Commit f202f2e9 authored by Adrien Di Mascio's avatar Adrien Di Mascio
Browse files

[views] implement json / jsonp export views (closes #1942658)

Json export views are based on the same model as CSV export views.
There are two distinct views :

- *jsonexport* : direct conversion of the result set into json
- *ejsonexport* : convert entities into json

The JSONP parameter is named ``callback`` (same as on geonames, dbepdia
and a lot of sites)

An optional `_indent` request parameter can be passed to pretty print
the results.
parent 65e460690139
......@@ -223,13 +223,32 @@ def in_memory_cnx(repo, login, **kwargs):
return repo_connect(repo, login, cnxprops=cnxprops, **kwargs)
def in_memory_repo_cnx(config, login, **kwargs):
"""usefull method for testing and scripting to get a dbapi.Connection
"""useful method for testing and scripting to get a dbapi.Connection
object connected to an in-memory repository instance
# connection to the CubicWeb repository
repo = in_memory_repo(config)
return repo, in_memory_cnx(repo, login, **kwargs)
def anonymous_session(vreg):
"""return a new anonymous session
raises an AuthenticationError if anonymous usage is not allowed
anoninfo = vreg.config.anonymous_user()
if anoninfo is None: # no anonymous user
raise AuthenticationError('anonymous access is not authorized')
anon_login, anon_password = anoninfo
cnxprops = ConnectionProperties(vreg.config.repo_method)
# use vreg's repository cache
repo = vreg.config.repository(vreg)
anon_cnx = repo_connect(repo, anon_login,
cnxprops=cnxprops, password=anon_password)
anon_cnx.vreg = vreg
return DBAPISession(anon_cnx, anon_login)
class _NeedAuthAccessMock(object):
def __getattribute__(self, attr):
raise AuthenticationError()
......@@ -26,9 +26,23 @@ list them by category. They are all defined in
typically using JSON as a serialization format for input, and
sometimes using either JSON or XML for output;
* the JSonpController is a wrapper around the ``ViewController`` that
provides jsonp_ services. Padding can be specified with the
``callback`` request parameter. Only *jsonexport* / *ejsonexport*
views can be used. If another ``vid`` is specified, it will be
ignored and replaced by *jsonexport*. Request is anonymized
to avoid returning sensitive data and reduce the risks of CSRF attacks;
* the Login/Logout controllers make effective user login or logout
.. warning::
JsonController will probably be renamed into AjaxController soon since
it has nothing to do with json per se.
.. _jsonp:
* the Edit controller (see :ref:`edit_controller`) handles CRUD
......@@ -457,7 +457,7 @@ class Entity(AppObject):
"""custom json dumps hook to dump the entity's eid
which is not part of dict structure itself
dumpable = dict(self)
dumpable = self.cw_attr_cache.copy()
dumpable['eid'] = self.eid
return dumpable
......@@ -479,10 +479,8 @@ else:
"""define a json encoder to be able to encode yams std types"""
def default(self, obj):
if hasattr(obj, 'eid'):
d = obj.cw_attr_cache.copy()
d['eid'] = obj.eid
return d
if hasattr(obj, '__json_encode__'):
return obj.__json_encode__()
if isinstance(obj, datetime.datetime):
return ustrftime(obj, '%Y/%m/%d %H:%M:%S')
elif isinstance(obj,
......@@ -500,8 +498,8 @@ else:
# just return None in those cases.
return None
def json_dumps(value):
return json.dumps(value, cls=CubicWebJsonEncoder)
def json_dumps(value, **kwargs):
return json.dumps(value, cls=CubicWebJsonEncoder, **kwargs)
class JSString(str):
......@@ -23,6 +23,7 @@ __docformat__ = "restructuredtext en"
import sys
from time import clock, time
from contextlib import contextmanager
from logilab.common.deprecation import deprecated
......@@ -32,7 +33,7 @@ from cubicweb import set_log_methods, cwvreg
from cubicweb import (
ValidationError, Unauthorized, AuthenticationError, NoSelectableObject,
BadConnectionId, CW_EVENT_MANAGER)
from cubicweb.dbapi import DBAPISession
from cubicweb.dbapi import DBAPISession, anonymous_session
from cubicweb.web import LOGGER, component
from cubicweb.web import (
StatusResponse, DirectResponse, Redirect, NotFound, LogOut,
......@@ -42,6 +43,16 @@ from cubicweb.web import (
# print information about web session
def anonymized_request(req):
orig_session = req.session
yield req
class AbstractSessionManager(component.Component):
"""manage session data associated to a session identifier"""
__regid__ = 'sessionmanager'
......@@ -31,6 +31,7 @@ from cubicweb.devtools.testlib import CubicWebTC
from cubicweb.devtools.fake import FakeRequest
from cubicweb.web import LogOut, Redirect, INTERNAL_FIELD_VALUE
from cubicweb.web.views.basecontrollers import ViewController
from cubicweb.web.application import anonymized_request
class FakeMapping:
"""emulates a mapping module"""
......@@ -424,6 +425,18 @@ class ApplicationTC(CubicWebTC):
self.assertRaises(LogOut, self.app_publish, req, 'logout')
self.assertEqual(len(self.open_sessions), 0)
def test_anonymized_request(self):
req = self.request()
self.assertEqual(req.session.login, self.admlogin)
# admin should see anon + admin
self.assertEqual(len(list(req.find_entities('CWUser'))), 2)
with anonymized_request(req):
