Comments (4)
This seems like a logical change to me. But I would be happy to read a different view point.
I have a PR #1586 that would fix this, and it is just one line. TODO: obviously some test fixes are needed. But if others do not like the approach, I would rather not spend the time.
Alternative is to explicitly request the UID as additional metadata. In a curl command:
curl -H "Accept: application/json" "http://localhost:8080/Plone/page?metadata_fields=UID"
from plone.restapi.
I think the philosophical justification for not including the UID in the REST API is that the REST API aims to always use an external URL as a resource identifier, rather than the UID which is internal.
But, URLs change when an item is moved or renamed, so I can see the benefit of being able to access the UID which is stable. I think we should include it.
Any objection, @tisto?
@fredvd @davisagli @mauritsvanrees I understand the value of having the UID for exportimport. Though, in general, I am wondering if we are comfortable exposing an internal database ID to anonymous users. I could imagine that this is something a security audit might complain about. What if we would just expose the UID attribute when the user has the manager role? This would solve the problem for exportimport and would not expose the UID for anonymous users.
@tisto The thing is, I don't really consider it an internal database ID. Yes, we hide it from end users, but it also has a real purpose which is to be a stable UID that does not change when an item is moved around. That is not only useful inside Plone. If I want to put a stable reference to a Plone item in an external database, the UID would be the best choice.
In security audits at my last job the only concern about exposing internal ids was if they could be used to predict other ids. Completely random uuid4 ids like we use in Plone are not a security problem.
I would be fine with attaching it to a new "View UIDs" permission though. (Always protect actions with a permission, not a specific role. Then the policy for who gets the permission can be adjusted when necessary.)
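Added illustration of the two points made in the comment above: gating the UID behind a named permission (not a role) and checking that the identifier is a random uuid4. This is example code written for this page, not code from plone.restapi or Zope; the "View UIDs" permission name, the Principal and SecurityPolicy classes, the serialize() function and the sample item are all assumptions for the demo. The UID field is only emitted when the principal's roles carry the permission, so who gets it is a policy change, never a serializer change.

```python
# Added example, not plone.restapi code. Names below are assumptions for the demo.
import uuid

VIEW = "View"
VIEW_UIDS = "View UIDs"  # hypothetical permission id, as proposed in the thread


class SecurityPolicy:
    """Minimal stand-in for a role -> permission map (Zope keeps one per object)."""

    def __init__(self, grants):
        self._grants = {role: set(perms) for role, perms in grants.items()}

    def grant(self, role, permission):
        self._grants.setdefault(role, set()).add(permission)

    def revoke(self, role, permission):
        self._grants.get(role, set()).discard(permission)

    def has_permission(self, roles, permission):
        return any(permission in self._grants.get(role, ()) for role in roles)


class Principal:
    """A user (or anonymous) and the roles granted to them."""

    def __init__(self, user_id, roles):
        self.user_id = user_id
        self.roles = frozenset(roles)


def new_uid():
    """Plone UIDs are uuid4 hex strings without dashes; generate one the same way."""
    return uuid.uuid4().hex


def uid_is_random_uuid4(uid):
    """True when the id is a version-4 UUID: random bits only, no counter or
    timestamp that would let a caller predict other items' ids."""
    try:
        return uuid.UUID(hex=uid).version == 4
    except ValueError:
        return False


def serialize(item, principal, policy):
    """Serialize an item. 'UID' appears only if the principal holds VIEW_UIDS.
    No role name is mentioned here, so the policy can change without code changes."""
    if not policy.has_permission(principal.roles, VIEW):
        raise PermissionError(f"{principal.user_id} may not view {item['url']}")
    data = {"@id": item["url"], "title": item["title"]}
    if policy.has_permission(principal.roles, VIEW_UIDS):
        data["UID"] = item["uid"]
    return data


def default_policy():
    """Demo policy: everyone may View, only Manager may see UIDs."""
    return SecurityPolicy({
        "Anonymous": {VIEW},
        "Member": {VIEW},
        "Editor": {VIEW},
        "Manager": {VIEW, VIEW_UIDS},
    })


# Constructed sample item (not real site content); the uid is a fixed uuid4-shaped value.
SAMPLE_ITEM = {
    "url": "http://localhost:8080/Plone/page",
    "title": "Page",
    "uid": "3d5c1c1c7a0a4b6cb2a3c0f7e8c9d0a1",
}


def demo():
    """Show that granting the permission to a role changes the output, serializer untouched."""
    policy = default_policy()
    anon = Principal("anonymous", {"Anonymous"})
    editor = Principal("editor1", {"Member", "Editor"})
    manager = Principal("admin", {"Member", "Manager"})

    editor_before = serialize(SAMPLE_ITEM, editor, policy)
    # Policy change only: let editors see UIDs (e.g. for an export/import workflow).
    policy.grant("Editor", VIEW_UIDS)
    editor_after = serialize(SAMPLE_ITEM, editor, policy)
    return {
        "anonymous_has_uid": "UID" in serialize(SAMPLE_ITEM, anon, policy),
        "manager_has_uid": "UID" in serialize(SAMPLE_ITEM, manager, policy),
        "editor_before": "UID" in editor_before,
        "editor_after": "UID" in editor_after,
        "uid_is_uuid4": uid_is_random_uuid4(SAMPLE_ITEM["uid"]),
    }


if __name__ == "__main__":
    print(demo())
```

The check in uid_is_random_uuid4 is the audit question from the comment: a version-4 UUID carries 122 random bits, so exposing one reveals nothing about any other item's id, unlike a counter or a version-1 UUID that embeds a timestamp and node address.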