The PUT line here is working:
curl -X PUT --user ws_user1:xxxxxx --header "Content-Type: application/xml" --data @test1.xml "http://www.example.com/node/65"
with the xml file containing:
<?xml version="1.0" encoding="utf-8"?>
<node>
<body><value>test node init body...</value>
<format>filtered_html</format>
</body>
<title>TEST 3 - edited</title>
<promote>1</promote>
<status>1</status>
<sticky>0</sticky>
<type>page</type>
<author>1</author>
</node>
However, to create a node I need to use
curl -X POST --user ws_user1:xxxxxx --header "Content-Type: application/xml" --data @test1.xml "http://www.example.com/node/1"
or that could be node/2, node/65 etc.
I'm trying to create a node of type 'page' - so according to the docs I should be POSTing to "http://www.example.com/page" but this returns a Drupal page containing
...
<div class="content">
The requested page "/page" could not be found. </div>
</div>
...
Trying with "http://www.example.com/node" gives me a '403 Forbidden' - which is strange because if I'm logged into the site via a browser as that user then I can view "http://www.example.com/node" fine.
Comment | File | Size | Author |
---|---|---|---|
#126 | creating_nodes_with-1720602-126.patch | 12.41 KB | btopro |
#118 | creating_nodes_with-1720602-116.patch | 12.37 KB | robertwb |
#114 | creating_nodes_with-1720602-114.patch | 12.3 KB | robertwb |
#112 | creating_nodes_with-1720602-112.patch | 12.5 KB | robertwb |
#110 | creating_nodes_with-1720602-110.patch | 11.37 KB | robertwb |
Comments
Comment #1
bailey86 CreditAttribution: bailey86 commentedI'm raising the level for this bug as it feels quite important to me.
To create a node I can use:
$ curl -X POST --user icmsws:xxxxxx --header "Content-Type: application/xml" --data @test2.xml "http://www.example.com/node/76"
providing node 76 is the same type of node as the node I'm creating. Any other type of node will not work - and I can't find any other URL which works.
I have the LDAP authentication module installed. And also the Field permissions module.
The XML file contains:
Comment #2
sepgil CreditAttribution: sepgil commentedTo create a node you need to "POST" to "http://www.example.com/node" without any id. You can't specify the id...
Comment #3
bailey86 CreditAttribution: bailey86 commentedOK - thanks.
If you've got that working could you post up the exact curl command (or whatever was used) and any sample XML/JSON used to create a node.
Currently, POSTing to /node produces a 403 error for me - maybe it's an authentication module bug - or a clash with another module.
Comment #4
sepgil CreditAttribution: sepgil commentedYour command is correct...
curl -u restws_user:xxxx --header "Content-Type: application/xml" --data @test1.xml http://www.example.com/node
..but your username isn't. I assume you want to use the included Basic authentication login module, and in order for it to work, you have to use the prefix 'restws' on your user name your trying to log in with.
You can find more details in the Readme.
Comment #5
bailey86 CreditAttribution: bailey86 commentedThanks for the comment.
The username is correct in my case - I've made the setting in the settings.php file RE
$conf['restws_basic_auth_user_regex'] = '/^web_service.*/';
and changed to to match our requirements.
Interestingly - it does look from the user log that most of the time the user is being reported as anonymous - even if we're using the correct username.
Comment #6
bailey86 CreditAttribution: bailey86 commentedRemoved. Posted to wrong thread.
Comment #7
kamkam CreditAttribution: kamkam commentedHello bailey86, Were you able to resolve this issue? I am seeing the same "403 Forbidden" error when I do a POST
Is there an example of POST with XML payload that works?
Thanks.
Kamran
Comment #8
bailey86 CreditAttribution: bailey86 commentedNope - not resolved.
The node creation *will* work - but you have to use a URL of an existing node - which is not how it should work. But - as I say - it does work. This is the POST request:
curl -X POST --user ws_user1:xxxxxx --header "Content-Type: application/xml" --data @test1.xml "http://www.example.com/node/1"
and this is the example test1.xml file:
Further details are at the beginning of this post.
