GitLab

This is needed as rqlcontroller is listed as deps in signedrequest.
This creates the following error in signedrequest:

cubicweb._exceptions.ConfigurationError: cycles in graph: rqlcontroller -> signedrequest

This is cubicweb related and not a cycle in deps directly.

POST for application/json are safe from csrf but not multipart/form-data.
CSRF protection is thus disabled on application/json (no matter the authentications method).

For multipart/form-data, there are 3 usecases:

1. multipart/form-data authenticated by cookies (webrowser), this requires
   csrf and this is handled by MultipartRqlIOController.
2. multipart/form-data anon user, this does not require csrf and this in
   handled by AnonMultipartRqlIOController
3. multipart/form-data authenticated with authorization, this does not
   requires csrf as there is an authentification. This is not handled here
   but in signed-request that implements the authentification.

By the way move the extended version after all include to erase if needed

As of Cubicweb 3.32, there is a CSRF check on every controllers. However, the
RQLIO one is a bit peculiar, as it is intended to be used by authenticated
3rd-parties, meaning that we can disable CSRF check because the RQLIO
controllers does not rely on cookie authentication.

because of CSRF

It is usefull for download through PyPi, because it avoids to
download the new version that only support Python 3 if it is still
a Python 2 project.

Its two class methods get_schema and get_schema_hash will only compute
the schema once. They where computed every time the schema was
requested.

Closes #1.

This object generates a schema usable by the cwclientlib API.
Enable the schema generation to be done by the backend.

- Python 2 support removed.
- File cubicweb-rqlcontroller.spec seemed to be usefull only for
  Python 2.6, so we removed it.
- We use mainly Debian 10 "Buster" that ships python3.7 for
  python3, so we consider that we won't support previous versions
  anymore. This cube is maintained just a bit and users should
  upgrade, so it does not sound a problem to remove support for
  things that should be upgraded.
- With the same logic, the current last version of CubicWeb
  (3.27.3) is now required. In fact, the needed code in CubicWeb
  is not yet in a version, so it is not accurate, because the
  next one will be needed, but we would like not to wait to
  publish a new version of rqlcontroller.

We decide to support only the newest version of CubicWeb. Like
this, it is easier to maintain and encourages users to upgrade.

This introduces a version 2.0 of the rqlio protocol that is able to answer
select RQL queries with symbolic bindings (with the names of the selected
variables) instead of the positional rows. Because this breaks compatibility
with the 1.0 protocol, this change warrants a new version. The previous version
continues to work alongside the new one.

The end result is the ability to answer the query Any X WHERE X is CWEtype with
[ { 'rows': [ [101], [102], [103], ...],
  'variables': ['X'] } ]
instead of
[ [[101], [102], [103], ...] ]

In protocol version 2.0, when there are no variable names, the variables member
is simply empty. In addition, the value of the 'rows' member of the response
object is exactly the same as the total response in the previous protocol, which
should help write fallback code in client libraries.