restful-drupal / restful Goto Github PK
View Code? Open in Web Editor NEWRESTful best practices for Drupal
Home Page: https://drupal.org/project/restful
RESTful best practices for Drupal
Home Page: https://drupal.org/project/restful
Using drupal_json_output
as our delivery callback overwrites the Content-Type
header hardcoding it to application/json
. We want it to respect our custom Content-Type
headers as long as it's of type json (application/hal+json
, application/problem+json
, …).
This is a follow up for #49
This might be in the realm of a contributed add-on, but it would be great to implement an HMAC authentication provider to give a more secure option than HTTP basic authentication or session-based authentication. Acquia recently released an open-source library to facilitate implement such a system at https://github.com/acquia/hmac-request.
Thanks in advance for your consideration,
Chris
PUT
was a mistake I meant PATCH
;)
This will possibly also be the first time to introduce Hateoas - where we'll add links for the previous/ next links
Imagine a client calling a non existing resource (e.g. api/v1/article -- instead of articles).
Currently the result is HTML with a 404.
I would expect RESTful to take control and return a proper JSON response.
Move everything that is not entity related to RestfulBase
.
@mateu-aguilo-bosch I'm thinking out loud. Should we keep the advanced help -- currently the docs are a todo, which is fine, I just wonder if they'll ever be something that would be valuable for users.
Maybe if it was easy to assign a customisable link so they would direct to help.example.com?
field_uuid
information taken from getPublicFields()
does not include property
.
It includes only callback
.
// Skip fields that doesn't have property configures, such as UUID field.
if (!isset($info['property'])) {
continue;
}
$property_name = $info['property'];
If the access callback of the menu item returns FALSE, then the output would be 3 (which is actually MENU_ACCESS_DENIED
) with status code 200.
We should call drupal_deliver_html_page()
in case of int values.
We already using the Entity validate module in OpenScholar. I think this can be good addition. Dependent PR: Gizra/entity_validator#8
I'd like to play with the idea of a completely decoupled register.
Instead of the entity itself. Like we do for RestfulEntityBase::entityValidate()
In order to keep thinks self-contained move the response header stuff into the formatter (maybe RestfulBase
?).
This depends on: #132
Related to #129.
The idea is to have some extra configuration for the image fields (maybe also think of a generic way to have extra config for fields with nice helper methods) that will list an array of image styles.
That way we can output different image urls for different sizes. I think this is important b/c client apps usually are not great at resizing images and also there's bandwidth to consider.
So when we build the return array for an entity that contains an image field we output the url to the original image and all image styles listed for that field instance for that particular endpoint.
Since this module does not have a stable release on drupal.org yet I think it is fine to report security issues in public (see our policy https://www.drupal.org/security-advisory-policy ).
I have not looked to closely at the code and have not tried to exploit this yet, but I think there could be a CSRF vulnerability on write operations such as POST, PUT and DELETE requests when using session cookie authentication.
This happened in the past to other Drupal REST server solutions:
RESTWS: https://www.drupal.org/node/1890222 and http://cgit.drupalcode.org/restws/commit/?id=dae7e2e
Services: https://www.drupal.org/node/2012982
Drupal 8 core: https://www.drupal.org/node/1891052
Maybe I overlooked something, do you already handle this case somehow?
When using the patch() or put() methods to update an entity there's no way to empty a field's value in case of a field with cardinality of 1. In the function setProperyValues()
we check:
if (!isset($request[$public_property]))
And if we send a value of NULL we skip this property and we get an exception later on.
Note that for fields that are multiple this works fine by sending array(NULL)
in the request for that property.
file_save_upload()
isn't API friendly. The errors are sent via drupal_set_message()
.