Comment #9
aalamaki CreditAttribution: aalamaki commentedHi,
My guess is that it is related to the issue which I'm facing as well when doing CURL from PHP code, using the latest Drupal core and latest dev snapshot of Restws. My code is the following, the code is taken from http://www.barnettech.com/content/restful-webservices-module-restws with slight modifications:
What happens is the user authentication in the first step passes fine with HTTP 200 but when saving the node, it returns response "403 Access Denied: CSRF validation failed".
If I change the url into an existing node url, it will not give the 403 but node is not created either. This behavior is to be expected though as it is supposed to take in only PUT when an existing node url is given.
On a bit of debugging the result, I realized that printing out the $token returns 1 instead of the hash; it appears also as the X-CSRF-Token in the code output.
Comment #10
bailey86 CreditAttribution: bailey86 commentedHmmm...
So what we're saying is that this functionality is still not correct - or is now not working at all. The key problem I came across was that to create a *new* node it was necessary to POST to an *existing* node of the same content type - where it should be POSTed to a simpler URL (such as /page) to create a new node.
My worry is that as this module is now going to be part of D8 core the dev focus has moved away from the D7 version. We have a production site using this module and so thanks for the warning - I'll be extra careful if the site is being upgraded.
What I'll do is bump this up to 'critical' to see if it gets the dev's attention - I get the feeling that it wouldn't take long for one of the devs to sort this out.
My feeling is that this issue is to do with when the module switched around to using POST instead of PUT and PUT instead of POST. See https://drupal.org/node/1472634 - this was the core reason for the 2.x release.
This could be a bigger problem than the devs realise - the stats currently show a huge number of downloads (10,468) but to me it looks like a relatively low number of sites reporting using the module (608). Maybe people a hitting this problem and then not using the module.
Comment #11
aalamaki CreditAttribution: aalamaki commentedDid some debugging on the code and it is actually working as expected; the curl_exec returns boolean true/false and in this case, it returns the 1 for success.
The authentication and token retrieval both return HTTP 200 with response "1" on curl_exec() so they obviously get returned correctly but after this when trying to access the url /node for adding new node with POST, it is giving me the 404.
The module sets HTTP status in a few different situations and tried to debug the 404's there but doesn't seem that it's the module which sets the 404 in this case.
Sidenote to my Drupal installation for this case, I'm using Panopoly with Drupal core 7.19.
Comment #12
bailey86 CreditAttribution: bailey86 commentedThat's what I was getting. But if I POSTed to /node/123 where 123 was an existing node the new node would be created (with a nice new ID).
However, the /node page can be accessed from a browser.
So - wild guess - is there a hook which is causing the issue?
Anyway - were you able to get your code working if you POSTed to an existing node?
BTW - Panopoly usage looks curious - only 1 reported current site - any idea why only 1?
Comment #13
klausiAs you can see in the simpletests of this module POST for creating nodes is working as expected.
This is wrong:
curl_exec() does not return the contents, you need to set CURLOPT_RETURNTRANSFER, see the PHP documentation about that.
Please try that and report back here.
Comment #14
aalamaki CreditAttribution: aalamaki commentedHi,
Yes that was actually in my last test, missed it first but added it there. The code now is:
What happens now is it returns HTTP 200 for the authentication and for the token; also the token gets set correct. However, now when it tries to add the node, it gives me HTTP 403 Forbidden. The user has full admin rights to the system. Paste of the $ret:
Comment #15
klausiLooks like you are populating the cookie on your client:
But you should of course use the cookie that is returned by the server.
Comment #16
aalamaki CreditAttribution: aalamaki commentedHmm, I don't think it is that one because I just ran it on my home server on a different Drupal installation but same d-core 7.19 and it worked perfect as-is, didn't change a thing except for adding CURLOPT_USERPWD right on the beginning of the code after curl_init because that's needed to get on the server. Will have to continue investigating...
Comment #17
klausiCURLOPT_COOKIE is definitely wrong, since the docs say that this sets the cookie header. But yeah, you are using it on the login request, where it does not make a difference. You can just remove it.
Comment #18
aalamaki CreditAttribution: aalamaki commentedHi,
Yeah I guess so...will get rid of it, going to check on the other drupal installation tomorrow and try debug why it still gives the 403 there.
Another thing, I just tried to create a Scald Atom for the scald file provider but it gives me again that 403 when trying to create, even tried using the uid 1 of drupal for login and creation.
My question is, has this ever been tested with Scald entities? The code that I'm using is the same as before with just the exception that I changed the following:
curl_setopt($ch, CURLOPT_URL, '<drupal_site>/node');
into
curl_setopt($ch, CURLOPT_URL, '<drupal_site>/scald_atom');
Also changed the $node array into the following:
As far as I know, the above should be more than enough for Scald atom creation so don't really see that this could be the reason for the 403.
Comment #19
giorgio79 CreditAttribution: giorgio79 commentedThx aalamaki for your code at #14, it worked for me as a simple restws php client :)
Comment #20
oceanos CreditAttribution: oceanos commentedHas anyone solved the 403 issue already? I constantly get 403 - forbidden when trying to POST a new node to /node. POSTing to /node/1 (an existing node of the same content type) to create a NEW node works as described in #8, but this doesn't make sense.
When setting the permissions for the logged in user to "Bypass content access control", POSTing to /node works, but I don't want to give the user that permission.
Interestingly, when giving the anonymous user access to the REST resource "node" and giving him the permission to create nodes, POSTing to /node works fine, even when the "Bypass content access control" is NOT set for the anonymous user.
This is really a show stopper for this otherwise great module.
Comment #21
klausiWhat does the 403 error message say? Looks like you are not sending the CSRF token as authenticated user?
Did you try restws_basic_auth where you don't need the CSRF token?
Comment #22
oceanos CreditAttribution: oceanos commentedYes, I send the CSRF-Token along in the header. Therefore, PUT and DELETE work as they should, and POST also works, but only to node/* instead of to /node. If I did not send the token, neither of that would work.
The return is just '403 - forbidden'. If I omitted the token, it would say '403 - Access Denied: CSRF validation failed'. But that is not the case.
In the Drupal logs the corresponding message is just "access denied".
BTW: I'm testing using Chrome and the Dev http Client plugin.
Comment #23
klausiIt is required that the user POSTing the node has the "bypass node access" permission, because entity_metadata_no_hook_node_access() has no other way of granting access on creation. There might be an Entity API issue somewhere to fix that for the create operation.
Comment #24
oceanos CreditAttribution: oceanos commentedI tried both restws_basic_auth that comes with restws and the session based authentication that comes with the Services module. With both methods, authentication works flawlessly, but I can't POST a new node to the /node URI without attaching the nid of an existing node.
Comment #25
klausiThere it is: #1780646: entity_access() fails to check node type specific create access
Comment #26
oceanos CreditAttribution: oceanos commentedI applied patch #136 to the Entity API module as suggested in the thread you pointed to, but with no effect. Could you give some more details?
Thanks very much for your support so far!
Comment #27
klausiNo further ideas - you need to debug the cause of the 403. What else is registered on /node on your site? Does the request arrive at RESTWS if you enable logging?
Comment #28
oceanos CreditAttribution: oceanos commentedThe /node path is actually a drupal system path pointing to the the default front page of each drupal installation. Each node that has the "promoted to frontpage" setting is shown on that page.
It is possible to set another page (or view etc.) as the frontpage in the drupal settings, but the /node URL and the corresponding system page still live in the background. So maybe the attempt to POST something to the /node URL interferes with the drupal core itself?
Can you reproduce the behaviour?
Comment #29
oceanos CreditAttribution: oceanos commentedI enabled logging and the request arrives at restws. The logfile says:
I think something's going wrong in restws.entity.inc after line 286:
Why? When I set "Bypass content access control" for authenticated users in the permission settings, POSTing to /node works fine.
Comment #30
GuyPaddock CreditAttribution: GuyPaddock commentedI am also seeing this issue.
The problem is that
restws_entity_node_access()
expects a node to be passed-in, but it's getting aNULL
instead. That function is actually called indirectly through theentity_access()
function (it's the access callback registered on the node entity), which is in turn being called byRestWSEntityResourceController::access()
, which is providingNULL
for the node parameter when the$id
arg isNULL
.So, the call chain looks like this:
restws_handle_request()
calls$resource->access()
with aNULL
for$id
.RestWSEntityResourceController::access()
callsentity_access()
with aNULL
for$entity
.entity_access()
callsrestws_entity_node_access()
with aNULL
for$node
.The
isset()
check inrestws_entity_node_access()
looks wrong...Comment #31
GuyPaddock CreditAttribution: GuyPaddock commentedHmm, nope, wasn't the
isset()
... It looks like it always needs a node to be passed in to know what type it should be. The question is, how do we get an empty node to pass in? I'm thinking the issue is inrestws_handle_request()
.Comment #32
GuyPaddock CreditAttribution: GuyPaddock commentedHmm, an even larger problem -- how does the
/node
endpoint know the content type of the node that is being created? I mean, it can be specified in the JSON, but... it seems like that's too late. All the security checking ofhandle_request()
happens by the time we're digging into the request content.Comment #33
GuyPaddock CreditAttribution: GuyPaddock commentedOops, didn't mean to set NR on the last comment; meant to set it on this one.
