Problem/Motivation
Unauthenticated users send a POST request on http://mysite.com/entity/user get a 403, and rightfully so because creating users in an administrative task.
That being said registering a user should be allowed if the site permits.
Proposed resolution
Create a user registration resource that allows users to be registered into the system following the settings on admin/config/people/accounts.
This means anonymous users can register an account just as if they could on a regular drupal form.
A workaround would be to login as an admin and create a user the regular way.
Remaining tasks
- Land blockers:
Get patch to RTBC- Security Review
User interface changes
None
API changes
None
Data model changes
None
Original report by [username]
I have enabled /entity/user REST end point for POST request.
I have give anonymous user permission "Access to POST on user entity"
I have also enable "visitor" to create an account on my Drupal site.
My rest.setting has an entry as shown below
'entity:user':
GET:
supported_formats:
- hal_json
- json
supported_auth:
- basic_auth
POST:
supported_formats:
- hal_json
- json
supported_auth:
- basic_auth
I tried a POST request on http://mysite.com/entity/user
with headers
Content-Type : application/hal+json
and with body
{
"_links":{"type":{"href":"http://tntfoss-vivekvpandya.rhcloud.com/rest/type/user/user"}},
"name":{
"value":"ronak1"
},
"mail":{
"value":"ronak1.patel@gmail.com"
},
"pass":{
"value":"ronaK123"
}
}
It give me 403 forbidden.
If I pass credential in Authorization header it works for me.
It should also work for anonymous user because always visitor(anonymous) user will try to create account on the site.
I need review from community is it a bug ?
Comment | File | Size | Author |
---|---|---|---|
#242 | rest_resources_for-2291055-240.patch | 3.09 KB | lslinnet |
Capture.PNG | 41.19 KB | vivekvpandya | |
#2 | AdditionalInfo.png | 90.68 KB | vivekvpandya |
#10 | Screen Shot 2014-12-24 at 10.40.08.png | 182.16 KB | marthinal |
#10 | 2291055-10.patch | 760 bytes | marthinal |
Comments
Comment #1
klausiI think that giving the permission to create user accounts to the anonymous user could be dangerous. Did you debug the access check? I could imagine that it requires "administer users" or similar to create an account. UserAccessController does not implement checkCreateAccess(), so the implementation from EntityAccessController is used. And that facilitates the admin permission as far as I can see, which is "administer users".
So the question is if we should change the permission required to create user accounts. We would need proper field access implemented in #2029855: Missing access control for user base fields, so that people cannot give themselves admin user roles for example.
The second approach would be to create a separate user registration resource, which is only responsible for registering new users as anonymous. So instead of POSTing to /entity/user you would post to something like /user/register. There are a couple things involved here, for example many sites require email verification before user can log in. Having an API that allows you to create accounts without verification is a paradise for spambots that want to create accounts on your site.
Comment #2
vivekvpandya CreditAttribution: vivekvpandya commentedA credential set for a authenticated user other than "administrator" is not working. I have checked it.
I suggest to stick with /entity/user POST method.
And for other concerns like email verification before login , it will be good if we can include all settings related to user creation from admin/config/people/accounts
I have attached a sample settings snapshot.
Comment #3
clemens.tolboom@klausi why should there be a different endpoint for creating a user?
I'm in favor of keeping in sync with other REST endpoint so using /entity/user or according to Change Record https://www.drupal.org/node/2199185 /user #2293697: EntityResource POST routes all use the confusing default: use entity types' https://www.drupal.org/link-relations/create link template if available
Changing the list of entities in \Drupal\rest\test\CreateTest to use user gives a 500 error. (No entity aka user created).
@vivekvpandya maybe you can work from that test towards a patch?
Comment #4
klausiPerforming write operations on the user entity resource is usually an administrative task. Only administrators are allowed to create/update/delete arbitrary user accounts.
User registration is a special case where an unprivileged consumer can create their own account (and no other write operation!). To me that sounds like a different use case than user entity manipulation, therefore the idea to make it separate.
Comment #5
clemens.tolboom@klausi thanks for the elaboration.
I had two use cases in mind: an App and a LDAP Rest client.
- The web app can easily use user/register as it's endpoint. (role: anonymous)
- The LDAP Rest client needs to set roles and other stuff for it's users too. (role: administer users)
Both do the same thing (creating a user) but have access to different fields.
Can't we solve this on field permission level?
Comment #6
klausiWe might, although a couple of settings come into play with anonymous user registration (blocking user until enabled by an admin, email confirmation etc.).
Comment #7
vivekvpandya CreditAttribution: vivekvpandya commentedklausi is right as we have to include all those settings while creating a user.
Comment #8
vivekvpandya CreditAttribution: vivekvpandya commentedbut one thing I would like to add here it while creating a user with /entity/user end point if we pass "status":{ "value":"0" } explicitly then created user would be in blocked state . So I am thinking that we can impose certain setting while creating a user by supplying information with in JSON body for request.
Comment #9
clemens.tolboom@vivekvpandya please your use case to the issue. It seems you are in need for an App with approval. But how about an Android App without approval? My LDAP sync will never work :-(
Maybe @klausi is right to have registration done by /entity/user/register and my LDAP sync by /entity/user
[Stock response from Dreditor templates and macros.]
Please update the issue summary by applying the template from http://drupal.org/node/1155816.
Comment #10
marthinal CreditAttribution: marthinal commentedI'm working to port DrupalGap module. Using the RestClient I have a 403 when I try to create a new user using Basic Auth as admin. I found that the field name is missing. Patch attached.
1) I'm not sure why I can create an entity user from php code but using the same admin user I cannot create a new user from rest. From php code the field name is enough.
2) So, we need to create a new endpoint (entity/user/register) and should be added to Rest module, right?
Thanks!
Comment #11
marthinal CreditAttribution: marthinal commentedThis is a first attempt. I'm using the patch from #1964034: Pass entity_type into Serializer via context because it was not possible to denormalize without entity_type into the context.
At this point I can register new users as anonymous.
I'm using this hal+json from FOO/entity/user/register
I have no errors on my logs but I'm not sure why the rest client never finish the operation but I can verify that the user is created and 201 seems to be received as expected.
Image attached about that.
Missing filter that only mail, name and pass should be saved for this entity.
I hope that this is the good direction. :)
Comment #12
klausiSo this looks dangerous. Where do you check field access so that unpriviledged users such as anonymous users cannot assign them arbitrary user roles?
Same for the status field on the user object, shouldn't they be blocked by default?
Please study the usual Drupal core user registration flow with forms and which settings are applied there, we basically need to do the same here.
Comment #13
marthinal CreditAttribution: marthinal commented@klausi thanks for reviewing.
I continue working on it.
Comment #14
marthinal CreditAttribution: marthinal commentedIt is now more integrated with the user settings form.
IMO the same validation should be added to the entity creation because for the moment if a username exists we receive a 500.
Comment #15
BerdirWe should rely on $user->validate() instead. If this does not cover this at the moment, then that is simply a bug there.
I just checked and we have UserNameUnique and UserMailUnique validation plugins registered on the respective field definitions, so that is supposed to work...
Comment #16
marthinal CreditAttribution: marthinal commented@Berdir now it works. The problem is when I try to create a new user entity from /entity/user using basic auth (as admin user) because I cannot create "pass" field.
here is the exception:
But this is a problem with the entity creation and not for registering new users. Maybe another issue?
Comment #17
BerdirAs discussed in IRC, the usage of 'create' here is IMHO wrong. fields don't use create/update, they only use edit.
Comment #18
marthinal CreditAttribution: marthinal commentedCreated new issue about user entities creation(#2405091: Cannot create user entities - {"error":"Access denied on creating field pass"} ). The current issue is about user registration.
For restui module we need a path too when no canonical path exists. (https://www.drupal.org/node/2359245#comment-9490089)
Comment #19
marthinal CreditAttribution: marthinal commentedI think that the current resource should extends ResourceBase but we are using exactly the same validate method for EntityResource. Is it correct to duplicate this method here?
Comment #20
marthinal CreditAttribution: marthinal commentedComment #21
clemens.tolboomPatch needed reroll on #19 failed "core/modules/serialization/src/Normalizer/EntityNormalizer.php"
Comment #22
clemens.tolboomNo newline at end of file
This is taken from #1964034: Pass entity_type into Serializer via context? That patch has
Not sure that's not already done somewhere already.
Is print_r common practice?
Does $context contain insecure data?
Comment #23
marthinal CreditAttribution: marthinal commented1) Done
2) Well, this value is necessary. Otherwise we have this problem :
EntityNormalizer::denormalize()
3) Debugging purposes :)
Thanks!
Comment #24
marthinal CreditAttribution: marthinal commentedFor the moment we can add users without control using this resource. I've added the flood control for the Login Cookie resource here #2403307: RPC endpoints for user authentication: log in, check login status, log out.
I think we need to try the same here. More info https://www.drupal.org/node/2403307#comment-9624037
Comment #25
BerdirI assume we're good, but I wanted to explicitly mention https://www.drupal.org/node/2344389 again, which was a services SA related to creating users, which generated weak passwords. I checked it off in #2419941: Check every Drupal 7 contrib SA that may affect Drupal 8 core modules as not relevant yet, but this issue will add it, so we need to make sure to not have the same problem. Which I assume we don't.
Comment #26
klausiOptions available? What options? Did you mean "Context settings that will be passed to the serializer"?
Should be "Contains ...", see https://www.drupal.org/coding-standards/docs#file
Can we be a little less generic like "Register a new user account on POST requests."?
why $entity? Shouldn't this always be a user entity, thus $user or $account?
Should be less generic like "No user account data for registration received."
why do we need to check the entity type? I thought this can only be user entities? I think we can just hard-code "entity:user" here and don't need to look at serialization_context?
too generic, exception should be "Only new user accounts can be registered." Comment should also be adapted.
don't use \Drupal in classes where possible, the setting should be injected in the constructor. See RestPermissions.php with the create() method for an example.
what do you mean by cannot exist? Should the comment be "Make sure that user name and email are valid and allowed."?
The String class is gone, you need to use SafeMarkup instead.
Comment #27
m1r1k CreditAttribution: m1r1k at Propeople (now part of FFW) for Propeople (now part of FFW) commentedI will jump on it (need it for the project): reroll, phpunit and web test.
Comment #28
m1r1k CreditAttribution: m1r1k at Propeople (now part of FFW) for Propeople (now part of FFW) commentedComment #29
vivekvpandya CreditAttribution: vivekvpandya as a volunteer commentedI applied the latest patch by @m1r1k and then tried to create user as show in comment #11
But I am getting 406 .
Please some one suggest how to test this.
Comment #30
klausiWhat options are available? Please be more specific.
This should be the User entity class. And is the serialization context necessary? It will always be the user entity type.
Why is this @see reference here, there seems to be no relation to that derivative?
That comment is too generic, should be something like "Responds to user registration POST request and saves new user account entities."
That can be removed, once we only deserialize to the User entity.
Should be "... can be registered."
What does that comment mean? We cannot add extra user roles here or the client cannot submit additional user roles?
Why do you check for the anonymous role here, that role should never be added?
Comments should wrap at 80 characters.
Why do we login the user here? I thought this resource would only register accounts? And this will only work for session cookie authentication, right?
Comment doc block should be {@inheritdoc}.
We only have one route, so we don't need the foreach loop and the switch statement in there.
This is missing the $violations->filterByFieldAccess(); same as in EntityResource.
I think we should also have an integration test for this, so that we make sure this works with real HTTP requests.
@vivekvpandya: you can test this with a POST request similar to https://www.drupal.org/node/2098511
Comment #31
droti CreditAttribution: droti commentedIs this currently working for you guys? I have applied the patch and I have enabled "User Registration" in the REST UI, then checked the permissions for "access POST on User resource" and I still keep getting a 403. I can create a user just fine if I'm actually logged in but I can't do it from an Anonymous user. Am I missing a step here?
Comment #32
vivekvpandya CreditAttribution: vivekvpandya as a volunteer commented@droti Are you making a POST request on /entity/user ? If yes then the behavior you mentioned is the same for me . But I think after applying this patch there should be a separate path for RESTful user registration.
Comment #33
droti CreditAttribution: droti commentedI am making a POST on /entity/user, I'll have to fish around me and see if I'm missing something and try and figure out if what the other path should be. Thanks.
Comment #34
droti CreditAttribution: droti commentedActually I am able to make a post to /entity/user/register and it create a user successfully, but it returns a 500 Internal Server Error
Uncaught PHP Exception LogicException: "The controller result claims to be providing relevant cache metadata, but leaked metadata was detected. Please ensure you are not rendering content too early. Returned object class: Drupal\rest\ResourceResponse." at drupal/core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php line 160
It appears like it is being caused by this line: _
user_mail_notify('register_no_approval_required', $entity);
In UserRegistrationResource.phpComment #35
vivekvpandya CreditAttribution: vivekvpandya as a volunteer commented@droti Is 'post to /entity/user/register' working with anonymous user ?
Comment #36
droti CreditAttribution: droti commentedYes, I am now able to to post to '/entity/user/register' and create a user. However I had to comment out that line
_user_mail_notify('register_no_approval_required', $entity);
in UserRegistrationResource.php to stop it from returning a 500 error.Comment #37
marthinal CreditAttribution: marthinal commentedI've created a new issue about this error.
Comment #38
klausiThat response is missing chachability metadata, same as done in EntityResource post() for example.
Comment #39
marthinal CreditAttribution: marthinal commented@klausi many thanks for your help. :)
Adding cacheability metadata.
Missing review #30
Comment #40
marthinal CreditAttribution: marthinal commentedComment #41
marthinal CreditAttribution: marthinal commentedEmails are not working as expected. Working on it.
Comment #42
marthinal CreditAttribution: marthinal commentedWorking on #30
1. Removed.
2. Using User entity class.
3. Done.
4. Done.
5. Done.
6. Done.
7. Done.
8. Avoid to add roles other than anonymous or authenticated. IMHO this is correct. Anyways anonymous is added by default.
