Problem/Motivation
After Wim's fix in #3035045: Make EntityToJsonApi use subrequests so that it never breaks again, we found that the method used to derive the route doesn't account for routes that are overridden by jsonapi_extras - i.e. a route that in plain JSONAPI would be described as jsonapi.node--article.individual
may be overridden to be jsonapi.article.individual
, and only the first route definition is considered inside EntityToJsonApi.
Proposed resolution
The service, as part of jsonapi_extras, should be aware of the overridden route. I have a quick patch that replaces the existing logic to load the appropriate resourceType from the resourceTypeRepository, this works in our situation, but further thought may be required so that this fits all use cases (i.e. is the overridden resourceType always going to be the component of the route?).
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#16 | 3049221--entity-normalizer-fixes--16.patch | 2.89 KB | e0ipso |
| |||
#11 | 3049221-11.patch | 4.26 KB | Wim Leers |
#11 | interdiff.txt | 1.23 KB | Wim Leers |
#6 | 3049221--interdiff--5-6.txt | 2.23 KB | e0ipso |
#6 | 3049221--entity-normalizer-fixes.patch | 3.96 KB | e0ipso |
|
Comments
Comment #2
logickal CreditAttribution: logickal at The Weather Company commentedComment #4
logickal CreditAttribution: logickal at The Weather Company commentedJust adding another note based on a rabbit hole we went down this afternoon - It would seem that if you have a cron job that is processing queues that expect to be able to use the service, there is no session as part of the subrequest so the SessionHandler::write() method throws an exception as it tries to get the uid from the non-existent session. I'll continue chasing that down and also address the test failure on this issue tomorrow.
Edit - this MAY be a result of Drupal 8.6.14, but I don't have any solid evidence of that as of yet.
Comment #5
logickal CreditAttribution: logickal at The Weather Company commentedAttaching a patch that modifies the service to take in the session service and use that if it can't pick one up from the current request. This is definitely WIP just to fix our immediate issue and doesn't yet address the test failures, so leaving this as Needs Work.
Comment #6
e0ipso@logickal any chance you can give this a try before starting to fix tests?
I feel this will deserve dedicated testing. Maybe normalizing a user with and without the proper permissions?
Comment #7
logickal CreditAttribution: logickal at The Weather Company commentedThanks @e0ipso - that is much cleaner than my rush-job patch. :D We are testing it now, but looks good so far. When I have a few more cycles over the next day or two I will start taking a stab at the tests.
Comment #8
Wim LeersSession handling is complex. I can't vouch for this being correct. It'd require digging very deep in Drupal and Symfony internals.
Given that it seems to be working for both @logickal and @e0ipso (and testbot), I think this is probably fine.
Unnecessary change, was confused by this (wondering: "huh, what is different?!").
Ah, so this is what we were missing :)
Comment #9
Wim Leers(Marked as
so that automated testing kicks in; then we'd at least know that our current tests still pass.)Comment #10
e0ipsoThanks for taking a look Wim!
Well, it was running beyond 80 characters. The linter took care of it.
Even if the session handling is right I don't think we can ensure authentication is properly propagated to the HTTP subrequests. What if we are authenticating the master via an HTTP header, or a qs parameter, or some obscure auth provider? Will subrequests inherity the "current user" properly?
Comment #11
Wim LeersThat's what
\Symfony\Component\HttpFoundation\Request::create()
's$server
parameter is for (PHP$_SERVER
contains HTTP request headers — yes this is weird, this is PHP's legacy sadly).CommentController
's subrequest handling does do this.So it seems that I introduced two bugs in #3035045: Make EntityToJsonApi use subrequests so that it never breaks again:
WRT point 2, I did that kind of intentionally. I've always have been and still am concerned about using this service to generate information for anonymous consumption while in an authenticated user's context, because that would leak information only accessible to the authenticated user to the general public. But clearly I have to admit defeat here since people do want to use it in this way. OTOH this means I think this can never ever get into Drupal core; it's too easy and hence too dangerous to get wrong.
So… ported that same logic from
CommentController
's subrequest handling. Patch still needs to be cleaned up, but this gets the gist across.Comment #12
Wim LeersI think that with #11's interdiff, all of the things in #8.1 can be removed.
Comment #14
e0ipsoThis is probably going to cause an error if the request calling this service contains a non-jsonapi approved qs parameter.
:clap:
also, how is $_SERVER still a thing?! Oh… PHP.
Now that we are passing cookies. I think that cookie-less sessions that are relevant can be considered an edge case. If so, this makes me a bit nervous to have it here.
Comment #15
Wim LeersComment #16
e0ipsoComment #18
e0ipso