Problem/Motivation

The rest module exposed entities by entity type and not by entity type plus entity bundle.

The result for operations like DELETE node/1, PATCH node/1 and POST node depends on what bundle this node has and the configured permissions for that bundle.

Some sites may want to expose only their articles through a REST API, but they cannot configure this.

Why not expose entities through endpoints like entity_type/entity_bundle, i.e. /node/article/1?

This may be done by contrib, but what about #1925618: Ensure Drupal's web services are self-documenting: Swagger support OR rest_api_doc to Drupal core as an experimental module? Should core provide a basic API and documentation?

Proposed resolution

Define a basic REST API like /api/rest/entity_type/entity_bundle/entity_id or even /api/rest/entity_type/entity_bundle/entity_uuid.

Remaining tasks

User interface changes

API changes

Comments

clemens.tolboom

Parent issue: » #2335229: [meta] REST et al

Berdir

Core has no by-bundle view permissions, only for create/edit/update (this should all work fine) but contrib can extend this.

As core doesn't provide this for the UI, I don't think that rest.module has to do it in core?

larowlan

Agreed, if a fix is sought - then it should be generic in the form of per node-type view permissions - not REST specific.

clemens.tolboom

Issue summary: View changes

I forgot to mention POST, PATCH and DELETE operations. My curl example was wrong. Fixed the summary accordingly.

R.Muilwijk

Status: Active » Closed (won't fix)

POST / PATCH / DELETE are checked with the default node permissions for the bundle? View can be limited with contrib.

As by #2 and #3 this can be closed?
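
The generic per-node-type view permission discussed in the comments above, as an added example (not code from Drupal core, from a contrib project, or from any commenter). The module name `bundle_view` and the permission string `view {bundle} content` are hypothetical; because the check lives in the node access layer, it applies to REST GET requests and to the UI alike.

```php
<?php
// Hypothetical module "bundle_view", shown as one listing.
// bundle_view.permissions.yml would contain:
//   permission_callbacks:
//     - \Drupal\bundle_view\BundleViewPermissions::permissions

// --- src/BundleViewPermissions.php ---
namespace Drupal\bundle_view {

  use Drupal\node\Entity\NodeType;

  class BundleViewPermissions {

    // One "view <bundle> content" permission per node type.
    public static function permissions() {
      $permissions = [];
      foreach (NodeType::loadMultiple() as $type) {
        $permissions['view ' . $type->id() . ' content'] = [
          'title' => 'View published ' . $type->label() . ' content',
        ];
      }
      return $permissions;
    }

  }
}

// --- bundle_view.module ---
namespace {

  use Drupal\Core\Access\AccessResult;
  use Drupal\Core\Session\AccountInterface;
  use Drupal\node\NodeInterface;

  // Implements hook_node_access().
  function bundle_view_node_access(NodeInterface $node, $op, AccountInterface $account) {
    // Create/update/delete already have per-bundle permissions in core.
    if ($op !== 'view') {
      return AccessResult::neutral();
    }
    $permission = 'view ' . $node->bundle() . ' content';
    // Forbidden overrides the "allowed" that "access content" would grant.
    return AccessResult::forbiddenIf(!$account->hasPermission($permission))
      ->cachePerPermissions()
      ->addCacheableDependency($node);
  }

}
```

Accounts with the "bypass node access" permission skip this hook, and it is not applied to entity queries or listings, which are filtered through node grants instead.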