9. This comment was removed when refactoring this part.
10. I agree! Done
11. Done.
12. Done.
13. Missing integration tests.
I've rewritten the part where we send emails to the user and now:
1. If Visitors(no approval required) register a user and email verification is not required then we create the account but the user needs to log in or use basic_auth for example... Also if notifications when activating an account is enabled then the user receives an email predefined by default.
2. If Visitors(no approval required) register a user and email verification is required an email will be sent to the user with the link to activate the account.
3. If Visitors register a user and administrator approval is required then Welcome (awaiting approval) email will be sent to the user.
I've created a module where we send a code to the user email and this code is required when registering the account.
https://github.com/marthinal/registration_code
https://www.drupal.org/sandbox/marthinal/2559393
Comment #45
marthinal CreditAttribution: marthinal commentedOk let's try again.
Comment #46
klausiHm, copy and paste error?
And can we have an integration test, meaning something extending WebTestBase like the other tests in REST module?
Comment #47
marthinal CreditAttribution: marthinal commented@klausi Yes, sure. I can continue working on it this weekend during the sprints.
Comment #48
andypostComment #49
marthinal CreditAttribution: marthinal commentedAdding integration test.
Comment #51
marthinal CreditAttribution: marthinal commentedComment #52
klausi"loggery"? Shouldn't this be called $logger as in the parent class?
I don't think we need the whole config factory here. We only need user.settings, right? So you should get that in create() and set that as instance variable on the class.
The method summary should only be one line (shorter than 80 characters).
I think we are missing a check here that the current user is anonymous. Only anonymous users are allowed to register accounts, so we should inject the current user and check that.
Comments should be shorter than 80 characters, see https://www.drupal.org/coding-standards/docs#drupal
Before validation we need to make sure that the user is allowed to submit all the fields that have been submitted. See the field access checks in EntityResource::post(). This is currently a security issue in the patch. When we do the field access checking we also don't need the role checks you are doing, since that is also covered by field access.
Do not call out to the global \Drupal, inject the renderer service instead.
Do not set the status field manuall, call ->activate() instead.
I think this response it not cachable at all, so we should not have to call the addCacheableDependency() method. If we get an exception then we should file a separate issue that fixes responses which didn't specify cachability.
And the Location should be an absolute URL, see EntityResource.
There is no colon in the plugin ID, so this is not necessary.
The POST suffix is not necessary here since we only have one route here.
In this case we have a User entity, so we should use that for type hinting.
That should not be necessary for this patch, we are not using the resource_id anywhere?
Let's use the short array syntax in new tests.
Can we make this fit on one line?
short array syntax
I think that is not necessary. We can make a DB query to ensure that the user was created and is there.
This should only be defined if the constant is not already defined. Can happen if you run the phpunit tests from the UI.
Comment #53
marthinal CreditAttribution: marthinal commented1. Done
2. Done
3. Done
4. Done
5. Done
6. Done. Trying to unit test the field access I found #2456257: [PP-1] Normalizers must set $entity->_restSubmittedFields for entity POSTing/PATCHing to work.
7. Done.
8. Done
9. @TODO open new issue.
10. Done.
11. Done.
12. Done.
13. Removed. Done!
14. Done.
15. Done.
16. Done
17. Done.
18. So should be added? Otherwise the unit test will fail.
Comment #54
marthinal CreditAttribution: marthinal commentedComment #55
marthinal CreditAttribution: marthinal commentedAs discussed with @WimLeers and @klausi, we need to cache only GET requests. When sending the email and replacing tokens we get an exception (rendering content too early).
Let's try this patch.
Comment #58
marthinal CreditAttribution: marthinal commentedNow should work. I'm using the ResourceResponseTrait but maybe we could avoid the trait like this:
This is not the current structure used for the patch but not sure if the trait is the best option here.
Comment #60
marthinal CreditAttribution: marthinal commentedRerolled
Comment #61
kylebrowning CreditAttribution: kylebrowning commentedIve tested this, I don't think there isn't a reason to call this RTBC.
Comment #62
kylebrowning CreditAttribution: kylebrowning commentedComment #63
klausithis line be removed?
should be ImmutableConfig, that is what the config factoy returns.
so there renderer service is unused and should be removed?
but it returns a UncachanleResourceResponse, right?
indentation errors.
why do we save the account twice? can't we activate the user before the first save with the if() statement?
the location should use a generated URL, see EntityResource::post() for an example.
why do we have to set the path again? shouldn't the getBaseRoute() call do it already?
looks like this change is not needed?
but we should serialize CachableResourceResponses as well as UncachableResourceRespones. Those two should have a common interface that we should check here, something like "ResourceResponseInterface".
missing newline after the last method closer.
missing newline at the end of file.
Comment #64
kylebrowning CreditAttribution: kylebrowning commented#1. Fixed
#2. Fixed
#3. the rendered is used, did I miss something?
#4. Fixed.
#5. Fixed.
#6. Looks like the `$account->save` is needed to because of the $account->block() up above.
#7. Fixed.
#8. Not Sure, I left this alone.
#9. It looks like it isn't, removed.
#10. Uhh. Left this alone.
#11. Fixed.
#12. Fixed.
So to recap, #3, #6, #8, and #10 need review.
Comment #66
marthinal CreditAttribution: marthinal commentedAs commented on #55
I think at least this is a Major. I know we have to different issues here but we are fixing the problem here...
#3 Done (Removed).
#6 Yes. Added comment. We need to save the changes when the account is active.
#8 Yes, we don't need to setPath() again. The constructor of Route class does the same.
#10 Done
Let's take a look at test results! :-)
Comment #68
marthinal CreditAttribution: marthinal commentedHardcoded Base url . Fixed.
Comment #69
klausiwrong class name.
I think this can be done in the usual test setUp() method?
why do we need the entity:user resource here? I think it is not needed, we are only testing user registration?
let's use example.com as test domain.
don't use \Drupal here, use $this->container->get('serializer'); instead.
same here, don't use \Drupal in classes where possible.
newline at the end of file missing.
this constants should be defined conditionally, since it might already be defined by user.module.
should use @coversDefaultClass
docs missing for those variables.
use LoggerInterface::class instead of the class string. Also elsewhere.
docs missing.
docs missing.
Comment #70
marthinal CreditAttribution: marthinal commented1. Done
2. Done.
3. Yep. I think we wanted to request for the user from REST but we're using the API.
4. Done.
5. Done.
6. Done.
7. Done.
8. Done.
9. Done.
10. Done.
I cannot continue today...
Comment #71
marthinal CreditAttribution: marthinal commentedAnd the last three
11. Done
12. Done
13. Done
Comment #72
kylebrowning CreditAttribution: kylebrowning commentedTested again, still working.
Comment #75
kylebrowning CreditAttribution: kylebrowning commentedComment #76
claudiu.cristeaOnly code standards and nits.
Remove extra line.
Maybe this exception message needs to be more clear, explaining that an ID has been passed?
Wrapping inconsistency: "submitted by" can go on the first line. Rearrange next lines.
