Author Topic: rest.php interface: a few questions/rant (Read 19003 times)

acrosman · November 18, 2008, 06:31:49 pm

For as much as the CiviCRM as a platform idea is fun, I don't see any real chance that the system would be re-designed to fire two HTTP requests to handle requests by design. There are several places where the front ends would benefit from a good REST interface, but only in ways that prevent full page loads, not places where Drupal or Joomla! would have to make HTTP calls to handle standard operations.

I agree with the issue of protecting the name space with 'civicrm' in the command. The shorter URLs would also require as fancy footwork to get the rewrites to work, without disrupting the rest of a standard clean URL installation of Drupal (and probably Joomla! but I know less about its setup). It might be a good idea in the long run, but it would have to be done with care, and lots of testing on different configurations of the underlying CMS.

Aaron

xavier · November 18, 2008, 11:57:25 pm

My bad about the url, I also agree about the civicrm prefix.

As for the platform, I doesn't make sense to have two requests for what is done normally via the regular web interface. However, having most of the actions potentially doable via the rest interface via ajax is a wortwhile goal.

Also, having the existing ajax stuff using the "platform" rest interface instead of having their ad hoc ajax interface on the server is a good direction.

X+

acrosman · November 22, 2008, 10:10:31 am

Lobo after all this did the field getting added to the database? What's it called, and how can I access it? I'm assuming I have to query the table directly but if there is another way that's better please let me know. I'm hoping to work on the new authentication function this weekend.

Donald Lobo · November 23, 2008, 06:46:07 am

http://issues.civicrm.org/jira/browse/CRM-3860

fixes commited in rev: 18213 a few mins back

its called api_key and has an index. I think if we are only using the key for authentication, then that index should be made unique (it currently is NOT unique). On the other hand we can use a tuple like (contact id, key) or (cms user name, key) for authentication in which case it need not be unique, plus hacking it becomes a wee bit more complex

You can set/get this value by calling

CRM_Core_DAO::getFieldValue( 'CRM_Contact_DAO_Contact', $contactID, 'api_key' );
CRM_Core_DAO::setFieldValue( 'CRM_Contact_DAO_Contact', $contactID, 'api_key', $apiKEY );

lobo

acrosman · November 23, 2008, 01:46:13 pm

Great. I'll update my svn copy and see what I can pull together in the next few days.

Aaron

xavier · November 25, 2008, 07:05:14 am

Great,

Could you mail me when you're moved more, I'll try to use it with my ajax tagging

cap10morgan · November 25, 2008, 01:30:53 pm

Quote from: acrosman on November 18, 2008, 06:31:49 pm

For as much as the CiviCRM as a platform idea is fun, I don't see any real chance that the system would be re-designed to fire two HTTP requests to handle requests by design. There are several places where the front ends would benefit from a good REST interface, but only in ways that prevent full page loads, not places where Drupal or Joomla! would have to make HTTP calls to handle standard operations.

...

Aaron

Sorry, I didn't mean to imply that it would work like this. From what I've seen, most RESTful systems handle this via a content negotiation scheme of some kind. So, if I send the GET verb for a specific resource w/ a .html extension (or a &format=html parameter, or any other equivalent mechanism), then I get the "web browser" view of that resource. Ideally it's semantic XHTML w/ CSS for design / layout. If I say .xml or &format=xml, then I get XML. Similarly for .json or &format=json for JSON.

So there is just one HTTP request like there is now, but it uses the REST resource-based URLs.

acrosman · December 14, 2008, 11:11:22 am

I'm finally getting this done (it should be complete in a couple hours). But I've run into a problem, and if anyone is watching this board today some feedback would be helpful. At the moment I am unable to work on this project and be on IRC at the same time, so I can't head there for help...arg.

Xavier mentioned someplace that he'd like to be able to use the session for authentication, so that AJAX calls still work. I'm completely on board with this, BUT I don't see any reference for this in the 2.2 code that I checked out yesterday that supports this method of authentication. I'd like to add it back in, but it's not clear to me where I can safely pull this information from. How do I know if the current SessionID (which I can get from session_id() ) contains an authenticated user? Just having a PHP session, doesn't mean the user has logged in. I've looked quickly at what's in $_SESSION, and I don't recognize anything that's helpful. Can someone push me in the right direction?

Aaron

xavier · December 14, 2008, 11:22:04 pm

Hi, Great news

on CRM/Core/Invoke.php
it uses CRM/Core/Permission.php that way

// check that we are permissioned to access this page
if ( ! CRM_Core_Permission::checkMenuItem( $item ) ) {
CRM_Utils_System::permissionDenied( );
return;
}

access( $module, $checkPermission = true ) {

is probably better. I don't know how to match the api modules to the modules there. Probably better not to be too smart and simply do like for the key authorisation (all/none access ?)

X+

P.S. Right now, the only rest usage is to set/unset a tag, not even sure there is a separate access right for that.

Donald Lobo · December 15, 2008, 06:35:49 am

for permissioning and ajax we currently use the form: civicrm/ajax/XXX. This allows us to implement permissioning using the menu system and not having to introduce another permissioning system

not sure how to get around the permissioning aspect for the API (since we don't bootstrap the CMS). I'll think a bit about this and update this forum if i figure out something

lobo

acrosman · December 15, 2008, 06:55:08 am

Xavier, before you get too excited, you should know that I suspect the patch I submitted yesterday (http://issues.civicrm.org/jira/browse/CRM-3937) breaks your AJAX calls. It turns out, without that patch, 2.2 has zero access controls on the REST interface (a valid session isn't even required). The patch resolves this, but not in the elegant way you suggested of just looking for the authenticated session from the underlying CMS. Right now the patch would require that first calls the the API use the login function if they aren't using the keys. I'm not at all opposed to fixing this, and will happily considering it a bug, but I wanted to get the main patch in before the 12/15 code-freeze.

That, and I lost several hours of work yesterday to a plumbing emergency, so I didn't have the time to do proper digging to figure out how to grab that information.

I'll try to get some documentation written up about what exactly those changes require of programs calling the API.

CiviCRM Community Forums (archive)

News:

Author Topic: rest.php interface: a few questions/rant (Read 19003 times)

acrosman

Re: rest.php interface: a few questions/rant

xavier

Re: rest.php interface: a few questions/rant

acrosman

Re: rest.php interface: a few questions/rant

Donald Lobo

Re: rest.php interface: a few questions/rant

acrosman

Re: rest.php interface: a few questions/rant

xavier

Re: rest.php interface: a few questions/rant

cap10morgan

Re: rest.php interface: a few questions/rant

acrosman

Re: rest.php interface: a few questions/rant

xavier

Re: rest.php interface: a few questions/rant

Donald Lobo

Re: rest.php interface: a few questions/rant

acrosman

Re: rest.php interface: a few questions/rant