Problem/Motivation
Sometimes a contrib module wants to guarantee access to a certain REST resource (some entity type, usually), in a particular format, with a particular authentication mechanism. However, the REST module requires configuration to be created for that, but that means it can be modified by the site owner. Which means the expectations of the contrib module can be violated.
One might say Well, why don't those modules simply provide their own controller?
, to which the answer would be: The problem is that they then must duplicate large portions of
. The point is to rely on the REST module's test coverage/improvements/bug fixes, and to not duplicate all that.\Drupal\rest\RequestHandler to handle serialization+cacheability correctly, and they'd also need to duplicate portions of EntityResource
Proposed resolution
Enable this use case by allowing the route to specify the plugin to use. This would decouple \Drupal\rest\RequestHandler() from RestResourceConfig config entities.
Remaining tasks
TBD
User interface changes
None.
API changes
None.
Data model changes
None.
Comments
Comment #2
wim leersComment #3
wim leers#2822302: Refactor Acquia Content Hub's "GET entity" route/logic would benefit from this.
Comment #4
wim leersSee #2575761-7: Discuss a better system for discovering and selecting normalizers and -8, it looks like the Schemata module also would benefit from this.
Comment #5
wim leersRelevant: https://www.drupal.org/core/d8-bc-policy#controllers.
Comment #6
chi commentedThe problem is more general. I had similar thought recently choosing between Views and Controller. It's quite common that contributed modules and profiles want to preserve their content types, fields, rules, whatever from being broken by site owner.
I wonder if it is possible to implement some kind of lock for a particular configuration object?
Comment #8
wim leersFor us to support this, we first need sanity in REST's routing. So we need #2737751: Refactor REST routing to address its brittleness to be fixed first. I did a lot of work in that area in the past 2 months.
Since #2737751 has 3 blockers, this has 4 blockers: we need #2737751 to be fixed to be able to work on this.
Comment #9
wim leers#2472337: Provide a lazy alternative to service collectors which just detects service IDs landed, #2858482: Simplify REST routing: disallow requesting POST/PATCH in any format, make consistent has been rerolled and is now blocked on review. Once that's in, there's again one less blocker here.
Comment #12
wim leers#2737751: Refactor REST routing to address its brittleness has only one blocker left.
Comment #13
jeqq commentedRELAXed Web Services contrib projects is a good example of the problem described in this issue (8.x-1.x branch). It duplicates some code from REST core module, implements a controller and provides config entities to make possible the custom REST resources work. Also, a problem has been to correctly handle the cacheability, this still might not be completely and/or correctly implemented.
Comment #14
wim leersWhat are your thoughts about the proposed resolution?
Comment #16
wim leers#2869426: EntityResource should add _entity_access requirement to REST routes landed, which means #2737751: Refactor REST routing to address its brittleness is fixed, which means this is also unblocked!
Now this is finally actionable, but how big is demand for this? 12 followers isn't nothing, but it isn't very much either.