We are using "E-mail", not "email".
Seems that the 1st line can hold one more word?
Let's use square brackets for array represenatation.
Let's use
[]
format for array.Add en empty line at the end of the file.
[] instead of array()
[$entity] instead of array($entity)
It would be nice to add a description to this docblock.
Same, needs few words as description.
Comment #77
kylebrowning CreditAttribution: kylebrowning commented1. Done.
2. Done
3. This is actually taken from Entity resource, line 96, but Ive fixed it.
4. Done.
5. This is from line 114 and 121 from ResourceBase.php, but Ive fixed it.
6. This is actually taken from ResourceBase.php as well, lines 116 and 123. But Ive Fixed it.
7. Fixed. Again, taken from other places.
8. Fixed.
9. All over Drupal 8 this line exists, It doesn't look like we've set a standard on array() versus []. I left this one alone unfortunately because of that.
10. Fixed.
I left 11 and 12 alone as I dont have the knowledge on what some of those are doing.
Comment #78
kylebrowning CreditAttribution: kylebrowning commentedComment #82
marthinal CreditAttribution: marthinal commentedFixed problems with test + #76.11 and #76.12
Comment #83
heykarthikwithuShould have "
@param \Psr\Log\LoggerInterface $logger
" as parameter type.Comment #84
marthinal CreditAttribution: marthinal commented@heykarthikwithu thanks :)
Comment #85
kylebrowning CreditAttribution: kylebrowning commentedI think all the nits are covered. Marking as RTBC.
Comment #86
kylebrowning CreditAttribution: kylebrowning commentedComment #87
dawehnerCan someone update the issue summary for example with the implemented solution?
Comment #88
dawehnerIMHO its pretty confusing that POST on /entity/user could not be extended to provide the same kind of functionality as our new endpoint does.
Comment #89
kylebrowning CreditAttribution: kylebrowning commentedCreating a user is different than registering one.
Comment #90
dawehnerWell yeah this is why I'm asking for an issue summary :)
Comment #94
kylebrowning CreditAttribution: kylebrowning commentedOkay updated.
Comment #95
kylebrowning CreditAttribution: kylebrowning commentedRemoving leftover example text.
Comment #96
clemens.tolboomIn #3 I asked the same about /user.
Now the summary says
I still don't get that but OK do we have /user/register but this patch uses /entity/user/register. Why?
The summary could definitely need some steps to test.
Comment #97
kylebrowning CreditAttribution: kylebrowning commented@clemens.tolboom I believe they were separated because they are two different things.
Admins can create users whether site registration is turned on or off.
Users can register users if site reg is turned on.
How would you propose we incorp that into `/user`
Comment #98
marthinal CreditAttribution: marthinal commentedComment #99
marthinal CreditAttribution: marthinal commented@kylebrowning thanks for updating the summary
Comment #100
alexpottI can't see how this is a bug - but I can see how this will be useful. It is a new bc compatible feature, for me, and so can only go in 8.1.x. I have not reviewed the patch yet.
Comment #101
kylebrowning CreditAttribution: kylebrowning commentedUpdating title based on new category.
Comment #102
marthinal CreditAttribution: marthinal commented@alexpott Yes, we have the feature + the bug described in #55
Comment #103
alexpott@marthinal I'm asking this question without fully understanding the issue - but is there anyway that the bug fix and the feature can be separated? Looking at #55 and the issue summary it is not particular clear what bug is being fixed.
Comment #104
marthinal CreditAttribution: marthinal commented@alexpott I agree that probably we should separate in 2 different issues. At at DCon we decided to fix the bug here...
Basically when creating the user we send an email. Building this email we replace the placeholders and don't remember 100% the place but we are rendering, and then we always receive this error:
I was searching for a solution with @Wim Leers and @klausi and the conclusion was that we don't need to cache POST, DELETE and PATCH requests.
So, if you agree I can create a new issue with a new integration test where for example I render an array from a new REST Resource to reproduce the problem.
Using something like "\Drupal::service('renderer')->render($render_array);". And then remove ResourceResponse and add the new responses(Uncacheable...). Well... remove this part from the current patch :)
Comment #105
alexpott@marthinal I think we should fix the caching of POST, DELETE and PATCH requests before adding this feature. That way other features or bugs that need the same fix can get it earlier.
Setting to "needs work" to get a new issue created for the bug fix. ONce that is done, this issue should be postponed on the new issue.
Comment #106
marthinal CreditAttribution: marthinal commentedI've created the new issue #2626298: REST module must cache only responses to GET requests
Comment #107
marthinal CreditAttribution: marthinal commentedWe need to fix #2626298: REST module must cache only responses to GET requests before run the testbot here. Removing UncacheableResource response, etc...
Comment #108
droti CreditAttribution: droti commented302 Redirect
Guys I have a wierd problem, I have this workign on my local machine but on my staging server I run into a wierd problem. When I do the post to /entity/user/register I get a 302 redirect and it changes my POST to a GET. You can see the error below:
MLHttpRequest cannot load http://staging.server/entity/user/register. The request was redirected to 'http://staging.server/entity/user/register', which is disallowed for cross-origin requests that require preflight.
Has anyone seen anything like this before? I can't seem to figure out how to get this to stop.
I should note my webapp is on the same domain as the Drupal site, but they are on separate ports (I don't know if that matters).
Comment #109
droti CreditAttribution: droti commentedActually I found the problem, I had a double // and it was redirecting to remove it.
Comment #110
droti CreditAttribution: droti commentedHas anyone tried this with the latest drupal update 8.04? After updating I can no longer register users, I get a 415 error returned to me. "Response for preflight has invalid HTTP status code 415"
Comment #112
cloudbull CreditAttribution: cloudbull commentedNot working here too.
Tried
POST /user (Access denied)
POST /user/register (Access denied)
POST /entity/user (Access denied)
POST /entity/user/register (Access denied)
While in log message, it shows the user is admin for those access denied report.
In RESTUI, cannot found user registration resource, only USER GET/POST/Delete
this screenshot's user register path not found. https://www.drupal.org/files/issues/Screen%20Shot%202015-01-07%20at%2015...
Using 8.0.5
thanks
Keith
Comment #113
vivekvpandya CreditAttribution: vivekvpandya as a volunteer commented@cloudbull If you are using any REST client I think you should use http basic_auth instead of cookie method for authentication. Also you need to give enough permission to POST on user registration resource, which will be available if patch for this issue is applied correctly.
Comment #114
cloudbull CreditAttribution: cloudbull commented@vivekvpandya the log show current user is admin, so i think the basic auth is applied. Im using postman and applied basic auth.
the admin user is uid1, so i think no other permission need to set ?
Update: I can enable REST user register resource, but that is access denied.
the message is
You are not authorized to access this page. while the return is html instead of json.
Comment #115
cloudbull CreditAttribution: cloudbull commentedSorry, one more question.
I checked the patch, it will say
// The current resource only allows anonymous users to register users.
if (!$this->currentUser->isAnonymous()) {
throw new AccessDeniedHttpException('Only anonymous users can register users.');
}
But REST need basic auth to access anyway.