self.assertEqual(req.session.login, 'anon')
# anon should only see anon user
self.assertEqual(len(list(req.find_entities('CWUser'))), 1)
self.assertEqual(req.session.login, self.admlogin)
self.assertEqual(len(list(req.find_entities('CWUser'))), 2)
def test_non_regr_optional_first_var(self):
req = self.request()
# expect a rset with None in [0][0]
from cubicweb.devtools.testlib import CubicWebTC
from json import loads
class JsonViewsTC(CubicWebTC):
def test_json_rsetexport(self):
req = self.request()
rset = req.execute('Any GN,COUNT(X) GROUPBY GN ORDERBY GN WHERE X in_group G, G name GN')
data = self.view('jsonexport', rset)
self.assertEqual(req.headers_out.getRawHeaders('content-type'), ['application/json'])
self.assertEqual(data, '[["guests", 1], ["managers", 1]]')
def test_json_rsetexport_with_jsonp(self):
req = self.request()
req.form.update({'callback': 'foo',
'rql': 'Any GN,COUNT(X) GROUPBY GN ORDERBY GN WHERE X in_group G, G name GN',
data = self.ctrl_publish(req, ctrl='jsonp')
self.assertEqual(req.headers_out.getRawHeaders('content-type'), ['application/javascript'])
# because jsonp anonymizes data, only 'guests' group should be found
self.assertEqual(data, 'foo([["guests", 1]])')
def test_json_rsetexport_with_jsonp_and_bad_vid(self):
req = self.request()
req.form.update({'callback': 'foo',
'vid': 'table', # <-- this parameter should be ignored by jsonp controller
'rql': 'Any GN,COUNT(X) GROUPBY GN ORDERBY GN WHERE X in_group G, G name GN',
data = self.ctrl_publish(req, ctrl='jsonp')
self.assertEqual(req.headers_out.getRawHeaders('content-type'), ['application/javascript'])
# result should be plain json, not the table view
self.assertEqual(data, 'foo([["guests", 1]])')
def test_json_ersetexport(self):
req = self.request()
rset = req.execute('Any G ORDERBY GN WHERE G is CWGroup, G name GN')
data = loads(self.view('ejsonexport', rset))
self.assertEqual(req.headers_out.getRawHeaders('content-type'), ['application/json'])
self.assertEqual(data[0]['name'], 'guests')
self.assertEqual(data[1]['name'], 'managers')
if __name__ == '__main__':
from logilab.common.testlib import unittest_main
# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact --
# This file is part of CubicWeb.
# CubicWeb is free software: you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation, either version 2.1 of the License, or (at your option)
# any later version.
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
# You should have received a copy of the GNU Lesser General Public License along
# with CubicWeb. If not, see <>.
"""json export views"""
__docformat__ = "restructuredtext en"
_ = unicode
from cubicweb.utils import json_dumps
from cubicweb.view import EntityView, AnyRsetView
from cubicweb.web.application import anonymized_request
from cubicweb.web.views import basecontrollers
class JsonpController(basecontrollers.ViewController):
"""The jsonp controller is the same as a ViewController but :
- anonymize request (avoid CSRF attacks)
- if ``vid`` parameter is passed, make sure it's sensible (i.e. either
"jsonexport" or "ejsonexport")
- if ``callback`` request parameter is passed, it's used as json padding
Response's content-type will either be ``application/javascript`` or
``application/json`` depending on ``callback`` parameter presence or not.
__regid__ = 'jsonp'
def publish(self, rset=None):
if 'vid' in self._cw.form:
vid = self._cw.form['vid']
if vid not in ('jsonexport', 'ejsonexport'):
self.warning("vid %s can't be used with jsonp controller, "
"falling back to jsonexport", vid)
self._cw.form['vid'] = 'jsonexport'
else: # if no vid is specified, use jsonexport
self._cw.form['vid'] = 'jsonexport'
with anonymized_request(self._cw):
json_data = super(JsonpController, self).publish(rset)
if 'callback' in self._cw.form: # jsonp
json_padding = self._cw.form['callback']
# use ``application/javascript`` is ``callback`` parameter is
# provided, let ``application/json`` otherwise
json_data = '%s(%s)' % (json_padding, json_data)
return json_data
class JsonMixIn(object):
"""mixin class for json views
Handles the following optional request parameters:
- ``_indent`` : must be an integer. If found, it is used to pretty print
json output
templatable = False
content_type = 'application/json'
binary = True
def wdata(self, data):
if '_indent' in self._cw.form:
indent = int(self._cw.form['_indent'])
indent = None
self.w(json_dumps(data, indent=indent))
class JsonRsetView(JsonMixIn, AnyRsetView):
"""dumps raw result set in JSON format"""
__regid__ = 'jsonexport'
title = _('json-export-view')
def call(self):
# XXX mimic w3c recommandations to serialize SPARQL results in json ?
class JsonEntityView(JsonMixIn, EntityView):
"""dumps rset entities in JSON
The following additional metadata is added to each row :
- ``__cwetype__`` : entity type
__regid__ = 'ejsonexport'
title = _('json-entities-export-view')
def call(self):
entities = []
for entity in self.cw_rset.entities():
entity.complete() # fetch all attributes
# hack to add extra metadata
'__cwetype__': entity.__regid__,
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment