Should plone.restapi be installed by default?

I think plone.restapi profile should be installed by default:


My opinion: for Volto yes, for Plone Classic no.

If Volto is the default UI...
wouldn't that mean plone.restapi by default too?


The idea (not implemented yet) is that when creating a Plone Site you can choose to create either a Volto site or a Plone Classic site. When you choose Plone Classic, plone.restapi is not needed (but it offers opportunities of course, and can be installed later.)

My 2 cents:

  • plone.restapi should be enabled by default, even for Classic sites
  • plone.volto is the one that would not be installed if Classic UI is selected

I think every package that is not needed, should not be installed. Reduce the complexity.


and so the confusion starts.

Just release two downloads "Plone Volto 6.0" and "Plone Classic 6.0" and save the whole community a lot of pain down the track answering questions, and save a lot of confusion for anyone who might want to actually join the community or start a new plone site

You'd only have to have two different start profiles and point to two slightly reordered doc builds. And marketing would be a whole lot easier.

If I am not mistaken plone.restapi will be enabled even if it is not installed in the control panel. Therefore we would either have to put lots of effort into plone.restapi or we should enable it by default. What we have right now does not help either way IMHO.


We may want to split this into a new topic, but I don't know how to do that, or I don't have the enough permissions.

Currently, installing plone.restapi does the following:

  • Set a few permissions, for example allowing anonymous users to use the restapi.
  • Install a PAS plugin, for the JWT authentication token.
  • Register a browser layer. This does... I don't know what it does. Something confusing with the Dexterity types control panel. I expected something else. Seems a detail that we can ignore in this little discussion.

Looks like: when you don't install it, anonymous users cannot use the restapi, and they cannot login to it either. This seems fine for Plone Classic.
The restapi endpoints are still available then, and you can call them from Python code. I just tried with collective.exportimport in 4.3, which uses plone.restapi for exporting, and this works fine even when I don't have plone.restapi installed in the UI. That is interesting to know.

I don't know what the "lots of effort" would be. Maybe keeping the dexterity types control panel working?

I do not think we want plone.restapi a dependency of Products.CMFPlone (circular dependencies, you know...). So it is part of the Plone package which is in fact only a setup.cfg. So, with our current setup this is not easily possible.

But: Thinking further it would be great to have two profile packages, one for volto (I think this will be plone.volto, correct me if I am wrong) and one for plone.classicui.

Then we can discuss to have it installed by default (IMO keep it reduced and do not install it).


I wonder why is it like this in the first place. Can't we have a browser layer for plone.restapi and register all the endpoints on it, in order to fully enable/disable restapi TTW?

See [plone.restapi] Default configuration questions


We do have. Both:

We just need to figure out, how we make IPloneRestapiLayer the default one, in order not to break backward compatibility / existing custom endpoints within add-ons.

constraints.txt is broken now:

ERROR: Invalid requirement: 'In pre alpha stage we need a find-links, to find internal non-PyPI releases.' (from line 3 of
WARNING: You are using pip version 21.0.1; however, version 21.2.4 is available.
You should consider upgrading via the '/plone/backend/bin/python3 -m pip install --upgrade pip' command.

@djay has suggested something similar.

Oops. That should have been a comment. Fixed, thanks.


8 posts were split to a new topic: Behold: pip install Plone works!

I don't think that having the restapi (or not) should turn simply on the choice of interface. plone.restapi is one of the best things that happened to Plone 5, and that isn't going to change when Plone 6 is released. In industry, API's are now expected because of their utility in applications for the enterprise, not just Volto. Having a good restapi is a selling point for Plone as a whole.


From what I understand the issue here is that plone.restapi for anonymous users at the moment enables some possibilities of denial of service attacks. For example with the endpoint for vocabularies that can return very large amounts of data.

If you are not aware of this at the moment and/or don't add measures against these possible queries you are making your site vulnerable to these attacks. If plone.restapi is not required for Plone 6 when operating with a classic (server side rendered frontend), it's maybe being over cautious, but IMHO it would be unwise to activate restapi by default when it enlarges your attack surface.

If you need plone.restapi in your project it's a few lines of upgrade ZCML to install it programmatically in a policy package or activate it in the add-ons control panel afterwards.
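As an added illustration of the "install it programmatically in a policy package" route mentioned in the post above (this is not code from the post or from plone.restapi itself): a GenericSetup `metadata.xml` placed in the policy package's default profile declares plone.restapi's `default` profile as a dependency, so activating the policy add-on in the control panel also activates plone.restapi. The package name `my.policy` and the profile version number are assumptions made for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: profiles/default/metadata.xml of a hypothetical
     policy package "my.policy". The version number is arbitrary. -->
<metadata>
  <version>1000</version>
  <dependencies>
    <!-- GenericSetup runs the plone.restapi "default" profile (permissions,
         JWT PAS plugin, browser layer) before this profile's own steps. -->
    <dependency>profile-plone.restapi:default</dependency>
  </dependencies>
</metadata>
```

Because the dependency is declared in the policy profile, a site that does not activate `my.policy` keeps plone.restapi unactivated, which matches the default the post argues for: the restapi is only switched on where a project has decided it needs it.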


Ha ha, so funny, my client just called me that their editors don't see anything within select widgets, even if I assured them that everything looks ok on my side:

