Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This implements\Drupal\Core\Routing\Access\AccessInterface
. All implementations of that interface have a name ending inAccessCheck
, so this should too.A link the relevant portion in the spec is missing: http://jsonapi.org/format/#query-parameters.The spec calls it "Query Parameters". And it's about valid "implementation-specific" query parameters. The "custom" is okay, but I think "parameters" is too vague". Let's call it "query parameters", just like the spec.The route requirement_custom_parameter_names
is too generic. It should be prefixed with the modulename/spec. And it should include "query", per the previous point.Its validation does not actually validate everything that the spec outlines. Added@todo
s for this.And perhaps this validation actually belongs in a helper class, because it applies also to member names in the generated JSON documents. Only a tiny portion is specific to query parameters. Added@todo
s for this.
Comment | File | Size | Author |
---|---|---|---|
#51 | 2829328--custom_parameter_names__cleanup--39.patch | 8.13 KB | e0ipso |
| |||
#42 | custom_parameter_names__cleanup-2829328-39.patch | 17.77 KB | Wim Leers |
Comments
Comment #2
Wim LeersComment #3
e0ipsoGreat stuff!
I only want to add that #2779963: [BUGFIX] Protect fields: "type" and "id" should address the last concern when it gets resolved.
Comment #4
Wim LeersCool :)
Comment #5
Wim LeersComment #6
e0ipsoRe-rolled #2.
I'm setting this to Needs work because we need to implement the todos in there. But I'm letting the tests run first.
Comment #7
e0ipsoComment #8
Wim LeersI'll be pushing this forward later today.
Comment #9
e0ipsow00t!
Comment #10
Wim LeersStraight reroll. This didn't apply anymore, especially due to #2844717: Validation of parameter names doesn't correctly check for backslash and control characters :)
Comment #11
Wim LeersUpdating the IS to reflect what is already done.
Comment #12
Wim Leers#2844717: Validation of parameter names doesn't correctly check for backslash and control characters did a great job of also testing against the ASCII control characters, which is mentioned at http://jsonapi.org/format/ as:
But really,
DEL
(0x7F
orU+007F
in Unicode notation) should also be tested explicitly, since it's usually considered part of the C0 controls: https://en.wikipedia.org/wiki/C0_and_C1_control_codes#C0_.28ASCII_and_de...The JSON API spec specifically calls out that space is allowed but not recommended (because it's not URL-safe).
This resolves one of the
@todo
s I had added in #2.Comment #13
dawehnerTotally +1 to rename that
Note: This generates just one test case in total
Comment #14
Wim LeersThanks for the review & reroll, @dawehner!
A big update will follow shortly.
Comment #15
Wim LeersThe code is now called
CustomParameterNamesAccessCheck
, but it's wrong on at least two levels:Conclusions:
The fact that
CustomParameterNamesAccessCheck
is muddying all these concepts together makes it A) hard to understand, B) not future-proof.So here's a first step: moving the "restricted characters" to a "JSON API spec" class.
Comment #16
Wim LeersI noticed that the existing test coverage in
\Drupal\Tests\jsonapi\Unit\Access\CustomParameterNamesAccessCheckTest
is incomplete in at least two important ways:In adding those two test cases, I also noticed that the "unsafe chars" test cases were using
”
instead of"
and’
instead of'
. So, fixed that too. This should now have several failing tests.Comment #18
Wim LeersAs predicted, #16 failed. It has these 3 failures:
So the first new test case in #16 actually passed. The second did not, so the current validation is incorrect.
Finally, the incorrect "unsafe chars" I noticed that I fixed also resulted in failures. This means that that validation is incorrect as well.
This fixes all that.
Comment #19
Wim LeersAt this point, because of the improved (now actually correct) validation of member names, it becomes pointless/unnecessary to validate against the list of restricted characters too. The restricted characters are specifically called out for less strict implementations. But given that we can now strictly validate against the list of allowed characters (as defined by the JSON API spec), we can simplify things a lot.
