Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
We agreed in #2829398-26: Clean up JsonApiResource: the annotation, plugin type, plugin manager, plugin implementations, the dynamic routes generator and the request handler that this is the right path forward.
Comment | File | Size | Author |
---|---|---|---|
#13 | 2838630--no-more-enabled--13.patch | 16.14 KB | e0ipso |
| |||
#10 | enabled-2838630-10.patch | 20.18 KB | Wim Leers |
|
Comments
Comment #2
Wim LeersDone.
Comment #3
Wim LeersDoing so made me touch code where I was wondering whether the Entity Access API was already being used for relationships/includes. AFAICT it is not. This implies that already the JSON API module is violating the Entity Access API. It's currently only checking it for accessing individual entities, and it's checking field access when modifying a relationship. But it's not checking entity access when following relationships.
It's
\Drupal\jsonapi\Normalizer\EntityNormalizer::serializeField()
that generates anEntityCollection
object, which is what will be used later to comply with?include=…
instructions. It does this:This is indeed fine to determine whether a field is viewable. But in the case of an entity reference field, you need both reference field access and access to the referenced entity to be allowed. See e.g.
\Drupal\Core\Field\Plugin\Field\FieldFormatter\EntityReferenceLabelFormatter
, it calls\Drupal\Core\Field\Plugin\Field\FieldFormatter\EntityReferenceFormatterBase::getEntitiesToView()
, which does the entity access checking.So, opened an issue for that: #2838646: Relationships violate Entity Access API.
Comment #5
Wim LeersGah, this conflicts with #2831185: Rename DocumentWrapper to JsonApiDocumentTopLevel and DocumentRootNormalizer to JsonApiDocumentTopLevelNormalizer. Would be great if that one would be committed.
Comment #6
Wim LeersAnd e0ipso just committed that! Unblocked, re-testing.
Comment #7
klausiFrom a security point of view this is a bad idea. We had a horrible security issue with RESTWS at https://www.drupal.org/node/2765567 (remote code execution) because it exposed any entity type.
If a developer gets the entity access controller wrong for an entity type you immediately open up a vulnerability over the JSON API for that entity type.
Comment #8
Wim Leers#7:
The whole point of the JSON API module is that it makes it easy to follow relationships. Requiring every entity type to be manually enabled completely nullifies that. If we'd do that, then I don't think there'd be much of a point to the JSON API module.
Comment #9
Wim Leers#2831134: Remove configurable 'id_field': always use UUID conflicted with this, rerolling…
Comment #10
Wim LeersComment #11
e0ipsoOne minor change:
Since we don't know the reason of the inaccessibility we should not omit anything.
«Leave the code in to win 403 error on access denied!»
We should delete those TODO for now.
Maybe we should just remove the tests for
/jsonapi/entity_type_2/bundle_path_2
since they are duplicating/jsonapi/entity_type_1/bundle_path_1
.Comment #12
e0ipsoStealing this to be able to merge it.
Comment #13
e0ipsore-rolled and addressed own feedback from #11.
Comment #15
e0ipso