraphQL type");
+            GenerateFilterInputTypeFromInputFields(inputTypes, inputFields, filterInputName, $"Filter input for {node.Name} GraphQL type");
         }
 
         internal static void GenerateOrderByInputTypeForObjectType(ObjectTypeDefinitionNode node, IDictionary<string, InputObjectTypeDefinitionNode> inputTypes)
         {
             List<InputValueDefinitionNode> inputFields = GenerateOrderByInputFieldsForBuiltInFields(node);
             string orderByInputName = GenerateObjectInputOrderByName(node);
 
-            GenerateInputTypeFromInputFields(inputTypes, inputFields, orderByInputName, $"Order by input for {node.Name} GraphQL type");
+            // OrderBy does not include "and" and "or" input types so we add only the orderByInputName here.
+            inputTypes.Add(
+                orderByInputName,
+                new(
+                    location: null,
+                    new NameNode(orderByInputName),
+                    new StringValueNode($"Order by input for {node.Name} GraphQL type"),
+                    new List<DirectiveNode>(),
+                    inputFields
+                    )
+                );
         }
 
         private static List<InputValueDefinitionNode> GenerateOrderByInputFieldsForBuiltInFields(ObjectTypeDefinitionNode node)
@@ -53,27 +62,12 @@ private static List<InputValueDefinitionNode> GenerateOrderByInputFieldsForBuilt
                             new List<DirectiveNode>())
                         );
                 }
-                else
-                {
-                    string targetEntityName = RelationshipDirectiveType.Target(field);
-
-                    inputFields.Add(
-                        new(
-                            location: null,
-                            field.Name,
-                            new StringValueNode($"Order by options for {field.Name}"),
-                            new NamedTypeNode(GenerateObjectInputOrderByName(targetEntityName)),
-                            defaultValue: null,
-                            new List<DirectiveNode>())
-                        );
-                }
-
             }
 
             return inputFields;
         }
 
-        private static void GenerateInputTypeFromInputFields(
+        private static void GenerateFilterInputTypeFromInputFields(
             IDictionary<string, InputObjectTypeDefinitionNode> inputTypes,
             List<InputValueDefinitionNode> inputFields,
             string inputTypeName,
diff --git a/src/Service.Tests/SqlTests/GraphQLQueryTests/GraphQLQueryTestBase.cs b/src/Service.Tests/SqlTests/GraphQLQueryTests/GraphQLQueryTestBase.cs
@@ -2146,6 +2146,62 @@ public virtual async Task TestInvalidFilterParamQuery()
             SqlTestHelper.TestForErrorInGraphQLResponse(result.ToString());
         }
 
+        [TestMethod]
+        public virtual async Task TestInvalidOrderByQueryUsingAnd()
+        {
+            string graphQLQueryName = "publishers";
+            string graphQLQuery = @"{
+              books(orderBy: { and: { id: ASC, title: ASC } }) {
+                items {
+                  id
+                }
+              }
+            }";
+
+            JsonElement result = await ExecuteGraphQLRequestAsync(graphQLQuery, graphQLQueryName, isAuthenticated: false);
+            SqlTestHelper.TestForErrorInGraphQLResponse(result.ToString());
+        }
+
+        [TestMethod]
+        public virtual async Task TestInvalidOrderByQueryUsingOr()
+        {
+            string graphQLQueryName = "publishers";
+            string graphQLQuery = @"{
+              books(orderBy: { or: { id: ASC, title: ASC } }) {
+                items {
+                  id
+                }
+              }
+            }";
+
+            JsonElement result = await ExecuteGraphQLRequestAsync(graphQLQuery, graphQLQueryName, isAuthenticated: false);
+            SqlTestHelper.TestForErrorInGraphQLResponse(result.ToString());
+        }
+
+        [TestMethod]
+        public virtual async Task TestInvalidOrderByQueryUsingRelationship()
+        {
+            string graphQLQueryName = "publishers";
+            string graphQLQuery = @"{
+              publishers (first: 5 orderBy:  {books:  {
+                title: DESC
+              }
+              }){
+                items {
+                  id
+                  books {
+                    items {
+                      title
+                    }
+                  }
+                }
+              }
+            }";
+
+            JsonElement result = await ExecuteGraphQLRequestAsync(graphQLQuery, graphQLQueryName, isAuthenticated: false);
+            SqlTestHelper.TestForErrorInGraphQLResponse(result.ToString());
+        }
+
         /// <summary>
         /// Test to check that sourceFields and targetFields for relationship provided in the config
         /// overrides relationship fields defined in DB.
