Problem/Motivation
Fields to have a flag in their configuration which is used to hide them.
This works perfect for HTML but \Drupal\rest\Plugin\views\row\DataFieldRow::render doesn't take that into account yet
Proposed resolution
* Fix it
* Write tests
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#35 | rest_raw_exclude-2606548-35.patch | 2.69 KB | Lendude |
#8 | rest_raw_exclude-2606548-8.patch | 2.68 KB | Lendude |
| |||
#8 | interdiff-2606548-3-8.txt | 759 bytes | Lendude |
#3 | rest_raw_exclude-2606548-3.patch | 2.46 KB | Lendude |
#3 | rest_raw_exclude-2606548-3-TEST_ONLY.patch | 1.3 KB | Lendude |
Comments
Comment #2
LendudeFirst stab at a fix. Setting to needs review to kick the testbot into gear, but needs work.
Adding a hidden field to one of the views used in \Drupal\rest\Tests\Views\StyleSerializerTest sort of illustrates the problem but would require a lot of refactoring of the existing test to take the hidden field into account because of the way those tests are build up.
So I'll take a look at adding a new view for this with a hidden field and running some tests on that.
Comment #3
LendudeTest and fix.
Comment #4
dawehnerNIce. Thanks a lot!
Comment #7
alexpottThere are two if's and only one test - are we missing test coverage here? I think we're only testing the second if.
Comment #8
LendudeGood point, added test for the row options.
Comment #9
dawehnerIts great that skip over those entries, if they aren't rendered anyway.
Comment #10
alexpottThinking about this bug fix some more - we're at the unfortunate point where doing this could potentially break people's sites - something could be relying on the excluded field not being excluded. Therefore I think we should fix this in 8.1.x and not do in a patch release and also have an upgrade path. The upgrade path should find all rest views with excluded fields and makes them not excluded and inform the user.
Comment #11
catchThat makes sense to me - preserve the existing behaviour on existing sites, fix it for anything new.
Comment #12
dawehnerThat doesn't make sense to me. When we argue that way, how can we fix any kind of bug? You could always rely on any kind of wrong behaviour.
Comment #13
dawehnerMoving back to 8.0.x. If people configure a view we should trust their configuration over a broken behaviour in views.
Comment #14
alexpott@dawehner the difference is that the view is not broken and it is perfectly possible to use the output in a mobile app or whatever.
Comment #15
LendudeYou could also argue that this bug might be displaying sensitive data that a site builder is expecting to be hidden, and it's a possible security risk to not fix it.
For what it's worth, I'm with @dawehner on this, it's a bug and
doesn't sound like the sort of thing we'd need to consider as valid configuration.
Comment #16
damiankloip CreditAttribution: damiankloip commentedSorry, I think I agree with Daniel here. Saying people are relying on broken behaviour could be said about almost any bug out there.
Comment #17
alexpottI'm not saying that we shouldn't fix the bug I'm saying that given we are changing the output of something that is meant for creating public APIs. We should do so in the most conservative way possible. All that means is changing existing REST views to not exclude fields in an update and tell the user we've done that.
Comment #18
catchThere's a big difference between broken behaviour that affects output vs. one that doesn't. In this particular case, how does the person interacting with the Views output know that it's broken?
The idea with moving this to 8.1.x is that we're fine with breaking reliance on broken behaviour in minor releases, but we try not to do that in patch releases.
Comment #19
xjmI agree with #17 and #18. We can commit this to 8.1.x as soon as we have the upgrade path RTBC. Thanks!
Comment #20
xjmComment #21
dawehnerAlright, Drupal 8.0. is so indeed stable in the sense that it doesn't improve anymore.
Comment #22
tim.plunkett+1 for fixing in 8.0.x
Trust the subsystem maintainers, please.
Comment #23
tim.plunkettWhen a site builder goes into the Views UI and chooses to exclude a field from display, that is a very purposeful choice.
Nowhere do we default to excluding. They would have to explicitly click that, and have clear expectations for the result.
Not fixing this in 8.0.x is irresponsible.
Comment #24
tim.plunkettFurther discussion between the D8 Views maintainers and the original Views author:
Comment #25
damiankloip CreditAttribution: damiankloip commentedThis is also a similar ilk as #2574077: REST Export display cannot show any raw output for fields using the Field field handler. Which I think we should fix asap too.
Comment #26
alexpottHere is my reasoning for saying that we should remove the exclude option from existing REST views.
REST is for creating public APIs. Changing site's public APIs from underneath them should be avoided. If we do change the behaviour we should communicate this in a release note / change record or even update.php. However, given that REST is used to create public APIs that are consumed by applications that the site owner and developers might not even know about this information is highly unlikely to reach the correct ears. Therefore I proposed changing the views and informing the site owner / site developers as part of update.php. This gives the site the most options - they can decide they don't care about public consumers and exclude the field, or they can canvas their users, or they can just decide it is not an issue. Maybe the best solution would be inform the user prior to update and let them choose how they want they specific site to handle this as the answer is probably going to depend on what is actually disclosed and how public the REST is.
Comment #27
catchSo for me both #26 and the information disclosure potential are about 50/50.
I think it's very unlikely that there'll be actual information disclosure (usually when exclude is used, it's because it's being used in a rewrite or something and gets rendered one way or the other anyway).
But it's also very unlikely that that particular field is going to be used directly by a web service consumer - at least while the number of 8.x sites is very low. The more sites start providing REST APIs the more chance one gets impacted (although still low).
So we are balancing two unlikely scenarios against each other, depending on which type of breakage you prioritise, both are valid.
An update with a choice in general seems like a good approach for this, although I wouldn't hold this issue up on that - it could happen in 8.1.x either way with an update.php and a release notes mention.
Comment #28
dawehner@catch
No, this is just simply wrong.
Common ways how you could use a token outside of rendering:
What really annoys me is that subsystem maintainers are not trusted on this issue. At least though, one subsystem maintainer completely disagrees with all the other ones.
Comment #29
dawehnerTo be honest having the 8.1.x fix with the update path, is just the worst of all possible solutions. We would disagree with an active decision of the user.
We should not make assumptions over users will, vs. some freaking arbitrary academic situation.
Comment #30
catchI don't think it's an arbitrary academic situation - if you're providing REST views, and the excluded fields are included, it's not academic that someone might end up relying on those fields - the consumer of the REST API has no way to know what you intended (unless you have documentation for every individual field somewhere).
Overall I'm coming 'round to treating this as a straight bug fix though, and if there is breakage then we just say we erred on the side of caution against information disclosure.
Comment #31
dawehnerWell, I see your point, but I still disagree.
Comment #32
catchWell I think it's unlikely, in the same way that I think an actual information disclosure issue (as opposed to just extra unwanted data which you could probably find elsewhere on a site) is unlikely - which is why for me I'd be OK with the patch as is for 8.0.x with a release notes mention. We're not changing Drupal's API, we're potentially changing the API that a site provides, but that also would have happened with the raw output issue.
Comment #33
dawehnerAlright, easy.
So here is a release note mentioning text:
Comment #35
LendudeStraight reroll.
And want to thank everybody for their detailed arguments, really helped me see what the pros and cons were here.
Comment #36
dawehnerIts green
Comment #37
alexpottCommitted 1673fa6 and pushed to 8.0.x and 8.1.x. Thanks!
It is hard to know who to give review credit on this issue so I'm giving to everyone as I know that everyone spent some time discussing this issue.
Added missing fullstop on commit.
Comment #40
dawehnerThank you alex, xjm, catch