Releases for RESTful Web Services

Release notes

See also SA-CONTRIB-2013-003

This release comes with a major API change for clients. A security token has been introduced to guard against CSRF attacks. This change only affects you if

* your client uses cookie-based user authentication and
* your client performs write operations (POST, PUT or DELETE).

Clients that only read data (GET requests) still work the same. Clients that use other authentication mechanisms (like restws_basic_auth) remain unaffected as well.

In order to still write to your Drupal installation those cookie-using clients need to add an X-CSRF-Token header to their HTTP requests. The token can be retrieved from http://example.com/restws/session/token (replace the URL with your site accordingly). You can also generate the token yourself and deliver it with JavaScript settings on the HTML page if you are calling back to the web service interface from JavaScript. That avoids an additional HTTP request just to get the token:

An example for the usage of the X-CSRF-Token header with PHP's cURL can be found in the Simpletests.

Changes since 7.x-2.0-alpha3:

Release notes

Fixes a CSRF security issue. SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)

API change: The format extension in URL paths only works for GET requests now.
Example that still works:

Release notes

This release introduces querying support for entities. You can retrieve a list of entities now and even filter it with the power of EntityFieldQuery. See the Querying and Meta controls section in the README.txt. Big thanks to sepgil for implementing all this during Google Summer of Code!

Changes since 7.x-2.0-alpha1:

Release notes

First release of the new 2.x branch. The new branch was created because of an important API change: the HTTP request methods for create and update operations have been swapped (see #1472634: HTTP PUT / POST Reversed for CRUD CREATE / UPDATE Operations). The 7.x-1.x branch is now frozen and will get security fixes only. If you want to start a new project with RESTWS use the 2.x branch. If you are running 1.x versions of RESTWS do not upgrade to 2.x without prior testing/adoption of your clients.

This release also contains the first improvements achieved from our GSoC project.

Changes since 7.x-1.0-beta2:

• #1506190 by sepgil: Fixed Don't allow to create Entities without Bundles.
• #1472634 by sepgil: Reversed HTTP PUT / POST methods for create/update operations.
• #1451952 by sepgil: Fixed XML output for complex data in EntityValueWrapper.

Release notes

Very minor maintenance release. This is the last release before our Google Summer of Code changes will be started.

Changes since 7.x-1.0-beta1:

• #1343816: Fixed altering of menu paths and made sure that RESTWS runs last on hook_menu_alter().
• HTTP_ACCEPT might not be set in $_SERVER, added checks for that.
• Added a user name filter to restws_basic_auth to avoid unecessary login attempts for human users on HTTP auth protected sites.
• Fixed the update function message.
• Fixed some code style errors reported by Drupal Code Sniffer.
• #1242270 by garethsprice, Amitaibu: Fixed content type header detection for POST/PUT requests.