Attached is a patch that address this issue. It's a bit of a larger change than I was hoping for -- I had to change how the security check is being done so that we can detect the bundle type from the incoming request.
With this patch applied, Rest WS seems to now work as expected for the "create" case.
Comment #35
GuyPaddock CreditAttribution: GuyPaddock commentedUmmm... pretty sure, my patch didn't break those tests... were they passing previously?
Comment #36
GuyPaddock CreditAttribution: GuyPaddock commentedNope... looks like I *did* break them. It was subtle, but lethal.
Attached is a re-roll with additional concerns addressed. :: fingers crossed ::
Comment #38
GuyPaddock CreditAttribution: GuyPaddock commentedHow about.... this one?
Comment #40
klausiFirst we need to know the actual problem. As you can see in the test cases creating nodes with POST works fine, so we need to know what goes wrong with your request.
Comment #41
GuyPaddock CreditAttribution: GuyPaddock commentedActually, the tests *don't* show that. They pass because the logged-in user has permission to bypass the access checks...
I explained the actual problem in #30. The request is not at fault.
Comment #42
GuyPaddock CreditAttribution: GuyPaddock commentedComment #43
GuyPaddock CreditAttribution: GuyPaddock commentedPS Here's a sample request to /node that fails unless the user has a role with the "bypass content permissions" permission:
{"type": "article", "title": "This will fail"}
The CSRF header is being passed in, along with the session cookie. Saving works normally with my patch applied.
So... yeah, it's NOT the request.
As was noted earlier in the thread, though, if I create a dummy node (say, nid "2"), and then use the endpoint "/node/2" instead of "node", it works -- for the reasons I explained previously. The code is flawed.
Comment #44
GuyPaddock CreditAttribution: GuyPaddock commentedLet's see if this works...
Comment #46
klausiAha, so this is a feature request that nodes should be working not only with the "bypass node access" permission.
So we already have restws_entity_node_access() as custom access callback for nodes. Now the question is if it gets called correctly from entity_access() and what happens on create.
I don't think we have to change that much code, it is just a matter of correctly invoking restws_entity_node_access().
Also the issue summary is now completely wrong, could you fix that as well?
Comment #47
GuyPaddock CreditAttribution: GuyPaddock commentedOkay, several issues:
1. This isn't a feature request. It *is* a bug. The docs indicate that if the user has the appropriate permissions to create the type of content that they're trying to create, they should be able to do so by posting to "/node" with appropriate headers set.
2. The issue summary is *not* completely wrong. It is accurate -- the OP was a symptom of the same problem.
3. As far as I know, the Drupal community takes security very seriously. If we have to give a system account permission to completely bypass all security on all content types just to be able to create one or two posts of a given type, this does not seem to be in line with community expectations.
Comment #48
bailey86 CreditAttribution: bailey86 commentedHave we not drifted off the point here?
Say I want to create a new 'Basic page' - I should be POSTing to /page - not to /node. That was the main point of this post.
What I found originally was that POSTing to /page would not work - but if I POSTED to /node/123 - or node/124 - or any existing node (of type page) then the new node of type page would be created.
(The XML posted contains a field type - i.e. page)
So why are we talking about POSTing to /node? The module is supposed to create a new node by POSTing to /[content type] i.g. /page.
For reference again - here is part of my original post with some samples etc:
The PUT line here is working:
curl -X PUT --user ws_user1:xxxxxx --header "Content-Type: application/xml" --data @test1.xml "http://www.example.com/node/65"
with the xml file containing:
However, to create a node I need to use
curl -X POST --user ws_user1:xxxxxx --header "Content-Type: application/xml" --data @test1.xml "http://www.example.com/node/1"
or that could be node/2, node/65 etc.
