Do not disclose Decidim version through the API

mainio · Aug 7, 2024 · a62cb6b · a62cb6b
1 parent 2596f59
commit a62cb6b
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -74,7 +74,19 @@ You can read more about this change on PR [#XXXX](https://github.com/decidim/dec
 
 ## 5. Changes in APIs
 
-### 5.1. [[TITLE OF THE CHANGE]]
+### 5.1. Decidim version number no longer disclosed through the GraphQL API by default
+
+In previous Decidim versions, you could request the running Decidim version through the following API query against the GraphQL API:
+
+```graphql
+query { decidim { version } }
+```
+
+This no longer returns the running Decidim version by default and instead it will result to `null` being reported as the version number.
+
+If you would like to re-enable exposing the Decidim version number through the GraphQL API, you may do so by setting the `DECIDIM_API_DISCLOSE_SYSTEM_VERSION` environment variable to `true`. However, this is highly discouraged but may be required for some automation or integrations.
+
+### 5.2. [[TITLE OF THE CHANGE]]
 
 In order to [[REASONING (e.g. improve the maintenance of the code base)]] we have changed...
 

diff --git a/decidim-api/lib/decidim/api.rb b/decidim-api/lib/decidim/api.rb
@@ -24,6 +24,10 @@ module Api
       15
     end
 
+    config_accessor :disclose_system_version do
+      %w(1 true yes).include?(ENV.fetch("DECIDIM_API_DISCLOSE_SYSTEM_VERSION", nil))
+    end
+
     # This declares all the types an interface or union can resolve to. This needs
     # to be done in order to be able to have them found. This is a shortcoming of
     # graphql-ruby and the way it deals with loading types, in combination with

diff --git a/decidim-core/lib/decidim/api/types/decidim_type.rb b/decidim-core/lib/decidim/api/types/decidim_type.rb
@@ -6,8 +6,12 @@ module Core
     class DecidimType < Decidim::Api::Types::BaseObject
       description "Decidim's framework-related properties."
 
-      field :version, GraphQL::Types::String, "The current decidim's version of this deployment.", null: false
+      field :version, GraphQL::Types::String, "The current decidim's version of this deployment.", null: true
       field :application_name, GraphQL::Types::String, "The current installation's name.", null: false
+
+      def version
+        object.version if Decidim::Api.disclose_system_version
+      end
     end
   end
 end
diff --git a/decidim-core/spec/types/decidim_spec.rb b/decidim-core/spec/types/decidim_spec.rb
@@ -28,8 +28,18 @@
     it "has decidim" do
       expect(response["decidim"]).to eq({
                                           "applicationName" => "My Application Name",
-                                          "version" => Decidim::Core.version
+                                          "version" => nil
                                         })
     end
+
+    context "when disclosing system version is enabled" do
+      before do
+        allow(Decidim::Api).to receive(:disclose_system_version).and_return(true)
+      end
+
+      it "discloses the version number" do
+        expect(response["decidim"]).to include("version" => Decidim::Core.version)
+      end
+    end
   end
 end