1. 11 Dec, 2017 4 commits
  2. 08 Dec, 2017 3 commits
  3. 11 Dec, 2017 1 commit
    • Add JSON and JSON Schema views for entities' workflow transitions · 4bf8a69fed72
      Denis Laxalde authored
      We associate the proper 'jsonschema.collection' mapper from the
      WorkflowTransitionsResource resource by implementing the mapper()
      Most added views are straightforward except the
      post_entity_workflow_transition which handles adapter.fire_transition()
      call directly (instead of passing through mapper.values()) since, as
      noted in the previous changeset, we diverge from the actual implementation of
      workflows in CubicWeb to expose a simpler REST API.
      See functional tests for how it works.
  4. 06 Dec, 2017 1 commit
  5. 08 Dec, 2017 1 commit
    • Add mappers for "workflow objects" · 8eda96bb89ab
      Denis Laxalde authored
      We add two mappers corresponding to the TrInfo entity type:
      * TrInfoEntityMapper is used for JSON Schema generation with "creation"
        role; this schema is different from what the normal mapper would
        produce in that it exposes the "name" of the transition directly and
        hides the implementation details of CubicWeb's workflows (which is a
        state machine not really needed in the framework of a REST API).
      * TrInfoCollectionMapper is a collection mapper that only supports
        serialization and produces the array of transitions fired for the
        entity given in context.
  6. 07 Dec, 2017 1 commit
  7. 06 Dec, 2017 5 commits
  8. 05 Dec, 2017 6 commits
  9. 04 Dec, 2017 7 commits
  10. 01 Dec, 2017 2 commits
  11. 30 Nov, 2017 3 commits
  12. 01 Dec, 2017 2 commits
    • Only add "links" to schema of type "object" · 5c2f3851c513
      Denis Laxalde authored
      For other kinds of JSON Schema (e.g. "array" or any final type), it does
      not make sense and will not work.
    • Do not return None from ETypeRelationItemMapper.schema_and_definitions() · eb6de896fb08
      Denis Laxalde authored
      The previous None value would be converted to null in JSON, which does
      not have this meaning (and is not even a valid JSON Schema).
      Instead we now return False to indicate that there is no data for items
      of the relation collection, so that when this "items" sub-schema is used
      within a type: "array", validation will always fail (which, in turn,
      means that no entity creation is possible in such cases).
  13. 27 Nov, 2017 4 commits
    • Protect all API views with an "authenticated" permission · 11f5fcf0bd7d
      Denis Laxalde authored
      This permission (the name does not matter as we used ALL_PERMISSIONS on
      resources in the previous changeset) makes all unauthenticated requests
      on API views result in a "403 Forbidden". This is demonstrated in new
      tests in test_api_permissions.py. In other tests, we have to log in
      before any such requests.
    • Set __acl__ on RootResource and RelationshipResource · 24e8ab93d3cd
      Denis Laxalde authored
      This __acl__ attribute defines the security rules for usage of all
      resources in the tree with RootResource as root in views. (Views
      permission is coming in the next changeset.) The first ACE (access
      control element) states that we allow anything to authenticated users
      while the second one states that we deny everything for everybody else.
      This makes sense since we actually rely on CubicWeb's permission check
      but we still need an authenticated user to perform this check. Such a
      user may be anonymous or a regular account; it does not matter and
      should be handled by CubicWeb's permission system.
      Ideally, we should only have done this on RootResource but
      RelationshipResource (which we should drop, see #17086899) can exist
      outside the resource tree with RootResource as root, so we also need to
      repeat the __acl__ there.
    • Wrap all resources' rset method with a "need_cnx" decorator · 843c600db296
      Denis Laxalde authored
      This ensures that these methods are not called if the request is
      unauthenticated, which would not work since request.cw_cnx is None in
      this case. We issue a 403 Forbidden upon attempt to call these methods.
    • Use request.cw_cnx instead of request.cw_request in resources · 401923e36af6
      Denis Laxalde authored
      The latter is not really meaningful without the old CubicWeb application
      handler (i.e. with "cubicweb.bwcompat = false").
      cw_request attribute is still used elsewhere but that's a start.