From 5d24b51421aaf69c3b06910bffb26df582dd138d Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Mon, 19 Jan 2026 19:26:17 +1300
Subject: [PATCH] Allow separately enabling graphql introspection
---
 .env | 3 ++-
 app/config/variables.php | 9 +++++++++
 app/controllers/api/graphql.php | 5 ++++-
 app/views/install/compose.phtml | 1 +
 docker-compose.yml | 1 +
 5 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/.env b/.env
index c301c53123..c7ee93e12a 100644
--- a/.env
+++ b/.env
@@ -106,6 +106,7 @@ _APP_INTERVAL_CLEANUP_STALE_EXECUTIONS=300
 _APP_USAGE_STATS=enabled
 _APP_LOGGING_CONFIG=
 _APP_LOGGING_CONFIG_REALTIME=
+_APP_GRAPHQL_INTROSPECTION=enabled
 _APP_GRAPHQL_MAX_BATCH_SIZE=10
 _APP_GRAPHQL_MAX_COMPLEXITY=250
 _APP_GRAPHQL_MAX_DEPTH=4
@@ -127,4 +128,4 @@ _APP_WEBHOOK_MAX_FAILED_ATTEMPTS=10
 _APP_PROJECT_REGIONS=default
 _APP_FUNCTIONS_CREATION_ABUSE_LIMIT=5000
 _APP_STATS_USAGE_DUAL_WRITING_DBS=database_db_main
-_APP_TRUSTED_HEADERS=x-forwarded-for
\ No newline at end of file
+_APP_TRUSTED_HEADERS=x-forwarded-for
diff --git a/app/config/variables.php b/app/config/variables.php
index 653e959101..36f691e534 100644
--- a/app/config/variables.php
+++ b/app/config/variables.php
@@ -1285,6 +1285,15 @@ return [
 'category' => 'GraphQL',
 'description' => '',
 'variables' => [
+ [
+ 'name' => '_APP_GRAPHQL_INTROSPECTION',
+ 'description' => 'Enable or disable GraphQL introspection. Set to \'enabled\' to allow schema introspection, or \'disabled\' to block it. The default value is \'enabled\'.',
+ 'introduction' => '',
+ 'default' => 'enabled',
+ 'required' => false,
+ 'question' => '',
+ 'filter' => ''
+ ],
 [
 'name' => '_APP_GRAPHQL_MAX_BATCH_SIZE',
 'description' => 'Maximum number of batched queries per request. The default value is 10.',
diff --git a/app/controllers/api/graphql.php b/app/controllers/api/graphql.php
index e0cc4181db..c577b3bc3e 100644
--- a/app/controllers/api/graphql.php
+++ b/app/controllers/api/graphql.php
@@ -224,8 +224,11 @@ function execute(
 $flags = DebugFlag::INCLUDE_DEBUG_MESSAGE | DebugFlag::INCLUDE_TRACE;
 $validations = GraphQL::getStandardValidationRules();
- if (System::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') {
+ if (System::getEnv('_APP_GRAPHQL_INTROSPECTION', 'enabled') === 'disabled') {
 $validations[] = new DisableIntrospection();
+ }
+
+ if (System::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') {
 $validations[] = new QueryComplexity($maxComplexity);
 $validations[] = new QueryDepth($maxDepth);
 }
diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml
index 80d4e5e2d6..16af33ca3a 100644
--- a/app/views/install/compose.phtml
+++ b/app/views/install/compose.phtml
@@ -165,6 +165,7 @@ $enableAssistant = $this->getParam('enableAssistant', false);
 - _APP_MAINTENANCE_RETENTION_SCHEDULES
 - _APP_SMS_PROVIDER
 - _APP_SMS_FROM
+ - _APP_GRAPHQL_INTROSPECTION
 - _APP_GRAPHQL_MAX_BATCH_SIZE
 - _APP_GRAPHQL_MAX_COMPLEXITY
 - _APP_GRAPHQL_MAX_DEPTH
diff --git a/docker-compose.yml b/docker-compose.yml
index c5b88a2174..afab358018 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -200,6 +200,7 @@ services:
 - _APP_MAINTENANCE_RETENTION_SCHEDULES
 - _APP_SMS_PROVIDER
 - _APP_SMS_FROM
+ - _APP_GRAPHQL_INTROSPECTION
 - _APP_GRAPHQL_MAX_BATCH_SIZE
 - _APP_GRAPHQL_MAX_COMPLEXITY
 - _APP_GRAPHQL_MAX_DEPTH
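Review bot: In app/controllers/api/graphql.php the new `_APP_GRAPHQL_INTROSPECTION` check fails open: `DisableIntrospection` is added only when the value is exactly `'disabled'`, so a near-miss such as `Disabled`, `false` or `off` leaves schema introspection available. Before this change the rule was added whenever `_APP_OPTIONS_ABUSE` was not `'disabled'`, so an install that upgrades without setting the new variable appears to go from introspection blocked to introspection allowed (the `.env` and app/config/variables.php hunks both default it to `enabled`); if that flip is intended it belongs in the upgrade notes. A fail-closed form would be `if (System::getEnv('_APP_GRAPHQL_INTROSPECTION', 'enabled') !== 'enabled') {`, and the description added in variables.php could say that the match is exact and case-sensitive. The body of `execute()` starts and ends outside the hunk.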