How can i get passed this line of code?
If comment
// The current resource only allows anonymous users to register users.
// if (!$this->currentUser->isAnonymous()) {
// throw new AccessDeniedHttpException('Only anonymous users can register users.');
// }
user can create but 500 error responded. Debug line by line and found the 500 from this
$response = new UncacheableResourceResponse(NULL, 201, ['Location' => $url->getGeneratedUrl()]);
Comment #116
vivekvpandya CreditAttribution: vivekvpandya as a volunteer commented@cloudbull Actually purpose for this REST endpoint is to provide a way for Anonymous user to create their account that is why I suggest you to grant permission to anonymous user and then try with out any credentials.
If you want to create user with admin credentials then you have use POST on user resource. That is the same thing as an admin creates an account for user with the Drupal's Admin panel. if you want error in JSON format you may try Accept: application/json.
Comment #117
cloudbull CreditAttribution: cloudbull commentedif changing to ResourceResponse, the error is changed. Is that not possible to use ResourceResponse in user register ?
The website encountered an unexpected error. Please try again later.LogicException: The controller result claims to be providing relevant cache metadata, but leaked metadata was detected. Please ensure you are not rendering content too early. Returned object class: Drupal\rest\ResourceResponse. in Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext() (line 159 of core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php).
Comment #118
vivekvpandya CreditAttribution: vivekvpandya as a volunteer commentedsorry @cloudbull I can't help you further. You need help from some one who is actually working/ has worked on this issue.
Comment #119
marthinal CreditAttribution: marthinal commented@cloudbull This is a reroll using NonCacheableResourceResponse. So you should apply #2626298: REST module must cache only responses to GET requests and then I can confirm that you can register users.
Comment #120
droti CreditAttribution: droti commented@Marthinal, I just updated drupal and applied your latest patch but I get "Type /drupal/rest/type/user/user does not correspond to an entity on this site." in response. Now I wasn't able to apply the latest patch from NonCacheableReoursce because I get this error:Edit: Ignore all of that - It looks like the issue was related to be changing the domain (form an ip address), I'm still having problems, but I'm working them out.
Comment #121
Wim LeersThis is blocked on both
Updating issue title & summary.
Comment #122
Wim LeersTurns out #2403307: RPC endpoints for user authentication: log in, check login status, log out is blocked on #2419825: Make serialization_class optional.
Comment #123
Wim LeersThis will also need a change record.
Comment #124
Wim LeersBetter title, that also is in line with #2403307: RPC endpoints for user authentication: log in, check login status, log out's title, so that it's clearer why this one should land after that one: because without the other one: A) being able to register is pointless, B) this has fewer related resources to be in line with.
Comment #125
Wim LeersHere's the actual better title.
Comment #126
clemens.tolboomWhat does PP mean and the numbers PP-1 PP-2 etc?
Comment #127
Wim Leers"PP" = PostPoned
"PP-1" = PostPoned on 1 issue.
"PP-2" = PostPoned on 2 issues.
…
"PP-N" = PostPoned on N issues.
In other words, this allows us to see at a glance when browsing the REST module issue queue (https://www.drupal.org/project/issues/drupal?component=rest.module) which issues are blocked and how many issues must be resolved before we can fix these. This helps us to determine what to work on next, and to hopefully guide multiple people towards the same issues, so those issues actually get fixed, rather than many issues getting worked on small ways that are insufficient to resolve them.
Comment #128
clemens.tolboomThanks for the explanation. Good to know.
Comment #129
dawehnerWell, there is already a workaround for logging in and logging out. Its just really unpleasant to encode the login form data. Given that its conceptually something one could work on already
Comment #130
Wim Leers#129: but the approach for this patch was in line with the previous approach for #2403307: RPC endpoints for user authentication: log in, check login status, log out. Now that that approach has changed, this one should too. That's why I postponed this issue on that one: to avoid unnecessary work here.
Comment #131
dawehnerGiven that
/user/register
is an actual REST operation, as you post an entire user, with various bits and pieces, and for that, you can actually use other formats etc., I think there is much less of a discussion about it.Comment #132
Wim LeersOk, cool! Happy to be wrong!
Comment #133
dawehnerSorry for my harsh words ... So yeah this is not blocked at all, cool!
Comment #134
marthinal CreditAttribution: marthinal commentedReplacing NonCacheableResourceResponse with our new ModifiedResourceResponse.
Comment #135
dawehnerJust a quick review ...
Does this makes sense conceptually? Admin users can create new users at the moment already
urlInfo is deprecated already, let's use toUrl instead
I guess we want to use
/user/register
now?Nitpick: two empty lines
Let's use a public function, otherwise we need to convert it to a public once we use a
BrowserTestBase
I could imagine that using prophecy based mocking might make things much better here in general.
Comment #137
marthinal CreditAttribution: marthinal commentedThank you @dawehner
1) Ok I see what you mean but... IMHO the admin user should use the User resource. I mean, we have Content, User, File resources... so probably this message makes sense in that context(an anonymous user wants to register a new user account).
Probably it is a little bit confusing I agree.
Only administrators can register users
could be replaced withYou cannot register a new user account
or something like that...2) Done.
3) Done.
4) Done.
5) Done.
6) Done.
Comment #139
marthinal CreditAttribution: marthinal commentedAdding the uri_paths(Annotation) should be enough.
Comment #140
dawehnerJust another quick review.
That's a good idea!
Can we leverage the enableService helper method for that?
IMHO it would be nice to also have tests for the access permission test.
Comment #141
Wim LeersThis is looking great already :) Lots of nits, and a few small refactor things that will make the code more maintainable:
Nit: s/rest_user_registration/user_registration/
Nit: s/User Registration/User registration/
Should be
\Drupal\Core\Config\ImmutableConfig
.Nit:
The current user.
Let's list the specific exceptions.
Nit: 80 cols.
This is copy/pasted from
EntityResource
.Rather than duplicating the code, which means we have to keep both up-to-date and in sync, it'd be better to put this in a trait that both resources can use.
Nit: inconsistent spelling of "e-mail".
These can be combined.
Also, let's do a 200 response and send the created user object back.
So:
Just use
</code>{@inheritdoc}
.Let's not use globals.
Comment #142
dawehnerThat's indeed something also jsonapi for example can use.
Comment #143
marthinal CreditAttribution: marthinal commented140
Ok! Now the response contains You cannot register a new user account
140.1 Done
140.2 Done
141.1 Done
141.2 Done
141.3 Done
141.4 Done
141.5 Done.
141.6 Done.
141.7 Done.
141.8 Done.
141.9 Done. Ok so probably we should change the EntityResource response
new ModifiedResourceResponse($entity, 201, ['Location' => $url->getGeneratedUrl()]);
??141.10 Done.
141.11 Done.
Thanks!!
Comment #145
marthinal CreditAttribution: marthinal commentedFixed unit tests.
Comment #146
Wim LeersUnnecessary whitespace changes.
Nit: s/as resource/as a resource/
The second comment is wrong.
===
Nit: This whitespace didn't exist yet, let's not introduce it here.
