GitLab

Also redefine __select__ as parent classes require a version in the URL.

This is needed as rqlcontroller is listed as deps in signedrequest.
This creates the following error in signedrequest:

cubicweb._exceptions.ConfigurationError: cycles in graph: rqlcontroller -> signedrequest

This is cubicweb related and not a cycle in deps directly.

POST for application/json are safe from csrf but not multipart/form-data.
CSRF protection is thus disabled on application/json (no matter the authentications method).

For multipart/form-data, there are 3 usecases:

1. multipart/form-data authenticated by cookies (webrowser), this requires
   csrf and this is handled by MultipartRqlIOController.
2. multipart/form-data anon user, this does not require csrf and this in
   handled by AnonMultipartRqlIOController
3. multipart/form-data authenticated with authorization, this does not
   requires csrf as there is an authentification. This is not handled here
   but in signed-request that implements the authentification.

By the way move the extended version after all include to erase if needed

As of Cubicweb 3.32, there is a CSRF check on every controllers. However, the
RQLIO one is a bit peculiar, as it is intended to be used by authenticated
3rd-parties, meaning that we can disable CSRF check because the RQLIO
controllers does not rely on cookie authentication.

because of CSRF