MIME types restriction not working properly about controller HOT 6 CLOSED

Hey folks, after a few days I came back to take a look on this.

But before I code anything, I think we should first define what is the expected behavior.

At this moment, what the controller is doing is: when receive a request, it checks what Accept header the client passes and if it's not a whitelisted one (using the ::accept method on controller definition) it responds with status code 406.

In a certain perspective, this is right. But imo it's not the more semantic way to handle this.

HTTP Accept header is used by the client to inform the server which type of return it accepts. For example, it only accept json and xml as responses, so it inform this to the server and the server should give a response in the correct format to the client.

One other way to handle this would be check the content-type, so the controller would see which content-type the client is using to figure out if it should serve or not a response. This is the way that rails approaches the problem.

What do you think?

@brennovich @joneslee85 @jodosha

from controller.

@carloslopes Hello Carlos, thanks for reporting this 😄

Can you please provide a failing example? For instance, what does your action accepts? What's the HTTP_ACCEPT header that makes this feature to fail? Thank you. 👍

from controller.

@carloslopes Did you got something to share with us?

from controller.

Hey @jodosha, sorry about the delay, work is really taking all my time!

The feature isn't failing, this is just something that appear when @brennovich and I were take a looking at this issue #118 and we figured out that when we request something passing a Content-Type header instead of the Accept one, the controller doesn't filter out that request.

And like a said, I don't know if Accept is the right header to use for this purpose. If it is, no problem at all, but this is not the convention that other frameworks use (rails and sinatra per example)

from controller.

@carloslopes Thanks for your reply.

Quoting RFC 2616 (HTTP/1.1):

14.1 Accept

The Accept request-header field can be used to specify certain media types which are acceptable for the response.

Accept is for requests..

14.17 Content-Type

The Content-Type entity-header field indicates the media type of the entity-body sent to the recipient

..while Content-Type is for responses.

This is the reason why we have named that filter .accept and why it ignores Content-Type. 😄

from controller.

Yes, but like it's wrote Accept is what the client is expecting, it doesn't have anything related to the server behavior (what the server is accepting from the client).

At least this is my understanding, but these RFCs sometimes are totally related to interpretation

from controller.