Let's throw \Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException instead.
I'd call this
checkFieldAccess
.Also: typehint is missing.
Nit.
Tests user registration.
Nit: s/Add/Grant/
Weird sentence.
s/JSON/HAL+JSON/
I'd keep the first comment, remove the comment in the middle, and remove all blank lines. Because this whole sequence represents one test. And the comment in the middle is not entirely accurate.
The first comment is also not entirely accurate, this would be better:
This comment is also not entirely accurate. Let's make it consistent with the one above:
// Verify that an anonymous user can register.
Nit: trailing spaces.
Let's just change this to:
Nit: unnecessary whitespace.
Again:
Nit.
Hah, great catch :D
Comment #147
f0ns CreditAttribution: f0ns commentedThank you for your work on this, I will try and test this patch this week. Good job so far!
Comment #148
marthinal CreditAttribution: marthinal commented1. Done.
2. Done.
3. Done.
4. Done.
5. Done.
6. Done.
7. Done.
8. Done
9. Done.
10. Done.
11. Done.
12. Done.
13. Done.
14. Done.
15. Done.
16. Done.
17. Done.
18. Done.
19. Done.
20. Yeahh :D
Thank you @Wim!
Comment #150
Wim LeersYou forgot to update this, hence the fails :)
Nit: actually these comments don't seem valuable at all? I think we can remove them.
Much clearer!
Except now that I think about it, we granted authenticated users the permission to register new users, above in
setUp()
. So why exactly is this the expected behavior?Comment #151
marthinal CreditAttribution: marthinal commented1. Oops!! Sorry
2. Done.
3. Yes. Because we want to verify that only anonymous users can register new user accounts and... authenticated users could have access to the "registration resource".
thanks!
Comment #152
Wim Leers#151.3: Hm I don't fully understand that.
Can we then change
to:
Comment #153
yasin-ali CreditAttribution: yasin-ali as a volunteer commenteduser error
Comment #154
Wim LeersComment #155
marthinal CreditAttribution: marthinal commentedThis resource should be used by anonymous users to register a new account.
For CRUD operations we should use the User resource.
This is my humble opinion.
@Wim I can add this comment... but I prefer to wait for your opinion.
Comment #156
Wim LeersYour explanation makes sense. But it's not clearly reflected in the comment.
I think this is clearer:
And I now see where the logic determining this behavior lives:
I think the comment there should be changed to:
Then both the logic implementing it and the test expectations are clearly documented. I think that will be better for long-term maintenance.
Thanks for your clear explanations and patience!
Comment #158
marthinal CreditAttribution: marthinal commentedSure, makes sense to improve these comments.
Ok, Done.
Thank you for your great reviews and your help!
Comment #159
Wim LeersComment #161
Wim LeersThis needs a reroll because #2308745: Remove rest.settings.yml, use rest_resource config entities landed.
I created a change record: https://www.drupal.org/node/2752071.
Comment #162
Wim LeersThis only needs a trivial reroll :)
Comment #163
jlbellidoRerolled #158
Comment #164
Wim LeersThanks!
Comment #165
jjcarrionRestoring the right devdays tag.
Comment #166
Wim LeersOops — sorry!
Comment #167
alexpottThis is looking good.
The name of the trait and this method are a mismatch - not sure what to do here.
The best practice has recently changed https://thephp.cc/news/2016/02/questioning-phpunit-best-practices
Unrelated change.
Comment #168
marthinal CreditAttribution: marthinal commented1. I've created a new trait
2. Done
3. I've created #2755667: Fix typo error in WebTestBase
Comment #169
alexpottLet's add an @throws here.
Coding standards that need fixing.
Comment #170
marthinal CreditAttribution: marthinal commented1. IMHO the method should be
::checkCreateFieldAccess()
instead of::checkFieldAccess()
.throw new AccessDeniedHttpException("Access denied on creating field '$field_name'.");
2. Done
3. Done
4. Done
5. Done
Comment #171
Wim Leers#170.1: disagreed. See
\Drupal\Core\Entity\EntityAccessControlHandlerInterface::access()
vs\Drupal\Core\Entity\EntityAccessControlHandlerInterface::createAccess()
. It's specifically creation that's a special case. But that's exactly not what we have here:So, if anything, it should be
checkEditFieldAccess()
, notcheckCreateFieldAccess()
.I think
ResourceFieldEditAccessTrait
would be more accurate?Using the term "create" here is wrong.
Comment #172
marthinal CreditAttribution: marthinal commented1) +1 ::checkEditFieldAccess()
2) IMHO the class name could be correct. At this moment it is probably not the case but maybe in the future we need to add a new method... I mean if we want to check access in the future but not only for edit permissions. is it ok for you @Wim?
3)
throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
Done!
Thanks!
Comment #174
marthinal CreditAttribution: marthinal commentedOops :)
Comment #175
Wim LeersGreat work, and thank you so much!
Comment #176
Snehal Brahmbhatt CreditAttribution: Snehal Brahmbhatt at AddWeb Solution Pvt. Ltd. commentedOne more resource added i.e User Registration but path seems missing, please find the attached screenshot.
Apart from this, there is my configuration for new resource i.e User Registeration. Please find the attached screenshot.
Now, while I am trying to execute the below code using Postman:
Example CURL Code:
It shows me the below response:
Additionally, Here’s the attached screenshot for my users permission to access RESTful APIs.
Please need some quick help. Also do let me know if anything missing from my end too.
Thanks!
Comment #177
marthinal CreditAttribution: marthinal commented@snehal.brahmbhatt
I'm not 100% sure about the reason.
But... some interesting points to review in your case:
1)
Should be HAL+JSON
2) If you are using RESTUI with D8.2.x then apply this patch #2758563: Handle core 8.2.x changing REST configuration to use configuration entities
3) If you want to register a new user, you don't need to use BASIC AUTH or the cookie session here. This resource is to register a new user. To create a new user you need to have permissions of course.
4) Please check the Integration test for more info (core/modules/rest/src/Tests/RegisterUserTest.php)
I hope it helps.
Comment #178
Snehal Brahmbhatt CreditAttribution: Snehal Brahmbhatt at AddWeb Solution Pvt. Ltd. commentedThanks for your prompt response Marthinal.
I have checked with provide points.
For Point 1: HAL + JSON: still gives me same response.
Point 2: Ok
Point 3: This donot allows me to create new register user without BASIC AUTH or Cookie session. PFA screenshot.
Point 4: Ok
Comment #179
marthinal CreditAttribution: marthinal commentedFrom RegisterUserTest
I mean you don't need to be authenticated. Well RESTUI requires an authentication provider so try with cookie for example...
Comment #180
Wim LeersThis is not a support issue. The tests prove this works. Let's not let this issue grow even bigger, we're already almost at 200 comments!
Comment #182
kylebrowning CreditAttribution: kylebrowning commentedI think this failed because of something unrelated?
Comment #183
alexpottDoing this twice.