I'm trying to create a node of type 'page' - so according to the docs I should be POSTing to "http://www.example.com/page" but this returns a Drupal page containing
Comment #49
muschpusch CreditAttribution: muschpusch commentedOk the entity API issue from #25 got solved but this problem still persists. So #46 is pending or after having a quick look at code.: Can we just remove that access check below and entity API will be smart enough to manage the access control by itself? Of course we would need to set an entity API dependency to the latest version.
Comment #50
plachThe attached patch solves the issue here and might pass tests: it basically moves the access check for the create op after populating the entity object and before saving it.
Comment #51
plachComment #52
plachSorry, wrong format
Comment #54
klausiwe should not handle this in the global restws_handle_request() function but rather in the access() method of the RestWSEntityResourceController. We should also add a comment why we are making an exception for the create operation.
And we should update our node creation test case, it should work now without the bypass node access permission.
Comment #55
mariacha1 CreditAttribution: mariacha1 commentedIn this patch I've moved the check for access to the access() method with a note.
Because the patch at #52 passes an entity wrapper to the access() function instead of a string, I've also updated the text on the interface class.
I've also removed all reference to "bypass node access" permissions in the tests. This might be totally wrong, and probably should be done more discriminately. I'm interested to see if they pass! :)
Patch and interdiff between this and 50_0 attached.
Comment #57
mariacha1 CreditAttribution: mariacha1 commentedAhh, of course. Well, I'll keep looking at that later!
Comment #58
friedjoff CreditAttribution: friedjoff commentedThis patch is based on #55 and updates the permissions in the tests. A new test which creates a node with missing permission has been added. Also the access() method will only allow empty entity wrapper, otherwise the create X content permissions is not checked.
Comment #59
Media Crumb CreditAttribution: Media Crumb commentedWas this patch push live? It seem like a fairly large scale issue to just leave open. Giving a user full bypass access means they can have control to delete, edit, any other users content. I'm not sure why this is ok given the huge security issues it opens up. To @GuyPaddock point the docs state that the REST server will properly give access to roles that are granted, but this isn't the case. I spent the better half of 2 days trying to figure this out before coming to find this thread.
Comment #60
opdaviesThe patch in #58 works for me.
My API user has the "Access the resource node" permission from restws, and the "Create {node type} content" from node module, but not "bypass node access" and I'm able to successfully create a node via a POST request.
Comment #61
opdaviesI think that this should be higher.
Comment #62
Media Crumb CreditAttribution: Media Crumb commentedAgreed. this should be reviewed and rolled into dev
Comment #63
opdaviesAfter applying the patch in #58, I still got a 403 error on occasion with my API user. After querying the response from the API, I was getting a
message, and the same for the language property.
After I stopped trying to set these properties, the POST worked fine.
Comment #64
bailey86 CreditAttribution: bailey86 commentedSo - I need to create Drupal entities via REST.
Is this still an issue with restws? Maybe this module is best for reading data - and services would be best used for adding data. I wonder if they can be used at the same time.
Comment #65
opdaviesI'm successfully POSTing nodes into Drupal using the restws module and the patch in #58, as well as the configuration in #60 and #63.
Comment #66
Media Crumb CreditAttribution: Media Crumb commenteddid something change is 2.4 release? Just tried to apply patch but im getting errors
EDIT: it looks like its conflicting with https://www.drupal.org/node/2090177
Comment #67
opdaviesMedia Crumb, It applies cleanly for me. How are you applying the patch?
Comment #68
Media Crumb CreditAttribution: Media Crumb commentedYeah opdavies, the issue was having already patched for the other bug with taxonomy terms. Really with these fixes would get rolled into dev soon
Comment #69
opdaviesAh, OK. Yes, hopefully they will get merged in soon.
Comment #70
lokapujyashould this variable still be called $id if it's not always an id?
Comment #71
itamair CreditAttribution: itamair as a volunteer commentedthis patch didn't passed the test
Comment #72
itamair CreditAttribution: itamair as a volunteer commentedComment #74
itamair CreditAttribution: itamair as a volunteer commentedThis corrects the #71 patches ... (making it test passing)
Comment #75
itamair CreditAttribution: itamair as a volunteer commentedPatch in #58 allows the correct creation of the new node (without bypass node access permission), but still misses the properties settings task.
