Hey @jcsrb, I am able to reproduce this issue locally. This is a bug and should be fixed. "remove" = {} should have no effect on the update mutation. Both must be equivalent.
Hi @jcsrb, at first look it looks like a bug.
But after investigation I found out that this is expected behavior. remove {} gets translated to remove * and deletes everything for the predicate that is in filter.
Thanks for reporting it, we will make changes in our docs to reflect this.
I just stumbled upon this issue and I would like to suggest reconsidering this as an intentional behavior.
The GraphQL schema already provides the deleteX mutation in order to delete one or more nodes, it is in my opinion dangerous and unexpected that an update with remove set to {} completely obliterates the node. This could result in disasters very, very easily.
Let’s consider as an example a Golang client generated from a GraphQL schema and used to update an item (the way we found out about this behavior):
If you look closely you will notice that Remove is initialized beforehand to be populated later, but what happens if you don’t set any value in the Remove struct is not that the value gets ignored, but the whole node gets wiped.
It is also worth mentioning that this behavior makes the @auth rule for the delete operation meaningless, as you can achieve deletion without being authorized to perform a delete just by executing an update with an empty remove object. This is by definition a security breach and a very important one, as delete is normally allowed to be performed only by system administrators.
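An added illustration of the client-side failure mode described in the post above (not code from the original post or from Dgraph): with Go's `encoding/json`, `omitempty` on a pointer field only omits a nil pointer, so a pre-initialized but unfilled `Remove` is serialized as `"remove": {}`. The type, field and function names are hypothetical; the guard drops an empty remove patch before the mutation variables are built.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical types, shaped like a client generated for an "Item" type.
type ItemPatch struct {
	Name *string  `json:"name,omitempty"`
	Tags []string `json:"tags,omitempty"`
}
type ItemFilter struct {
	ID []string `json:"id,omitempty"`
}
type UpdateItemInput struct {
	Filter ItemFilter `json:"filter"`
	Set    *ItemPatch `json:"set,omitempty"`
	Remove *ItemPatch `json:"remove,omitempty"` // omitempty only drops a nil pointer
}

// emptyPatch reports whether p would go over the wire as {} (or not at all).
func emptyPatch(p *ItemPatch) bool {
	if p == nil {
		return true
	}
	b, err := json.Marshal(p)
	return err == nil && string(b) == "{}"
}

// SafeVariables builds the mutation variables, dropping an empty remove patch
// and refusing an update that would carry no set or remove fields at all.
func SafeVariables(in UpdateItemInput) ([]byte, error) {
	if emptyPatch(in.Remove) {
		in.Remove = nil // in is a copy; the caller's struct is untouched
	}
	if in.Remove == nil && emptyPatch(in.Set) {
		return nil, errors.New("update has nothing to set or remove; not sent")
	}
	return json.Marshal(map[string]interface{}{"input": in})
}

func main() {
	name := "new" // constructed sample values
	in := UpdateItemInput{Filter: ItemFilter{ID: []string{"0x1"}},
		Set: &ItemPatch{Name: &name}, Remove: &ItemPatch{}} // Remove pre-initialized, never filled
	raw, _ := json.Marshal(in)
	fmt.Println("unguarded:", string(raw)) // contains "remove":{}
	safe, err := SafeVariables(in)
	fmt.Println("guarded:  ", string(safe), err)
}
```

A client-side guard like this only protects callers that use it; it does not change what the server does with an empty remove object sent by another client.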
I think there was another post on this and it was accepted to change this behaviour. I thought, but now can’t locate it, idk. I agree that this behavior is not what is expected if not very well documented.
Hi all, we are also having an internal discussion regarding it. I have reopened the ticket and will discuss and change this behavior.
Thanks for your critical responses.