Remove dependency on Zend

Same applies to POST requests using the REST module (service access granted to anonymous and authenticated users + key and/or sessid required) .
This could be serious security risk as it would be easy to write a script to look for a REST server on any Drupal 6 site and get unlimited access to any service enabled.

The problem is that REST server does not call services_method_call function to check for required arguments...

Reassigned as issue with rest server

This is my take on REST server - it does not require Zend Framework (uses SimpleXML instead) and checks for session id and api key. I don't have time to test it and make it pretty but it's a good starting point if you really need it. My modifications apply to all files so I zipped them up into one archive.

Made it into a patch, testing would be appreciated.

Could we make a similar patch for 5.x, i'm going to look through it but any pointers on what would need to be changed? FYI, I tried just applying the 6.x patch on the 5.x instance but no dice.

Here is a patch for 5. I made only 2 changes from the prior patch:
- added a 'default' case in rest_server_server() so that int arguments (and others) get passed along to the method call.
- added a drupal_set_header('Content-type: text/xml') so that browser pretty prints XML and devel module knows to stay quiet.

Since these are pretty small changes compared to what the patch nonsie did, I'll mark this RTBC.

Edit: added a forgotten patch file.

This patch is a bit better. It makes sure that xmlwriter does not create tags whose names are numeric. Thats invalid.

Very nicely done, Moshe! Should we also remove the dependency on Zend in rest_server.info? I've split it into two patches because of the different uses of dependency declarations between Drupal 5 and 6. This looks committable to me.

Yes - that dependency should go away. That removal was in the original patch but I lost it during reroll.

Thanks, Moshe. I meant to get to 5.x version but never found time for it

Forgot to attach rest_xml_writer.inc in the patch. I'll give it a try tonight.

Hiya,
Any sign of the rest_xml_writer.inc for d5? Tried to work it out myself but not sure I'm managing.
Cheers,
Kehan

@moshe, referring to #7, I can't find the bit which stops the numeric XML tags. Just wondering what you called them - I'm trying to redo it and I've been calling them .
Thanks,
Kehan

Hi,

Also interested in the rest_xml_writer.inc for d5.
Otherwise, the patch for drupal 5 doesn't seem to work.
Thanks
Geraud

Hi, I've improved xml generation a bit and turned it into a function.

Array with numeric keys now creates children as 'item' nodes with 'id' attributes set to 'key'. E.g. <roles><item id="2">authenticated user</item></roles>. Also, improved how errors are generated and returned and did some code cleanup.

Patch is for version 5.

If som eone gives this a good review, I'd love to commit it! Would also be good to get into the Drupal 6 branch.

Just realized my last patches don't add 'status' = 'success' to the response.

What do you think? Is this really necessary?

Maybe we can just change 'status' = 'error' to 'error' = 'error message' when error occurs?

Here is a streamlined patch that adds back 'status' = 'success'.

Testing the module with a request to node.get didn't give a result. Reason was that the switch ($argument['#type']) needs a default clause for non-array and non-string parameters like the nid parameter of node.get:

  default:
    // parameters of other types
    $args[] = $request[$argname];
    break;

In noticed that with unknown methods, the method name did not appear in the error message. The attached code addresses this by setting $method_name before the foreach loop in rest_server_server().

@jpulles, It taken a while to guess your changes... this is the CVS version of your patch.

Blessings!

This fixes a dependancies problem in previous patch.

Blessings!

Sanitized by coder :)

here the right version (in the right path)

Patch in #24 works for D5

Sanitized by coder.

Patch in #28 has been tested for D6

Committed to both Drupal 5 and Drupal 6. Thanks all! Great work! Any additional problems with it can be filled out through new issues. Thanks again!