Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
jsonapi
is great. jsonapi_extras
is even cooler!
I think they would be even better if all resources were disabled by default. This way, you don't have to spend time disabling each one by one. You can spend time configuring what you want to expose.
A compromise would be to at least be able to disable all resources with the push of a button, and then you can continue configuring. I will be glad to work on this issue.
Comments
Comment #2
mkolar CreditAttribution: mkolar at Ciklum Western Europe for BurdaForward commentedsame here :) it took a while to disable everything :) button would be great
Comment #3
sebi CreditAttribution: sebi at meltmedia commentedYeah, the other issue is if you add something new, after you've done all that clicking, you have to remember to disable the new thing in case you don't want that exposed either.
Comment #4
e0ipsoI do not think that disabling resources by default will be useful for everyone. However I do think that having "Enable All" and "Disable All" buttons can be interesting.
I wonder if that could be a views bulk operation (just like the /admin/content page). If views is enabled then the bulk operations are made available, if views is not enabled then things stay as is.
Comment #5
sebi CreditAttribution: sebi at meltmedia commentedThanks for your reply! I think the enable/disable all is useful as a compromise for sure. I'm sure there is some historical reason for enabling by default. I'm just concerned that someone who isn't aware of jsonapi creates a content type and now you can technically get to all the fields if it hasn't been "locked down". One less thing to worry about. I like to err on providing information as you need it than giving too much if not necessary.
Comment #6
e0ipsoI see where you are coming from. However I think that full linkability is more important in this case. Moreover, this policy goes in the same line that the JSON API uses, which is to expose all that the user can read & write based on the entity permissions.
Remember, you don't expose everything. You only expose the information that the user already has access on the website via HTML. If they can access it via HTML it's not a big deal that they can access it via JSON.
Comment #7
e0ipsoComment #8
e0ipsoComment #9
minnur CreditAttribution: minnur at Chapter Three commentedHere is a custom module for disable/enable all functionality. https://github.com/minnur/jsonapi_extras_bulk it might still have some bugs haven't fully tests, but might be something that we could put into JSON:API Extras module.
Comment #10
efpapado CreditAttribution: efpapado as a volunteer commentedI added minnur's code from his
jsonapi_extras_bulk
module to thejsonapi_extras
module, and wrote some tests.Attaching a patch.
Comment #11
jonnyeom CreditAttribution: jonnyeom as a volunteer commentedTested against 3.13 and the latest 3.14 as well.
Works great! Thanks!
Comment #12
gitesh.koli CreditAttribution: gitesh.koli commentedpatch #10 works ! Tested this against 3.14
Comment #13
hoporr CreditAttribution: hoporr commentedSame here: path #10 works; tested against 3.14.
Very useful feature.
Comment #14
bbralaSince this is duplicate code, we should find a way to extract this code to a service, parent or trait or something.
Also i'm wondering there should be confirmation before disabling all resources. It's relatively easy to misclick and break your configuration this way. What do you think?
Comment #15
brianperryApplied patch in #10 and it worked well. Also agree that a confirmation step would be worthwhile.
Comment #16
mxr576JSON API does a little bit more than that with its default behavior. When a module is enabled the
/jsonapi
exposes information about ALL entity types and bundles that the current site has, no matter if a user has access to any entity of entity type X or not. However, it is highly unlikely that a name of an entity or a bundle would lead to direct information disclosure, the response still provides a quite clear indirect idea about the enabled modules on a site, which can be leverage when there is a security issue with module X.(Even though changing the default
/jsonapi
path is recommended, I do not think it mitigates this.)Comment #17
bbralaThis is true, but by default i'd rather not change this. Although if i look at our default workflow, i'd also rather have new resources disabled by default then enable the ones I need. We could add an option to jaonapi_extra's for this behaviour, but that should be a separate issue.
