Closed (fixed)
Project:
Drupal core
Version:
8.2.x-dev
Component:
rest.module
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
17 Nov 2016 at 03:27 UTC
Updated:
14 Dec 2016 at 21:04 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
neclimdulRemoving debug method bit from exception i added to figure out what was going on.
Comment #3
neclimdulMaking summary readable.
We implemented this hack because earlier in d8's release REST would do its method checks in hardcoded middleware that precluded contrib code from catching the core's request before rejecting it. By registering the method like this we could get further into the Symfony stack and handle the CORS OPTIONS request the same as other requests. I'm not sure if that's true but we have a different solution in place.
Since the previous reporter ran into a similar failure like this is seems we should make the update a little more resiliant to modified methods in the rest.settings.
Comment #4
dawehnerSo the recommended action is to completely ignore unknown methods? That sounds like the option which at least doesn't break the update path.
Comment #5
wim leersSo per #3, this is really about updating REST resource configuration that includes
OPTIONS. #2803179-23: [regression] rest_update_8201() can fail and break things describes a similar problem withPUT.Relevant quote:
This is a problem, and it makes no sense.
Since this code lives in
\Drupal\rest\Entity\RestResourceConfig::normalizeRestMethod()and is called by both\Drupal\rest\Entity\RestResourceConfig::getAuthenticationProvidersForMethodGranularity()and\Drupal\rest\Entity\RestResourceConfig::getFormatsForMethodGranularity(), this is actually applying to not the upgrade path, but simply the behavior. It's possible to create aRestResourceConfigentity in a fresh Drupal 8.2.x site and also run into this problem.The reason you're also running into it during the upgrade process, is because
rest_post_update_resource_granularity()calls$resource_config_entity->save();, which is fine for a post-update function (post-update functions can rely on the entity system).Comment #6
wim leersI think simply removing the validation makes most sense.
Note that this also matches the scope of what
\Drupal\rest\Plugin\ResourceBase::requestMethods()allows:That lists all official HTTP methods. But allows a particular REST resource to define additional ones.
Comment #7
wim leersComment #8
neclimdulWorked swimmingly. I figured there was something that required it to be limited down to that set of methods but tests don't seem to think so and this implementation makes more sense to me. We didn't even seem to assert the validation :-D
Thanks!
Comment #9
wim leersIndeed!
Comment #10
alexpottI think we should have a test for this. We might decide to limit this again in the future and be wrong.
Comment #11
alexpottDiscussed with @effulgentsia, @catch, @xjm and @cilefen. We agreed this was critical because if this update fails your rest settings and not upgraded to work with 8.2.x and your site is then broken.
Comment #12
xjmComment #13
mradcliffeHere is a start to an unit test. I added as a pure unit test for speed. It invokes the getMethods method on the entity, which seems to be the easiest way to get at the normalizeRestMethod protected method.
I thought about adding a data provider, but that really could be done in a follow-up for testing getMethods, getFormats, etc... respectively.
Comment #15
dawehnerIdeally our entity plugin could somehow validate this
Comment #16
wim leers#15: that's already happening. See
\Drupal\rest\Plugin\rest\resource\EntityResource::availableMethods(), which calls\Drupal\rest\Plugin\ResourceBase::availableMethods(), which calls\Drupal\rest\Plugin\ResourceBase::requestMethods().So, it's being validated not at configuration time, but at the run time.
Ideally, the configuration itself could indeed be validated. But then we need a configuration validation API, which doesn't exist … (#2164373: [META] Untie config validation from form validation — enables validatable Recipes, decoupled admin UIs …)
Comment #17
wim leersI think this should also do a "foo" method, just to show that it literally doesn't care about which HTTP methods are being used.
Once that's done, this is ready IMO.
Comment #18
mradcliffeAdds change to test for adding an unsupported method to assert that normalizeRestMethod should not be doing validation from #17.
I thought about adding a comment, but I wasn't sure about the wording so I left it without.
Comment #19
wim leersThanks!
Comment #21
mradcliffeRe-running test due to #2157927: Intermittent test fails in LocaleUpdateTest::testUpdateImportSourceRemote().
Comment #22
wim leersRetesting against 8.2.x, and adding a test against 8.3.x. Because #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method just landed.
Comment #24
catchCommitted/pushed to 8.3.x and cherry-picked to 8.2.x. Thanks!