dadish

Members
  • Posts

    113
  • Joined

  • Last visited

  • Days Won

    8

Posts posted by dadish

  1. On 3/31/2017 at 6:31 PM, Soma said:

    Just wanted to mention I got caught by a redirect scenario and language stuff. :) If you have multilanguage installed and configured to have language segments "/en/", "/de/" ... so trying out ajax requests to "/graphql/" would redirect to "/en/graphql/" but you get a response:

    
    {"errors":[{"message":"Must provide an operation."}]}

    So it took me a while to figure out and was looking at the query instead. Doing the request to "/en/graphql/" works flawless.

    Yeah, I had my nightmares with this situation too. There are lots of scenarios when ProcessWire could redirect your ajax requests and the graphql will not receive the query. The ones that I had encountered were:

    • If the url ends without slash: ...website.com/graphql ==> ...website.com/graphql/
    • If there is no www prefix: website.com/graphql/ ==> www.website.com/graphql/

    And now I guess when languages are enabled you also gotta make sure ProcessWire is not redirecting you to the respective language url of the graphql api. I haven't tested the module with the languages enabled yet, but I am sure there would be some additional caveats.

    On 3/31/2017 at 6:31 PM, Soma said:

    Permission so far seem to work. The template access setting seem not to be inherited, I guess that is intentional? I may have missed it and it was mentioned. Then I'm sorry. – Like in a default install "home" has guest view access enabled, so all pages inherit that (unless you set it not to). But I had to give basic-page explicit guest view access to get querying. I think it's ok to not have all templates inherit access for graphQL.

    Yes, that's the expected behavior. Unfortunately to support permission inheritance would be too expensive. Because it means to check template permissions of each ancestor of each returned page. I think the module is already slow and supporting permission inheritance would make it even slower. I guess I have to mention about not supporting permission inheritance somewhere in the documentation of the module.

    23 hours ago, Soma said:

    ... Lol hmm I added it to allowed fields and still same error. System fields "created",  "modified" work fine.

    That's right, it turns out there was a bug. I pushed an update regarding the datetime field. Grab the latest version of the module and it should work properly.

    23 hours ago, Soma said:

    Also if you only want to get one specific page is it correct to do for example a

    
    {
      basic_page(s: "id=1001"){ 
        list{ 
          title
        }
      }
    }

    or are there any other methods?

    Yep. That's the way. I know, it's ugly. But I can't think of a less verbose way to return a single page from the api. We could, of course introduce an additional field for each template like basic_page_single or something. But I don't think it's worth it, plus it will make the schema bigger for very little gain.

    23 hours ago, Soma said:

    So we can request a size that doesn't exist and it will create it if we have rights to do so. That would be pretty cool. Would be crazy to allow some stranger creating 1million sizes through public API :). But still if one has write access it is possible, but maybe that's no real issue.

    I'm still trying to grasp the concept of graphQL and your implementation in PW. So every new Fieldtype and InputfieldType would have to be implemented to work with graphQL?

    I totally agree. We can't allow everyone to create images. The size field of the image type creates images only if the user has an edit permission on that image field. It is still available to the users who do not have edit permission, but only for getting existing variations, and it should return null if there isn't an image variation with the requested size.

    Edit: By the way, thanks a lot for the feedback.

    • Like 4
  2. 5 hours ago, Robin S said:

    Thanks for the video, and also a separate thanks for updating the Skyscrapers profile and making the export of that available. Would it be okay to mention your repo of that over in the Skyscrapers Profile thread so people can use it until we have an official profile release by Ryan?

    Sure, by all means.

    5 hours ago, Soma said:

    @Nurguly Ashyrov awesome cast! Thanks for making all this and taking your time to make it awesome :) This is really cool stuff and opens up a lot of possibilities.

    Thanks. I am glad you like it @Soma.

    • Like 1
  3. Thanks @adrian! I rerecorded the video many times before I could make it watchable. Trust me, you wouldn't say the same thing for the very first ones :D 

    About the field access rules. Yeah that's true. By default the behavior is the opposite to the one in ProcessWire. I think it would be better for security if the module initially treats everything private. But I get what you mean. In cases where you have dozens of fields in one template, it would be too tedious to configure access for each of them. That's why there is an option to reverse the behavior in the advanced section of the module configuration. You can learn more about it here. This option basically makes all fields without Access rules available to the public and you can restrict access by enabling rules only to couple ones.

    • Like 9
  4. On 3/21/2017 at 7:59 PM, mvdesign said:

    Hi, and thanks for this great module :)

    Can you provide an example on how to create/update a page from GraphQL API ?

    Hi @mvdesign. So sorry that I could not respond earlier. I decided to make an introduction video for this module to help people that are trying to use it. But then, I never made a screencast video before, and on top of that, the last time I spoke English was 2011. So I had to take dozens of try-outs till I got something watchable.

    So here is the video. It shows how you would create/update pages with this module. The video is far from OK, so I will probably record another one after I get some feedback. Until then please refer to this video to learn about how the module works.

     

    • Like 23
  5. 19 minutes ago, microcipcip said:

    Now it works!! This is so cool...I wish I could like this thread twice :). Do you have any plan of adding the RepeaterField?

    I am happy it works now :). The plan is to add support for all core fieldtypes. That includes RepeaterField also. I will try to keep everyone updated via this thread, and you can also keep with the changelog.

    • Like 6
  6. 1 hour ago, microcipcip said:

    ...

    Do you know why? If I try the query in the GraphiQl admin I get the right data back. Do I have the wrong permissions set in the module?

    No, it's not the permissions. You're doing everything properly.

    I never tried this module with axios before, therefore this error is new to me. It turns out that axios sets the Content-Type header to application/json;charset=UTF-8 instead of application/json. That's where the problem was, because the ProcessGraphQL module would parse json payload only if Content-Type was set to just application/json. I changed the behavior and now it will look to your query in json payload if Content-Type contains application/json string in it. Please grab the latest version of the module and try again. It should work now.

    Thank you for taking time to report the issue.

    • Like 6
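The Content-Type mismatch described in this post, shown as an added example in JavaScript (it is not the module's PHP code). It compares the exact match, the "contains" match and a match on the parsed media type; the function names and sample headers are constructed for illustration.

```javascript
// Added example; function names and sample headers are constructed.

// Behaviour before the fix: only the bare media type is accepted.
function exactMatch(header) {
  return header === 'application/json';
}

// Behaviour described after the fix: the header only has to contain the string.
function containsMatch(header) {
  return typeof header === 'string' && header.includes('application/json');
}

// Alternative: compare only the media type, i.e. the text before the first
// ";", which is case-insensitive. Parameters such as charset are ignored.
function mediaTypeMatch(header) {
  if (typeof header !== 'string') return false;
  const mediaType = header.split(';')[0].trim().toLowerCase();
  return mediaType === 'application/json';
}

// Run all three checks on one header value.
function compareChecks(header) {
  return {
    exact: exactMatch(header),
    contains: containsMatch(header),
    parsed: mediaTypeMatch(header),
  };
}

// Constructed header values: what superagent sends, what axios sends,
// a differently cased variant, and a non-JSON type that mentions JSON.
const SAMPLE_HEADERS = [
  'application/json',
  'application/json;charset=UTF-8',
  'Application/JSON; charset=utf-8',
  'text/plain; note=application/json',
];

// One row per sample header, ready for console.table().
function compareAll(headers = SAMPLE_HEADERS) {
  return headers.map((header) => ({ header, ...compareChecks(header) }));
}
```
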
  7. 2 hours ago, teppo said:

    Personally I think that this thread already includes so much great content that it'd be a shame to abandon it -- not to mention that it's more than likely that folks looking for details about this module would end up here anyway.

    It's your choice obviously, but if you want, I (or any other moderator here) would be more than happy to move this thread to the modules section. Just let us know when you have decided what to do with it :) 

    I agree with you on that. I think it would be best if we move this thread to modules section. So, please move it to the modules section. Then after I will update my first post of this thread a bit and add a module tag I guess :) 

    • Like 3
  8. I am happy that you like it @Sebastian, thank you for your support. I started the thread here because I thought this would be more like a discussion on how GraphQL and ProcessWire could fit together and wanted to get some feedback first. But this thread quickly became this module's official place here in the ProcessWire forums. Also @teppo included the link to this thread as the "dedicated support forum thread" in the 143 issue of the weekly.pw (which I was flattered to see :)).

    Now I don't really know how to go on with this thread. Should we abandon it and start new thread in the modules section? Or maybe this thread could be moved to modules section? What @moderators think of this?

    Meanwhile, for those who are following this thread I wanted to mention that there are some additions in the dev branch, such as mutations that allow you to create/update pages and there is also support for FieldtypeMapMarker field. I stopped developing the module for some time because I thought that it needed a good testing before moving further with it and decided to build an SPA using this module, to see if there is something that needs to be added or changed. But then I got carried away and started to make usage of third-party APIs such as Wikipedia and GoogleMaps. As a result the app does not make heavy usage of the ProcessGraphQL module, but it is still relevant to showcase the module's abilities. It is a US Skyscrapers app, duh... You can see it live here and the source code here (though I doubt that the code will interest you if you are not a React developer).

    I was finished with this demo SPA just couple of days ago. Now I will be back to continue to work on this module again.

    • Like 11
  9. Hey @bcartier and everyone who is following. I implemented a basic language support. Nothing really changed, except now with LanguageSupport enabled in your ProcessWire app, the GraphQL api will return the content in whatever language the user is assigned.

    In addition, when Language Support module is activated, there is a language field in your GraphQL api. So you can request the exact language you want. It looks like this.

    {
      language(name: "de")
      basic_page{
        list{
          title
          summary
        }
      }
    }

    You need to put the language field on the top. Well, not exactly on top but just before fields that return translatable content, like title, headline, body etc. It's because GraphQL processes requested fields from top to bottom and it will not know what language you want till it gets to language field. Did you also know that in GraphQL you can query same field multiple times with aliases? Here, take a look at this

    {
      basic_page_default: basic_page{
        list{
          title
          summary
        }
      }
      language(name: "de")
      basic_page_de: basic_page{
        list{
          title
          summary
        }
      }
    }

    Curious what will be the response? Try this with site-languages  profile and find out.

    • Like 10
  10. 14 minutes ago, microcipcip said:

    is it possible, for example, to get cropped images? Or more of a general question, can you manipulate the data before you fetch it?

    No there isn't at the moment. There will be support for it of course. The way it will work is if the user has a view access to the image field she will be able to fetch all the available image information, including the thumbnail variations. For user to be able to create thumbnails herself, she will need an edit access for that field.

    • Like 4
  11. @Oliver, @bcartier Thanks guys. Glad you like it.

    3 hours ago, bcartier said:

    Does this handle Language fields yet? For example, I have translated titles, summaries for an "article"  template, and I've allowed the article template, along with the "title" and "summary" fields in the module settings, but the the translatable fields are still not available through GraphiQL, even though the other non-translatable fields are. 

    No, Language fields are not supported yet. There will be support for them too. Maybe I will implement them this weekend. In any case I will let you know when they are available.

    For those who are following this module, I make releases almost everyday. Sometimes I introduce new bugs but patch them as soon as I find them. There are bunch of features added since the first introduction. You can follow up the changes/additions in the changelog. Lots of parts are not documented yet but I will provide full documentation and possibly introduction video targeted to ProcessWire users, on what the module is about, how you can use it, along with some todo app tutorial.

    But for now, feel free to play with it and provide some feedback either here or in issue tracker. It is always easier to make changes in the beginning.

    • Like 9
  12. Hey @zota. I made some changes on how the GraphiQL assets are loaded in the admin interface. Before that it was a quick stupid hack, sorry. Now it is as it is supposed to be loaded for Process modules. I don't know why I didn't do it from the start. Please remove the old version and install the latest from repository. The error you are getting will most likely go away.

    • Like 3
  13. 6 hours ago, zota said:
    
    Parse Error: syntax error, unexpected '^', expecting ']' (line 9 of /home/zota/www/pw-logica/site/modules/ProcessGraphQL/GraphiQL/build/static/js/main.059c7daf.js) 

    Any clue?
    thanks

    Just to make sure. Is this a PHP error, or is it a JavaScript error in your browser console?

    Could you also give some environment details. Which version of PHP, ProcessWire?

    • Like 1
  14. On 2/5/2017 at 11:44 PM, Werner Pilnei said:

    Hello Nurguly,

    I was following this thread from day one and I am deeply impressed by the passion you are putting into your 'baby'. Especially your in-depth explanations helped me understand your concept and getting first results on my own. Very often talented programmers do not have the same skill in teaching others . But you definitely have.

    Thank you @Werner Pilnei. I am excited because I like using ProcessWire :). I try to do my best in introducing this module to the community. GraphQL is very young standard and is not mainstream yet. I intentionally started this thread in the Pub section, to make sure this is not a module support page but more a discussion on GraphQL (as this new api standard by facebook) and ProcessWire. To talk about how they could fit with each other, what ways we could use it, the new ways to use ProcessWire and so on.

    I personally never think about ProcessWire as a CMS. Though it is in fact a true CMS in its literal meaning, it is best at managing your content. But when people are introduced to ProcessWire it is presented as CMS and since the web is cursed by WordPress, people start using ProcessWire with wrong assumptions in their minds which result in negative impressions. I am generalizing here but when an average web developer hears CMS, she thinks it is a ready website with bunch of functionality baked in like tags, searching, blogging, commenting and so on.  Those functionalities become the evaluation criteria and when they see that there is no tags in ProcessWire they count that as one of the things ProcessWire is missing. They don't understand that tags are something ProcessWire shouldn't have, because they are used to see tags in a CMS.

    I don't think that I am telling something new here. The community is well aware of this problem and the release of new site profile states that these problems are being addressed. But it doesn't have to be the only way. The modular architecture of ProcessWire allows us to extend it anyway we want, and this module is one of those attempts in presenting ProcessWire in different perspective. Even if it won't make much difference, I think we should keep trying and experimenting. Who knows what could come up along the way. I was only thinking about SPAs when creating this module. Never thought of PWA and usage with service workers like you approached it. Which is, by the way is great to hear. I hope there will be bunch of other ways people use it.

    • Like 19
  15. 12 hours ago, bernhard said:

    hmmm... so you define your query on the client side? how can you make sure that people do not modify your queries in a way that you do not want? i read of your server-side restrictions regarding templates, but wouldn't it still be possible to modify the queries to some extend (like changing number of records to show, fields and so on). i'm thinking of someone maybe stealing content or creating his own json exports of my site's content...

    That will all depend on how you configure your api. If you wish this module can expose all pages in your website, including the system ones. Or you can restrict to some very limited data. There is more functionality to come, but at this stage the module supports:

    • Template restrictions. You can choose which templates are enabled, but in addition it will conform to ProcessWire permissions. So you could limit access to certain templates only to certain user roles. You can enable access to only logged in users for example.
    • Field restrictions. Also supports ProcessWire permissions. Including template context permissions. Meaning, you can allow title to be viewable for one template and restrict for another.
    • Max limit support. Like the one you use in selectors. So users won't be able to get list of data for more than say 50 pages at a time.

    and also many other security options are on the roadmap: 

    • Built in field restrictions. At its current stage api gives access to page fields like children, parents, createdUser..., or there are path, size, basename for files and images fields. Those will be disabled and available as extras.
    • Query complexity limit. Currently you can build queries as deep as you want, to request ridiculous amounts of data. This will also be limited for only couple levels of complexity and you will be able to increase or decrease it.
    • Like 10
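Until the query complexity limit on the roadmap above exists, nesting depth can be measured in front of the endpoint, for instance in a proxy or a test suite. The following is an added example, not ProcessGraphQL code: it counts selection-set depth with fragment spreads expanded, and its function names and sample queries are constructed assumptions.

```javascript
// Added example, not ProcessGraphQL code. Sample queries are constructed.

// Reduce a GraphQL document to the tokens that matter for depth counting.
// Strings and comments are skipped, so braces inside a selector are ignored.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '#') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (src.startsWith('"""', i)) {
      let end = src.indexOf('"""', i + 3);
      while (end !== -1 && src[end - 1] === '\\') end = src.indexOf('"""', end + 3);
      if (end === -1) throw new Error('unterminated block string');
      i = end + 3;
    } else if (c === '"') {
      i++;
      while (i < src.length && src[i] !== '"') i += src[i] === '\\' ? 2 : 1;
      if (i >= src.length) throw new Error('unterminated string');
      i++;
    } else if (src.startsWith('...', i)) {
      tokens.push('...');
      i += 3;
    } else if (/[_A-Za-z]/.test(c)) {
      let j = i + 1;
      while (j < src.length && /[_0-9A-Za-z]/.test(src[j])) j++;
      tokens.push(src.slice(i, j));
      i = j;
    } else {
      if ('{}()@'.includes(c)) tokens.push(c);
      i++;
    }
  }
  return tokens;
}

// Record, for every operation and fragment, its own brace depth and the
// fragment spreads it contains together with the depth each spread sits at.
function measureDefinitions(src) {
  const tokens = tokenize(src);
  const operations = [];
  const fragments = new Map();
  let def = null, braces = 0, parens = 0;
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k];
    if (t === '(') { parens++; continue; }
    if (t === ')') { if (--parens < 0) throw new Error('unbalanced parentheses'); continue; }
    if (parens > 0) continue; // arguments; braces here are input objects
    if (braces === 0 && def === null) { // first token of a new definition
      def = { depth: 0, spreads: [] };
      if (t === 'fragment') fragments.set(tokens[k + 1], def);
      else operations.push(def);
    }
    if (t === '{') {
      braces++;
      def.depth = Math.max(def.depth, braces);
    } else if (t === '}') {
      if (--braces < 0) throw new Error('unbalanced braces');
      if (braces === 0) def = null;
    } else if (t === '...' && tokens[k + 1] !== 'on' && /^[_A-Za-z]/.test(tokens[k + 1] || '')) {
      def.spreads.push({ name: tokens[k + 1], depth: braces });
    }
  }
  if (braces !== 0 || parens !== 0) throw new Error('unbalanced document');
  return { operations, fragments };
}

// Depth of the deepest selection set once fragment spreads are expanded.
function queryDepth(src) {
  const { operations, fragments } = measureDefinitions(src);
  const memo = new Map(); // each fragment is resolved once
  const resolve = (def, path) => {
    if (memo.has(def)) return memo.get(def);
    let depth = def.depth;
    for (const s of def.spreads) {
      const frag = fragments.get(s.name);
      if (!frag) throw new Error('unknown fragment ' + s.name);
      if (path.includes(frag)) throw new Error('fragment cycle at ' + s.name);
      // A fragment's outer braces coincide with the set holding the spread.
      depth = Math.max(depth, s.depth - 1 + resolve(frag, [...path, frag]));
    }
    memo.set(def, depth);
    return depth;
  };
  return Math.max(0, ...operations.map((op) => resolve(op, [])));
}

// Decide whether a query may be forwarded; malformed documents are refused.
function checkDepth(src, maxDepth) {
  try {
    const depth = queryDepth(src);
    return { allowed: depth <= maxDepth, depth };
  } catch (err) {
    return { allowed: false, depth: null, reason: err.message };
  }
}
```

Inline fragments add one level for their own braces, so the count errs on the high side rather than the low side.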
  16. 2 hours ago, bernhard said:

    hi @Nurguly Ashyrov 

    this looks very interesting!

    could you please provide a simple example how one would use graphql and/or your module with simple ajax requests? i guess this could be great to return data for https://datatables.net/ ?

    Hey there @bernhard! I am happy people like it.

    To make an AJAX request to your GraphQL api, you need to send a query variable that describes what you want. You should've seen how the query looks like in the first post of this thread. To send the query you can use any of your favorite AJAX libraries. Here is how it looks like in jQuery.

    $.post(
      '/graphql/', // this is the url where your GraphQL api is exposed.
      {
        query: "{ skyscrapers { list { title } } }", // this is your query, this one requests the skyscrapers and title field for each of them.
      },
      function (res) { console.log(res); } // here you do whatever you want with the returned data
    );

    Or if you prefer to communicate with your api in application/json, you can do that too. Here is how it looks like in my favorite AJAX library - superagent.

    superagent
      .post('/graphql/')
      .set('Content-Type', 'application/json')
      .send({
        query: "{ city { list { title } } }"
      })
      .then(function (res) {
        console.log(res.body);
      });

    PLEASE NOTE: When making requests to your api make sure the url is pointing where it is supposed to. The request will not work if you omit the trailing slash. With default settings the request to /graphql won't be processed by ProcessWire but instead redirected to /graphql/ and the ProcessGraphQL module will not receive the query parameter you sent. Same might happen with leading www. prefix. The request to http://example.com will be redirected to http://www.example.com which will also lose the query parameter in the middle.

    • Like 8
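The redirect cases from this post and from the multi-language reply at the top of this page (missing trailing slash, missing www prefix, missing language segment), handled on the client so that a redirect surfaces as an error instead of an empty query. This is an added example, not code from the module; the helper names and sample URLs are assumptions.

```javascript
// Added example; helper names and sample URLs are assumptions, not module code.

// Build the one URL that ProcessWire answers without redirecting.
//   origin      - scheme and host the site really serves, e.g. with "www."
//   path        - path of the GraphQL page, e.g. "/graphql"
//   langSegment - language URL segment ("en", "de") if language URLs are on
function canonicalEndpoint(origin, path, langSegment) {
  const url = new URL(origin);
  const parts = path.split('/').filter(Boolean);
  if (langSegment && parts[0] !== langSegment) parts.unshift(langSegment);
  url.pathname = '/' + parts.join('/') + '/'; // always ends with a slash
  return url.toString();
}

// List the reasons a request to `requested` would be redirected.
function redirectReasons(requested, canonical) {
  const want = new URL(canonical);
  const got = new URL(requested, canonical); // relative URLs resolve on canonical
  const strip = (p) => p.replace(/\/+$/, '');
  const reasons = [];
  if (got.host !== want.host) reasons.push('host');
  if (!got.pathname.endsWith('/')) reasons.push('trailing-slash');
  if (strip(got.pathname) !== strip(want.pathname)) reasons.push('path');
  return reasons;
}

// Throw instead of handing back a redirect response. Browsers report a
// manual redirect as type "opaqueredirect"; Node exposes the 3xx status.
function assertNotRedirected(res) {
  const redirected =
    res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400);
  if (redirected) {
    const target = res.headers && res.headers.get('location');
    throw new Error(
      'GraphQL endpoint redirected' + (target ? ' to ' + target : '') +
      '; post to the final URL'
    );
  }
  return res;
}

// POST a query without following redirects: a followed 301/302 turns the
// POST into a GET without the body, so the module never sees the query.
async function postGraphQL(endpoint, query, fetchImpl = fetch) {
  const res = await fetchImpl(endpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ query }),
    redirect: 'manual',
  });
  return assertNotRedirected(res).json();
}
```
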
  17. 5 minutes ago, horst said:

    in regard to the public / private part, what @blynx mentioned, especially the by PW default "private fields" simply needs to be covered via accessrights on fieldlevel, set by the dev who wants to use this module. There is no need for public/private endpoints in the module. Or I'm wrong?

    If you build a site without that module, you are done by simply use display logic in your templatefiles to control output of fields. If you want to use the module, you additionally have to mimic the accessrights via PW fields access settings. That's how I understand it by just reading this really valuable thread. :)

    That's right. That's the way it will work when module is done. Currently there is a support for template permissions. Support for Field permissions are on the way, I am working on it but it will take some time. For now you can limit the fields via module settings, I pushed support for legal fields two hours ago.

    12 minutes ago, horst said:

    Thumbs up from @horst ! Yeeeey :) I am a big fan of your modules!

    • Like 7
  18. 14 hours ago, blynx said:

    The confusion might be about this:

    Normally in processwire templates you have to "make the fields public" by manually echoing data in a template (echo $page->title) - so actually for a guest user everything is hidden by default - though by permission actually authorized.

    With this module - everything gets "unveiled" (to use another term here) automatically. This is what I meant by "public" and "private".

    ... am I right?

    Ooh, that's right. Now I get what you mean. Thank you for clarifying that for me.

    That's true, with this module it gets available to the public without echoing it explicitly. So you will have to setup extra permissions to make it closed to the guest user. This was the initial intention of this module really. The goal is to build a tool that will allow you to quickly bootstrap an AJAX api of your ProcessWire content to build SPA out of it. For cases like you guys describe, this module might have some drawbacks. But you could always cook your own GraphQL api and make it behave however you want. It's fairly easy after you learn a bit about it. Here is the library I use for this module.

    • Like 5
  19. 3 hours ago, Ivan Gretsky said:

    I was thinking of a few endpoints to handle authentication with the template permissions. One for the public, another for the registered users with the ability to make changes via mutations when they'll be implemented. There are other ways to handle authentication of course. But then we will have to implement some restrictions via module itself. But maybe I am not seeing something obvious here.

    There is no need for different endpoint for users with different roles. The module does not have any authentication/authorization logic on its own. The users that will be able to authenticate with this module are the same users in your ProcessWire installation. When I mentioned implementing authentication, I was talking about logging in via GraphQL api, like via AJAX. In reality it will be the same $session->login('username', 'password'), nothing more.

    1 hour ago, blynx said:

    Since by defining legal templates in one endpoint those will be legal for anyone.

    No, no. Of course not. I am sorry for the confusion here. Legal templates mean legal for the api. It does not mean it will make it available to the public. Like I mentioned earlier the module checks if the requesting user has permissions to view, edit, create and etc. If say you select user template as legal. It does not mean it will be public. It means it is available via api to those who are authorized to view it, authorized via ProcessWire's access control system.

    I personally don't think there is even a need for the legal templates option. But it is helpful if you have too many templates and selecting only few can reduce the schema size and make api faster.

    I think there is a bit of confusion about this. I want to emphasize that this module does not make any data public, nor does it make anything private. That is not the module's concern. The module's job is to make your data available in a JSON format, in addition providing the ability to consume that JSON data via GraphQL api. If the user does not have permissions to view a certain page according to ProcessWire's access control system then he won't be able to fetch it.

    45 minutes ago, blynx said:

    Maybe it would also be handy to have an option to define "legalFields" in the same way as templates? So you can restrain the amount of data which is instantly public a bit more granularly. So you can just hide anything which doesn't need to be public at all.

    The same goes for fields. When implemented the user will be able to access only those fields that he is authorized via ProcessWire's access control. But I will add an option for legal fields also, because that also could help reduce the initial schema size.

    • Like 3
  20. 19 hours ago, Ivan Gretsky said:

    Here is another idea. What about the ability to make a number of API endpoints with different allowed templates and restrictions based on single instance of a module. By passing an argument to executeGraphQL() or something like that. With the ability do distinguish them in hooks.

    But all you said can already be achieved. :) No need to do anything on my side. Maybe add documentation on module's properties though. You can modify the module settings via api by overwriting them. So here is how you can set different templates for different endpoints.

    <?php
    // /site/templates/graphql-endpoint1.php
    $ProcessGraphQL = $modules->get('ProcessGraphQL');
    $ProcessGraphQL->legalTemplates = array('skyscraper', 'city');
    echo $ProcessGraphQL->executeGraphQL();

    <?php
    // /site/templates/graphql-endpoint2.php
    $ProcessGraphQL = $modules->get('ProcessGraphQL');
    $ProcessGraphQL->legalTemplates = array('architect', 'basic-page');
    echo $ProcessGraphQL->executeGraphQL();

    <?php
    // /site/templates/graphql-endpoint3.php
    $ProcessGraphQL = $modules->get('ProcessGraphQL');
    echo $ProcessGraphQL->executeGraphQL(); // here it will use default settings that you set via admin interface

     

    For the ability to distinguish the versions of your GraphQL endpoints. That's also doable without much effort. We are talking about ProcessWire after all. Here is how it might look.

    $config->GraphqlEndpointID = 123;
    echo $modules->get('ProcessGraphQL')->executeGraphQL();
    $config->GraphqlEndpointID = false;

    And same thing in other template files with different endpoint id. Now anywhere you attach a hook, you can know which endpoint of your api is being executed, or if it is being executed at all. You just need to add a conditional block in your hook. Something like

    if (wire('config')->GraphqlEndpointID === 123) {
      // some business here
    }

     

    I am a bit confused though. One of selling points of GraphQL is that there is only one url that you need to deal with. It's just `example.com/graphql/` and nothing more. No more this

      GET example.com/graphql/skyscrapers/
      GET example.com/graphql/skyscrapers/{id}
     POST example.com/graphql/skyscrapers/
      PUT example.com/graphql/skyscrapers/{id}
    PATCH example.com/graphql/skyscrapers/{id}
      GET example.com/graphql/architects/
     ...

    It's only one endpoint for everything you need. That's actually the way it is encouraged to build GraphQL api. Also it is only one HTTP verb you need to use, which is POST. You can stop thinking about dealing with PUT, PATCH, HEAD, OPTION and more. You only need this with GraphQL.

    POST example.com/your-endpoint-url/

    And that's it. One HTTP verb and one url to rule them all :)

    • Like 3
  21. 1 hour ago, BitPoet said:

    Just a thought, since this is what I try to do with my own modules: could you add hookable methods in ProcessGraphQL that allow implementing custom restrictions? These hookables could be no-ops if not hooked and receive all information about the query at the time of calling, enabling users to filter or reject queries before or after they've run.

    That's a very good idea! Will do that. Thank you for the tip.

    • Like 2
  22. On 1/30/2017 at 7:22 PM, teppo said:

    Obviously this is mainly a problem with systems that include a enabled-by-default (or always enabled) built-in public API, and less so when enabling/installing the API itself is a conscious choice.

    Either way, it's good to understand that exposing your content to the world via a publicly queryable API may uncover some surprises. This is one of the reasons why I find certain value in the idea of crafting the API per current needs and so that it only exposes the minimum viable amount of data :)

    You are completely right. I can't argue that "enabled-by-default" approach can lead to lots of security issues. That's why I am limiting the exposable pages only to selected templates. While the selector option is quite simple to implement I don't want to enable this kind of option because I believe it should not be this module's concern.

    The way I see it, if this module stays consistent and retrieves data only through $pages->find() api (or its equivalent like $page->children(), $page->siblings() etc) that should give the user any type of control with the security. For example what you suggest could be achieved with a single hook. Say this is your template file where you expose your GraphQL api (something like /site/templates/graphql.php).

    <?php
    
    echo $modules->get('ProcessGraphQL')->executeGraphQL();

    What you suggest could be achieved like this.

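    <?php
    
    // Placeholder selector: replace with the one returned pages must match.
    $mySecuritySelector = 'template=basic-page';
    
    // The closure needs `use` to see the selector defined above.
    wire()->addHookAfter('Pages::find', function($event) use ($mySecuritySelector) {
      // Keep only the found pages that match the security selector.
      $event->return = $event->return->filter($mySecuritySelector);
    });
    
    echo $modules->get('ProcessGraphQL')->executeGraphQL();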

    I would prefer users to approach security this way. This strategy to security gives full control for the user while allowing me to stick to a single rule when concerned about security and makes the code of the module much easier to reason about. I do realize that I could just insert the above code in the module and that's basically an implementation of what you suggest. But I don't want to encourage the user to solve security problems via module settings because no matter how hard I try, I won't be able to make this module dummy proof without limiting its capabilities.

    Another thing I wanted to mention is that I see this module as a GraphQL representation of ProcessWire api. Like @Ivan Gretsky mentioned, if done right, this could allow us to build lots of useful developer tools on top of this module. Even a mobile app that gives you limited site administration capabilities. But only if module is consistent with how ProcessWire behaves. And that includes the security of course.

    On 1/30/2017 at 7:22 PM, teppo said:

    Note: don't get me wrong, I'm definitely not against this module. What I've said here is mostly theoretical. I also think that your idea of being able to manually define queryable templates makes a lot of sense. While I'd still suggest enabling a selector instead, you obviously know the use cases (and the implementation) better.

    Oh no sir, not at all. I value your opinion very much. That's exactly what I wanted to hear from the community, opinions. I am thankful to you for mentioning this aspect of the module in its early stage, before I started to implement other features that depend on it, like authentication or others that I might not think of right now.

    • Like 9
  23. 1 hour ago, teppo said:

    That being said, have you already implemented or are you considering implementing custom selector support for such limits? I.e. allow the developer to manually define a selector that returned pages must match, or alternatively should never match? I think that could make a lot of sense from a security point of view, particularly for public API endpoints, where it might actually work best as a per-endpoint setting :)

    I have not thought about this kind of security layer. Though it sounds reasonable. I will keep in mind this option. For now I plan to add an option to limit the templates that are meant to be accessible via public api by explicitly selecting them.

    • Like 2
  24. 41 minutes ago, teppo said:

    ...sometimes a site may have content that is viewable only if you know the direct URL, and a public API like this may make it "more public" than the developer intended.

    Are you talking about pages with the status hidden? If that's the case, it should behave as expected. At this point this module accesses content only via $pages->find(). As long as $pages->find() does not return pages that are not intended for public this module should not make it accessible. I do not use $pages->get() as it bypasses some permission rules.

    41 minutes ago, teppo said:

    Another thing is that there may be a code-level permission check in place, and a module like this would have hard time figuring that out.

    As a proper citizen of ProcessWire, one would implement code-level permission check by attaching a hook to User::hasPagePermission, User::hasTemplatePermission or any other equivalent, including field level permissions. For that cases this module wouldn't have to figure out anything, it will happen naturally. But for those cases where access to resources are checked outside of ProcessWire's permissions context, this module might not be a good fit for building service api.

    • Like 1