Comment #18
mxr576The problem with #10 is that it only provides a UI solution for bulk disabling/enabling API endpoints. It does not solve the problem that whenever a custom/contrib module introduces a new entity/bundle you have to keep in mind that you may want to disable the related JSONAPI endpoint _manually_ because it gets exposed by default.
Comment #19
bbralaYes i understand that, and as i said, i'm open to having an option to disable by default.
Comment #20
mxr576Sorry, I did not see your previous comment when I submitted my new one after #17 :)
I am open a new issue later and reference this one, although maybe it should be rather a Drupal core issue for JSON API to have a switch for the default behavior.
Comment #21
e0ipsoRemember that you are talking about information that you are declaring to be accessible, so it is exposed. There are several points where you might avoid that info being consumable:
I think these are ample options to disable the entities to be exposed.
----
That being said, I have a client project that applies the "off by default" behavior. And believe me that there is more nuance than I anticipated in that scenario. My custom module allows config like this:
Having implemented that, I would say this is out of scope of this issue.
Comment #22
e0ipsoI think the scope of this issue is solving the problem of: Oh my! Now I have to click all these pages manually...
Comment #23
mxr576@e0ipso, thanks for your insides :) Yes, I am aware that both the current solution and the other one have their PROS and CONS. There is no perfect default configuration for everyone (for every project).
The background story where my frustration is coming from that enabling JSON API on an existing project causing a bunch of unexpected extra work for developers. (If they even know what "side-effects" this module comes.)
That gets even a bigger nightmare when an upstream adds JSON API as a dependency (f.e.: because it introduces one decoupled component) and just by updating the latest version on a downstream project, a bunch of API endpoints and information gets exposed from a site and downstream devs without preliminary knowledge may not even recognize this. So the unexpected extra work in this scenario is both on the upstream side and the downstream side. The upstream has to provide detailed documentation and manual steps for downstream devs about how they can achieve "an expected state" on site after updating to a news release.
I agree that this out of the scope of this issue.
Is there a chance to have that published on Drupal.org? :)
Comment #24
e0ipsoCan you clarify these two points? I am not sure I understand if the needs behind these are generic or a particular use case:
----
Sadly, I already maintain enough modules so it may be a while until I find the ability to do so.
Comment #25
mxr576What I have just described earlier, but in short: my expectation is that the JSON API module should just provide a programming API that simplifies the creation of JSON API compatible endpoints, instead of exposing a bunch of API endpoint on a site when it gets installed.
As you can see, just the name of the exposed endpoint can leak information from a site, even if they respect the entity/field access under the hood. Also, if you are enabling the JSON API module on upstream (f.e.: in a distribution), because you want to expose 1 entity API endpoint, you suddenly expose a bunch of other API endpoints on every dowstream site that uses your distro and downstream developers who are not familiar with this module, they may not even know about it.
Anyway, maybe my expectations are incorrect and this issue is definitely not the right one to discuss with a broader audience. Sorry for the noise :)
Comment #26
efpapado CreditAttribution: efpapado as a volunteer commentedI agree.
At least, there should be by default an easy differentiation between content and config entities.
Comment #27
uniquename CreditAttribution: uniquename commentedJust thinking: if the two buttons from the patch would also save a setting, if resources should be enabled or disabled by default, it might be possible to hook into the creation of an entity type, when a new module is installed, with hook_modules_installed and set the resource status accordingly.
Comment #28
bbralaAs #3169413: Add a configuration option to default resources without configuration to disabled was merged. Wouldn't that kinda cover this use case? Now you can default to disable unconfigured resources.
Comment #29
mxr576@bbrala yes, it seems that is something we can use to cover this use case, although that commit is not available in a stable release yet. So I hope there will be a new release soon.
Comment #30
bbralaI released 3.20 which should contain that feature? Have you tried that release?
Comment #31
mxr576Hm, I used simplytest.me to quickly try this out but that versions was not and still not visible there. Which is possibly a bug in their end, also my bad. Sorry