This is different from the logic in AccountForm... which is:
I think this means we should block everyone and then only unblock if
$config->get('register') == USER_REGISTER_VISITORS
- yes core only has the 3 modes but it is possible to add more. So we should keep the behaviour the same.Should use the constants
Comment #184
marthinal CreditAttribution: marthinal commentedNo time to work on it this week. Unassigning the issue so anyone can feel free to work on it.
Comment #185
tedbowThis is patch addresses review in #183
1. Added the test coverage.
2. fixed
3. blocking now if USER_REGISTER_VISITOR
4. fixed
5. no problem! thanks for reviewing!
Also moved the logic to decide whether to block the user based on emails to before the user is saved. This way you don't have to save the user twice.
Comment #186
alexpottThis can be written with less logic. Like so...
Comment #187
tedbow@alexpott whoops. fixed
Comment #188
dawehnerThis small refactoring could be out of scope of this issue, but well ...
From a pure refactoring point of view, I would have moved these guards into its own helper method, so the overall code of the
post()
function becomes easier to read.Do we use camelCase variables now?
Also moving this into its own method would increase the readability:
$this->sendEmailNotifications($account)
Should we typehint for
FieldableEntityInterface
here, because this is what the function actually needs? both for->get()
and->validate()
Comment #189
tedbow@dawehner thanks for review
1. oh well
2. refactored
3. no we are not ;). fixed
4. refactored
5. yes thats a good idea. changed
post() is much more readable now!
Comment #190
Wim LeersThanks, @tedbow, @dawehner and @alexpott! :)
Comment #191
kylebrowning CreditAttribution: kylebrowning at Acquia commentedSo close!
Comment #192
xjmThis RTBC issue probably has a beta deadline, so tagging for visibility.
Comment #193
alexpott#25 has never been definitively answered on the issue and given that this will allow users to be created I think we need a sec review before committing. Setting back to "needs review" to get that.
Comment #194
dawehnerWhat about returning a 201 here?
maybe adding some helpful information would be nice
Comment #195
Wim Leers#194.1++, great nitpick!
#193: excellent, excellent point! I dug into the commit history, and determined that http://cgit.drupalcode.org/services/commit/resources/user_resource.inc?h... contains the fix. The culprit was these two lines (that were removed in the fix):
In other words, an "account" object was POSTed, and if no password was specified, then the password was set to the empty string. That is of course preposterously unsafe.
Also note that if you look at the
/user/register
HTML form, you'll see that you can only provide a password if the "require e-mail verification" setting is turned off. Otherwise, the password is e-mailed.So, let's see what happens if we don't POST a password when registering. It should complain no password was provided when the "require e-mail verification" setting is turned off. In the other case, it should ignore it.
As you can see, the test fails. So, if no password is provided, then the empty password is set. Just like in https://www.drupal.org/node/2344389. But we don't set the empty password explicitly, it happens automatically.
I suspect we'll need to fix some of the logic deep in
User
andPasswordItem
.Also: For the HTML form, it's
\Drupal\user\RegisterForm::submitForm()
that always generates a password in case of a "require e-mail verification" being turned on, so that even violates my assumption above. It seems to be setting a temporary password, that is then overridden when the user has clicked the e-mail verification link.Comment #196
Wim LeersForgot the patch I wanted to attach. This should contain exactly one fail, and that one fail proves that https://www.drupal.org/node/2344389 applies to this also.
Comment #198
tedbowOk this patch:
Comment #200
kylebrowning CreditAttribution: kylebrowning at Acquia commentedExcellent depiction in #195.
Sorry the commit message is so vague, the security team made me do it!
Comment #201
tedbowSetting to "Needs Review". First time failed was for FieldUI test which I am sure is a test problem. Retested and passed!
Comment #202
kylebrowning CreditAttribution: kylebrowning at Acquia commentedAll nits.
Should read '// Only activate new users if visitors are allowed to register and no email'
This is only the ability to register a single user, so `Only anonymous users can register a user.`
No period at the end here.
Comment #203
kylebrowning CreditAttribution: kylebrowning at Acquia commentedFor clarification, its ready besides those nits.
Tested locally from an iOS app too, not that the tests don't prove this works. :P
Comment #204
tedbow@kylebrowning thanks for the review!
This patch addresses nits #202
Comment #205
kylebrowning CreditAttribution: kylebrowning at Acquia commentedComment #206
xjmHas the security review been fully addressed? I think @Wim Leers and @tedbow and @kylebrowning addressed one issue that was discovered, but I do not see any other comments from the security team on the issue since it was tagged.
Comment #207
kylebrowning CreditAttribution: kylebrowning at Acquia commented#25 concerns have been addressed, but have not heard from Security team here.
Comment #208
effulgentsia CreditAttribution: effulgentsia at Acquia commentedI haven't reviewed the full patch yet, but the following jumped out at me so far:
Won't this break config entities? Since in HEAD, if
_restSubmittedFields
is empty, then the loop is skipped, but with the patch, we'd get an error due to the typehint?And this too? Since this is changing a no-op return into an error due to the typehint?
Comment #209
effulgentsia CreditAttribution: effulgentsia at Acquia commentedSome minor stuff, but still not a complete review:
Earlier in the post() method, we require that it only operate for entity creation, so does changing the wording to "updating" make sense? If we don't like "creating field" for some reason, would something like "setting value for field" be more appropriate than either "creating" or "updating"?
Nice!
In which case, why not make these use
UnprocessableEntityHttpException
as well?Comment #210
effulgentsia CreditAttribution: effulgentsia at Acquia commentedI'm not on the security team, other than as a maintainer, but FWIW, I don't see any security problems with the patch.
Comment #211
dawehnerGreat catch! I think we should have a test in general which is a non fieldable non config entity.
Comment #212
Wim LeersWe should just revert all of those changes.
The point of those changes was that we move some of those protected helpers on EntityResource to a trait, so that the user registration resource could also use them.
Modifying while moving is unnecessarily complicating things.
Comment #213
Wim LeersAll of these changes are just reverting to HEAD's behavior/logic. I didn't realize that the "split this off into a separate helper method on a trait so both X (
EntityResource
) and Y (UserRegistrationResource
) can use it" rule had not been respected. Sorry for missing that.Since this is just moving existing logic to a different place, this should not have to introduce additional test coverage IMHO. It's unfortunate that the REST module has less comprehensive test coverage than we'd like, but we have #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method to solve that. I'll take "comprehensive test coverage" on during the 8.2 beta phase.
Comment #215
dawehnerThis doesn't help. In HEAD we check that there is a fieldable entity passed in ... and now not longer anymore. I think this was the point of @effulgentsia
See #208.2
Comment #216
effulgentsia CreditAttribution: effulgentsia at Acquia commentedPer #215. Also removed some no longer necessary comments, since the class name of the exception is already sufficiently clear.
Comment #217
effulgentsia CreditAttribution: effulgentsia at Acquia commentedSeems to me we should move this to user.module, no?