Comment #22
dawehnerTechnically this adds some coupling which didn't existed before. Not sure this is really needed.
People will argue about this finalness when this comes into the core review process. Just take it off, but I totally get why you did it.
I'm wondering whether we should move most of this unit test over to a dedicated test for the JsonApiSpec class.
Comment #23
e0ipsoI am good with where this is right now. I am not particularly concerned about @dawehner's comments above, but if it's important from his judgement that's good enough for me.
Comment #24
dawehnerSome things are just so simple to fix that its not worth to worry about.
Comment #25
Wim LeersThis moves the bulk of the tests over from
CustomParameterNamesAccessCheckTest
toJsonApiSpecTest
. This allows for proper unit testing.This addresses #22.3. It was already in progress before #22.3 was posted :)
Comment #27
Wim LeersThis adds a
\Drupal\jsonapi\JsonApiSpec::isValidCustomQueryParameter
method, as per #15.Includes additional unit test coverage to ensure the additional requirements are met.
This also means the final remaining
@todo
can be removed :)Comment #29
Wim LeersThis is what is causing the test failures on PHP 5. Apparently it's a PHP 7 feature: http://php.net/manual/en/migration70.new-features.php#migration70.new-fe....
Looking into a solution.
Comment #30
Wim LeersAnd this:
is triggering a parse error on PHP 5.5:
Apparently constant expressions are a PHP 5.6 feature: http://php.net/manual/en/migration56.new-features.php.
Comment #31
Wim Leers#27 failed precisely for the reasons mentioned in #15: the logic in HEAD was validating all parameter names, including official ones. We need to exclude official ones from "custom parameter" validation. We could apply member name validation to it, but it'd be pointless, since they're official query parameters anyway.
This fixes that.
I also took the opportunity to massively simplify
\Drupal\jsonapi\Access\CustomParameterNamesAccessCheck::validate()
.Comment #32
Wim LeersComment #34
Wim LeersThis makes the patch work in 5.5 and 5.6 too.
This is for both PHP 5.5 and PHP 5.6.
All other changes are only necessary for PHP 5.5.
P.S.: you can't quote that line of the diff directly, because drupal.org still runs on Drupal 7, which does not accept 4-byte Unicode characters.
Comment #35
dawehnerWhy can't things be nice, seriously ...
I'm wondering whether there should be its own helper method for that.
Wow I really like this documentation!
Cool, thank you!
Comment #36
Wim Leers#22:
Hm… I guess that's true. Also: I don't see what the point of this is anymore. I think I did it because the test coverage was not setting this route requirement or something like that. In any case: agreed, removed.
#35:
Comment #37
dawehnerThis looks great for me!
Comment #38
Wim LeersDid a final round of clean-up:
CustomQueryParameterNamesAccessCheckTest
test coverage_json_api_custom_parameter_names
to_jsonapi_custom_query_parameter_names
CustomParameterNamesAccessCheck
toCustomQueryParameterNamesAccessCheck
Comment #40
e0ipsoThanks gentlemen! You are awesome and the dream of any contrib maintainer.
Comment #41
e0ipsodarn! I just saw #38! I jumped the gun.
Comment #42
Wim LeersAnd just some final nits.
Comment #43
Wim LeersComment #44
dawehnerComment #47
Wim LeersIt's failing because it's already committed.
Comment #48
Wim LeersComment #49
dawehnerSo I guess you want to actually provide a different patch which is basically just the interdiff?
Comment #50
Wim LeersI figured @e0ipso would just revert his commit for this issue and then commit the now-RTBC patch.
Comment #51
e0ipsoFor the record, this is the patch git is coming up with after reverting the old and applying the new.
Comment #53
e0ipsoComment #54
Wim LeersYay, thanks!
Comment #55
Wim LeersThis unblocked #2829328: Clean up Drupal\jsonapi\Access\CustomParameterNames and make it follow the spec more closely.