A REST export view should be configurable to declare which formats should be allowed. Example: the view should allow XML and JSON-LD, but it should forbid HTML, JSON and Drupal JSON-LD.
The new routing system can handle that config for us: routes can be restricted to only support certain formats given in the HTTP Accept headers. So we need to move the registration of routes from views_menu_alter() to a proper route subscriber in Views module. I think we should open an issue to convert Views to the new Routing system first.
You can find an example of restricting routes to specific formats in #1850734: Make serialization formats configurable.
Comment | File | Size | Author |
---|---|---|---|
#31 | 1891202-31.patch | 11.31 KB | damiankloip |
#31 | interdiff-1891202-31.txt | 1.27 KB | damiankloip |
#26 | RestExportTest.txt | 2.17 KB | dawehner |
#25 | 1891202-25.patch | 11.28 KB | damiankloip |
#25 | interdiff-1891202-25.txt | 932 bytes | damiankloip |
Comments
Comment #1
dawehnerWe should certainly wait until the the CMF routing is in, though didn't it had the problem that you needed yml files which are kind of static?
Comment #2
klausiOf course you can also add dynamic routes, REST module does that already: http://drupalcode.org/project/drupal.git/blob/refs/heads/8.x:/core/modul...
Would be a pretty bad routing system for drupal if you could not add run-time/config dependent routes ...
Comment #3
dawehnerThank you for that information!
Comment #4
xjmComment #5
damiankloip CreditAttribution: damiankloip commentedJust tracking some work here, This patch just adds options for the style plugin pretty much.
Comment #6
klausi#options are automatically protected against XSS, see http://api.drupal.org/api/drupal/core!includes!form.inc/function/theme_f...
Comment #7
damiankloip CreditAttribution: damiankloip commentedGood point, I will bear that in mind when I work on this next. Lucky it's just a wip ;)
Comment #8
klausiThanks, I was just curious about the patch and thought I can leave feedback while I'm reading over it anyway :-)
Comment #9
dawehnerAlso just providing feedback :) We could filter that on a validateOptionsForm method.
Comment #10
damiankloip CreditAttribution: damiankloip commentedRerolled to include the feedback so far. I think this should just wait on #1800998: Use route system instead of hook_menu() in Views for the time being.
Comment #11
damiankloip CreditAttribution: damiankloip commentedok, now that #1800998: Use route system instead of hook_menu() in Views is in we can use routes and finish this issue. A 406 response will be returned by the routing system for invalid formats.
Comment #12
klausi"use" should be lower case
So you disabled this test method? Leftover from development? ;-)
Comment does not match implementation? 406 should be indeed returned?
Same here
Comment #13
Anonymous (not verified) CreditAttribution: Anonymous commentedI tested this manually. After enabling both formats, I could access both. Turning one off resulted in a 406. Turning unchecking all formats made it possible to access all of them again.
This matches the behavior we talked about, so once the code review is done I think this can be RTBCed.
Comment #14
damiankloip CreditAttribution: damiankloip commentedThanks for the reviews/testing. Much appreciated. Have made those changes.
Comment #15
klausiLooks RTBC to me, I only fixed a typo in the comment.
Comment #16
dawehnernothing is also NULL :)
It feels wrong that getFormats() doesn't return the formats
Should we check for formats?
You know we can inject stuff now?
@inheritdoc all the things.
Please let's us open a follow up to convert that function.
We agreed to split the tests into UI and the rest
Comment #17
damiankloip CreditAttribution: damiankloip commentedDone everything except splitting up the tests. Just running out of time.
Comment #18
damiankloip CreditAttribution: damiankloip commentedI think we should have a follow up now for the decoupling of tests. Seems slightly too far for this issues scope. Created #2004670: Split Views style serializer tests in to UI and functional tests
Comment #19
klausi@inheritdoc here too, so I fixed that as well.
Everything else looks good, so RTBC again?
Comment #20
damiankloip CreditAttribution: damiankloip commentedI would say so :) Also, just opened #2004798: Replace drupal_map_assoc with a utility class method
Comment #21
damiankloip CreditAttribution: damiankloip commentedMe and Alex had a chat on IRC about this. As we cannot properly do content negotiation yet, we need to keep the 'fallback' format selection for html as we had before. When we improve the content negotiation, we can fix this.
I have added some @todo's in the code, as well as some additional test assertions for browser headers.
Comment #22
damiankloip CreditAttribution: damiankloip commentedComment #24
dawehnerWhat is firefow ;)
Comment #25
damiankloip CreditAttribution: damiankloip commentedYou are seriously behind the times if you aren't using the firefow browser yet!
Comment #26
dawehnerManual testing worked fine.
Just in case someone is interested, here is a try to write a proper unit test ... still not possible.
Comment #28
damiankloip CreditAttribution: damiankloip commented#25: 1891202-25.patch queued for re-testing.
Comment #29
dawehnerReRTBC
Comment #30
alexpottThe assertion messages here are incorrect. We're not requesting HTML - we're requesting something and saying we'll take anything :)
Comment #31
damiankloip CreditAttribution: damiankloip commentedOK, how about this? As it's just a comment change, assigning to you Alex.
Comment #32
dawehnerSeems fine for me.
Comment #33
alexpottCommitted 1c61a22 and pushed to 8.x. Thanks!
Comment #34
alexpottComment #35
alexpottUnassigning...
Comment #36.0
(not verified) CreditAttribution: commentednot postponed anymore