This new patch fixes that, allowing the settings of the "status" and "language" properties too.
Comment #76
itamair CreditAttribution: itamair as a volunteer commentedComment #77
lokapujyaComment #80
itamair CreditAttribution: itamair as a volunteer commentedThis new patch fixes that, allowing the settings of the "status" and "language" properties too.
I don't know why this fails testing. It apply correctly (to me) to the current 7.x-2.x-dev
Comment #81
itamair CreditAttribution: itamair as a volunteer commentedComment #83
lokapujya23:25:35 RESTWS Basic Auth 15 passes, 1 fail, and 0 exceptions
23:25:35
23:25:35 Fatal error: Call to a member function attributes() on a non-object in /var/www/html/sites/all/modules/restws/restws.test on line 280
Comment #84
itamair CreditAttribution: itamair as a volunteer commentedLast try. This new patch just amends two lines from the #58 one (fixing and allowing the settings of the "status" and "language" properties too)
In the /restws.entity.inc file:
- // Get the ID and bundle property names.
- $entity_keys = array_intersect_key($entity_info['entity keys'], array('id' => 1, 'bundle' => 1));
+ // Get the entity keys properties.
+ $entity_keys = array_merge($entity_info['entity keys'], ['status' => 'status']);
It passes all "RESTful web services tests" Simpletests in my local environment.
Comment #85
itamair CreditAttribution: itamair as a volunteer commentedComment #87
itamair CreditAttribution: itamair as a volunteer commentedThis new patch fixes the same problem both for creation and update operations, calibrating the entity properties update (language, status, etc.) on the user entity_access permissions ...
Comment #88
robertwb CreditAttribution: robertwb commentedConfirming that the patches in 84+ resolve issues with adding and updating entities via REST. My case was using 3 different types of custom entities, and provided that the permissions were implemented properly (I had to work through a veil of ignorance first!), this goes nicely. Not sure why the testbot keeps crapping out...
Anyhow - goods stuff @itamair !!
Comment #89
robertwb CreditAttribution: robertwb commentedComment #91
robertwb CreditAttribution: robertwb commentedThis patch fails testbot due to a problem with restws.test code in:
Fatal error: Call to a member function attributes() on a non-object in /var/www/html/sites/all/modules/restws/restws.test on line 280
Adding a modification to the user creation, and some additional test lines to attempt to diagnose.
Comment #92
robertwb CreditAttribution: robertwb commentedTriggering testbot
Comment #94
robertwb CreditAttribution: robertwb commentedFurther testbot testing.
Comment #96
robertwb CreditAttribution: robertwb commentedRe-enabling bypass to determine if it is indeed a permissions failure (the perms set here work on my own system).
Comment #98
robertwb CreditAttribution: robertwb commentedTesting is failing due to the following message "Fatal error: Call to a member function attributes() on a non-object " (line 280 in patch #87). The error tells me that the simplexml_load_string() call is failing to produce a result.
My first thought was that this was a permissions issue but I added "bypass node create" back into the permissions in Patch #95, but it failed testing with the same error. (also tried to get it to throw a proper testbot error with assertTrue but didn't make a diff).
This makes me conclude that perhaps it is the XML insert itself is malformed in some way rather than the permission. One last test of permissions here by re-adding "access content" and then will explore tweaking the XML for insert.
Comment #99
robertwb CreditAttribution: robertwb commentedChanging status to trigger test.
Comment #101
robertwb CreditAttribution: robertwb commentedPatch #98 also failed, so it seems to me that this is NOT an issue with perms, but something else that is preventing the completion of the XML insert. Trying a simpler xml here (in case it is a case of malformed taxonomy data). If this does not resolve it, I will file a bug report on the restws.test.
Comment #103
robertwb CreditAttribution: robertwb commentedTrying a modified test of smlx insert, asserting only that a 201 code is returned under the assumption that the problem is the result loading by simplexml_load_string().
Comment #105
robertwb CreditAttribution: robertwb commentedLast patch certainly managed to get some fails ... re-testing.