We could copy file_save_upload() and run the validations ourself, so when we hit a validation error we'll have better error messages.
restful_token_auth
that will provide an endpoint to login/ register/ retrieve password via CURL.token_auth
entity that will have the token info, along with the user it's related to, and the created/ expire info.Once we have this we can create an example repo of a completely decoupled AngularJs webapp talking with a completely RESTful Drupal. Which is pretty awesome ;)
Class names are getting crazy lately. Maybe we should start thinking about adding a root namespace \Restful
and then use
it everywhere. Deeper nesting can also provide some clarity.
Maybe we'll need to depend on xhautoload, but I think that would be an overkill at this point.
@amitaibu thoughts?
Resources from entity type "taxonomy" need a separate taxonomy base class because the base class of "Node" have a property condition of status
to expose only published nodes which taxonomy doesn't have.
Cool module.
One recommendation is to consider adopting the IETF API-Problem specification for error messages. There is a good blog post at https://www.mnot.net/blog/2013/05/15/http_problem that gives an overview of why this is useful, and there is some tooling in PHP at https://github.com/Crell/ApiProblem to help facilitate rendering spec-compliant messages.
Thanks!
Chris
I'm looking into integrating oauth2_server and Restful.
Problem #1
Restful's fancy error handling.
oauth2_server_verify_access() likes to do that by itself (output 401 + the json body with additional info), that comes from the underlying library mostly.
Now, there are only a few possible errors, so I could translate that into what a restful user would expect, but it wouldn't be consistent with the errors that the oauth2 endpoints (oauth2/authorize, oauth2/token) are throwing
(those are completely outside restful so they can't be affected + the list is huge)
So the question is whether to be inconsistent, or inconsiderate (by throwing our own errors and doing a drupal_exit() inside the authorization plugin)
Problem #2
Scopes. I need to have a way to specify a needed scope per action ("get" requires "view" but "post" requires "administration view" for example). I can add some settings to the plugin metadata, but it feels like there should be a way to describe the actions (what's in $controllers + authorization info, for starters)
See here
Follow up for #79
Currently our rate limit is per resource.
It would be nicer to be able to say, like Github has, you may access any resource up to 5000 in total.
@mateu-aguilo-bosch
I'd like to suggest an approach for getting release/ RC/ Beta or whatever we decide to call it out:
I've added a "release blocker" label, so both you and I can mark freely the issues we want to tackle.
Let's time-box the effort by setting a soft limit to the end of Sep (i.e. the beginning of DrupalCon Amsterdam).
Que pensas?
This should be done probably only after we've reached an alpha -- which I feel we're pretty close.
I'm just putting a name here. not implying anything. @fubhy :)
For clients that don't have PATCH/ PUT
$request = array(
'sort' => 'id',
'filter' => array('value' => '1,2', 'operator' => 'IN'),
);
cause they are needed :)
Would be nice to have something as @larowlan did for D8's REST https://www.drupal.org/project/rest_api_doc
For example, if we have a node that reference a new term, currently you need 2 requests: one to create the term, and the other to create the node that references it.
Since RESTful already has an option to map a resource to an entity-reference field, we could save that extra request.
This one is a little hard, as if one entity isn't valid, it should fail the others, so we might opt for a db_transaction()
here.
@mateu-aguilo-bosch thoughts?
@mateu-aguilo-bosch
Currently the new image_styles will work only if one would implement something similar to \RestfulExampleArticlesResource__1_5::imageProcess()
.
Maybe we should move imageProcess()
to the base class as-well?
Entity validator is a new (and still under lots of development) module we work on in Gizra, that I can think compliment RESTful, when it comes to validating a created/ updated entity.
cc @mateu-aguilo-bosch
I think RESTful should be opinionated about the output format. A variation of JSON API is my preferred format and I'd like to see the module following that. The only I'd like to have with it is that I think that when getting a specific single item we should not be returning an array with only one item but an object. I also like having "data"
as a common object key for … well, data.
Having an output plugin and defining our default one (json_api_custom
) will allow module integrators to easily have APIs in YML, other JSON structures, or $deity
forbids… XML.
Maybe this is worth some reading/talks.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.