But these traits don't implement access and validation logic for generic resources, only for entities. So I think we should rename them to
EntityResource(Access|Validation)Trait
. And perhaps also move them into theDrupal\rest\Plugin\rest\resource
namespace?Comment #218
tedbowOk this patch address #217 renames the 2 traits and moves the registration resource to the user module.
hope I got it right but you know as they say "there are 2 hard things in computer science, renaming things"
Comment #219
Wim Leers#215+#216: sorry for the slight misinterpretation.
#217++ — I can't believe I didn't notice that before!
My only final remark: I think it may be best to mark both of those traits as
@internal
for now. We can consider making it non-internal in 8.3, once REST is more fully fleshed out, and in particular once we have full Config Entity CRUD support (#2300677: JSON:API POST/PATCH support for fully validatable config entities), which would ensure these traits are indeed as universally applicable as their names convey.So, did that.
#206:
I see four reasons why it's okay for me to remove the
tag:Given the beta deadline, and given that everything since #208 was minor to very minor stuff, moving back to RTBC.
Comment #220
effulgentsia CreditAttribution: effulgentsia at Acquia commentedAdding review credit to @claudiu.cristea.
Comment #221
effulgentsia CreditAttribution: effulgentsia at Acquia commentedAnd to @heykarthikwithu.
Comment #223
effulgentsia CreditAttribution: effulgentsia at Acquia commentedPushed to 8.3.x. Thanks!
I discussed this with @alexpott and @xjm about whether to push to 8.2.x (i.e., change this from "beta deadline" to "beta target"). We're not sure yet. We'd feel better about doing that if it got some additional security review, despite the excellent points in #219, so restoring that tag, and setting to "Needs review". If that doesn't happen by beta2, then we can leave this as an 8.3-only feature, in which case, it'll sit around in a non-production branch for 6 more months, which will provide an opportunity for security issues to surface without compromising live sites.
Comment #224
Wim LeersThanks! That sounds like a very reasonable compromise.
/me waves at security team members.
Comment #225
kylebrowning CreditAttribution: kylebrowning at Acquia commentedComment #227
effulgentsia CreditAttribution: effulgentsia at Acquia commentedStill eligible for 8.2.x if it can be security reviewed in time, per #223.
Comment #228
pwolanin CreditAttribution: pwolanin as a volunteer commentedI'll try to add a review of this. I did a quick look at the patch and it doesn't seem like we are using the same code path for user registration via form submission and via REST? In general I think having the validation and save code be different for form vs. api (REST, etc) can lead to security bugs if they diverge accidentally in terms of behavior.
Comment #229
dawehner@pwolanin
We always had issues with that. For example the login logic is duplicated in multiple places, see #2431357: Extract a reusable UserAuthFlood service and reuse it in UserLoginForm and BasicAuth and UserAuthenticationController, so I think doing that in a follow up, see #2783635: Centralize the logic of \Drupal\user\Plugin\rest\resource\UserRegistrationResource::ensureAccountCanRegister and \Drupal\user\Access\RegisterAccessCheck::access is okay.
Comment #230
pwolanin CreditAttribution: pwolanin as a volunteer commented@dawhner - a follow-up plan to normalize those code paths seems very necessary, at a minimum.
Are there other places these new traits will be used? Seems like only 1 in this patch.
I realize this code is just moved, but it's pretty ugly to have such a property. Should we look at entity API improvements in a follow-up to support generically listing edited fields when processing an entity submission?
Comment #231
kylebrowning CreditAttribution: kylebrowning at Acquia commentedIm all for followups, It would be really nice if this made it into 8.2, otherwise for 6 months we have to wait for external applications to have a real way to register account on a supported Drupal version
Comment #232
xjmFollowing up on #223, @effulgentsia, @alexpott, and I discussed this issue and decided that it is not eligible for the beta at this time (see also: https://www.drupal.org/core/d8-allowed-changes#beta). This issue is already fixed in 8.3.x (hooray!) so moving back to that branch.
Comment #233
kylebrowning CreditAttribution: kylebrowning at Acquia commented:(
It would have been nice to have been included in that discussion. This was the final ticket to finish Fully decoupled Drupal #2721489: REST: top priorities for Drupal 8.2.x, im disappointed we now have to wait 6 months to use it.
Comment #234
alexpottThis patch introduced a "risky" test - see #2787657: \Drupal\Tests\rest\Unit\EntityResourceValidationTraitTest::testValidate
Comment #235
Wim LeersConsidering which REST issues have been tagged with
, I think this one will definitely qualify for . So, tagging as such.Comment #237
ruloweb CreditAttribution: ruloweb at Media.Monks commentedI was wondering... why this endpoint was created as a RestResource but login/logout are common ControllerBase methods defined in user.routing.yml ?
Comment #238
Wim Leers@ruloweb: Because registering is the creation of a new
User
entity. But logging in and out does not correspond to the reading/creating/updating/deleting of anything… it's just "using" something. This is discussed in detail #2403307: RPC endpoints for user authentication: log in, check login status, log out.Comment #239
hubobbb CreditAttribution: hubobbb as a volunteer commentedd8.3.2 here has a good article works for me .
https://areatype.com/blog/register-user-drupal-8-rest-api
data format
{
"_links": {
"type": {
"href": "http://yoursite.com/rest/type/user/user"
}
},
"name": [
{
"value": "test3"
}
],
"mail": [
{
"value": "test+3@test.com"
}
],
"pass": [
{
"value": "test"
}
]
}
or see the doc .
https://www.drupal.org/docs/8/core/modules/rest/javascript-and-drupal-8-restful-web-services
,above two methods work ok.
Comment #240
lastlink CreditAttribution: lastlink as a volunteer commentedRegistering for anonymous users has a major permissions fix for persistency. If you use the email module you can require users to verify their account before they can login. However in the admin/config/people/accounts the "Visitors" option (not Visitors, but administrator approval is required) doesn't work if you register a user through rest. Basically when you register a user through rest and they get the verification message it says access denied. Registering an anonymous use w/ "require email verification" disabled and just passing the password does work through rest.
Comment #241
lastlink CreditAttribution: lastlink commentedThe "Visitors, but administrator approval is required" and
"Require email verification when a visitor creates an account" have conflicts in a rest register post. You can't register a user through REST and have the email verification work w/ admin approval turned off. You can not in REST. This bug needs to be fixed so permissions are consistant.
Comment #242
lslinnet CreditAttribution: lslinnet at FFW commentedStumbled on an issue caused by this, when using user register from the Rest endpoint the user gets blocked, but when using the same configuration from the user register form it is activated (which is the state required to access the password reset form.)Have attached a patch for it here, with updated tests to cover these cases.
Moved this to it's own issue see https://www.drupal.org/node/2921853
Comment #243
Wim Leers@hanoii filed a follow-up at #3002019: Register a user without email verification should still send an email . Feedback welcome.
Comment #244
boby_ui CreditAttribution: boby_ui as a volunteer commentedHi Guys,
I have a problem on my end where I used postman to test /user/register and setup POST method and its working fine under postman, but I run this through a simple android app,
using the post method also, some the the request of POST turns into OPTIONS and thus its 409 conflict?
and I am wondering if /entity/user/register is still available as I am on 8.6.14 version now, and this patches already does not make sense for me to check and the files are pretty different?