Comment #107
robertwb CreditAttribution: robertwb commentedAt the risk of being completely spurious, it seems that the testing for CRUD without bypass has many fails. The simplexml error in previous versions seemed to mask the other errors - now 12 errors are reported all but one having to do with permissions (cache poisoning in auth sub-module also fails). The attached patch tries to resolve a single issue in testCRUD().
Comment #108
robertwb CreditAttribution: robertwb commentedComment #110
robertwb CreditAttribution: robertwb commentedTesting CRUD part 2
Comment #112
robertwb CreditAttribution: robertwb commentedAttempting to fix errors in method testResourceArray() by checking only for code 200 and 201 - this may not be a robust fix, but it seems that the technique that was used in many of these MAY BE inserting/updating successfully, but failing on node retrieval.
Comment #114
robertwb CreditAttribution: robertwb commentedMore tests.
Comment #115
robertwb CreditAttribution: robertwb commentedComment #117
robertwb CreditAttribution: robertwb commentedLast test got close - xml update seemed to pass, but xml insert failed. REtesting with insert disabled.
Comment #118
robertwb CreditAttribution: robertwb commentedComment #120
robertwb CreditAttribution: robertwb commentedFinally some progress. #118 managed to pass testResourceArray() by avoiding the XML update. I also suspect that the json insert was faulty,but that was not directly screened. XML update seemed to pass, but more rigorous testing (assertequal on something like a field or property) is needed.
This patch to the module works in practice (at least on one install for me) -- seems like the testing is in need of work.
Comment #121
itamair CreditAttribution: itamair as a volunteer commentedThank you #robertwb for this in deep review ;-)
Comment #122
robertwb CreditAttribution: robertwb commentedYeah @itaimar - sorry to trigger so many tests -- I am fairly ignorant of the testbot workings so it took a while. Your enhancements really make secure REST in D7 a reality - I can now verify proper function on 2 systems with fine grained control of access to content/entity types and controlled access to functions.
I will keep at it but try to be a bit more efficient now that I get the gist.
Comment #123
lokapujyaAt some point, it might be help reviewers if someone can post a diff from #107 (where we had the CI error) to where we are now.
Comment #124
robertwb CreditAttribution: robertwb commentedAgreed @lokapujya, but I would point out that the last patch to pass all tests was #58, and we have had CI errors since #75. Note also that I believe that the testbot changed between those two patches, so not sure if that impacts the test failures or not.
So, in short, I would resubmit #58 to see if it passes, then figure out what's up with the testing from there.
Comment #125
btopro CreditAttribution: btopro commentedThis needs tweaked I think. In our testing, $id wasn't empty, it was an empty value object. The following helped account for this use-case
Comment #126
btopro CreditAttribution: btopro commentedpatch from what was mentioned in 125
Comment #127
lokapujyaComment #129
bramface CreditAttribution: bramface commentedAlso eager for resolution ... second pilot project begins in two weeks, depends on this fix as far as we can tell.
Comment #130
fweiss6 CreditAttribution: fweiss6 commentedI'm trying to use this great module to automate content creation via my organization's delivery pipeline. I get 403 when POST /node unless the user's role has "bypass node access" permission. I'm trying to create a node of type swaggerdoc (custom type), so should only need the "create swaggerdoc content" permission.
Looking into the entity_access bug linked by klausi at #25, I tried a little patch which gave me some joy, the following change in restws.entity.inc:
It's not perfect, but solved my immediate problem. Perhaps this will inspire the maintainers and contributors to fix this bug.
Comment #131
misjao CreditAttribution: misjao commentedThe patch above in #130 is not safe.
With this patch users with access to 'swaggerdoc' can create any type of node.
The patch only checks if the user has access to swaggerdoc, not if the node the user is trying to create is also of the type 'swaggerdoc'.
Comment #132
robertwb CreditAttribution: robertwb commentedIs this issue still valid? Is it related to the recent security patches? I mean, it seems like a security bug to have "bypass permissions" anytime... https://www.drupal.org/sa-core-2019-003
Comment #133
btopro CreditAttribution: btopro commentedit is not related. The recent core / contrib fix is related to sanitization of fields. This is a logic centric issue. If you have no problem giving bypass (say to a super admin / non-user web service account) then sure. If you need to bypass for normal users (and that causes problems given that normal users are not super users in your setup) then you shouldn't use this.
Comment #134
robertwb CreditAttribution: robertwb commentedThanks @btopro