Should plone.restapi be installed by default?

avoinea · September 16, 2021, 10:55am

I think plone.restapi profile should be installed by default:

mauritsvanrees · September 16, 2021, 2:14pm

My opinion: for Volto yes, for Plone Classic no.

pigeonflight · September 16, 2021, 6:57pm

If Volto is the default UI....
wouldn't that mean plone.restapi by default too?

mauritsvanrees · September 16, 2021, 7:52pm

The idea (not implemented yet) is that when creating a Plone Site you can choose to create either a Volto site or a Plone Classic site. When you choose Plone Classic, plone.restapi is not needed (but it offers opportunities of course, and can be installed later.)

ericof · September 16, 2021, 9:45pm

My 2 cents:

plone.restapi should be enabled by default, even for Classic sites
plone.volto is the one that would not be installed if Classic UI is selected

1letter · September 17, 2021, 4:41am

I think every package that is not needed, should not be installed. Reduce the complexity.

djay · September 17, 2021, 5:28am

and so the confusion starts.

Just release two downloads "Plone Volto 6.0" and "Plone Classic 6.0" and save the whole community a lot of pain down the track answering questions, and save a lot of confusion for anyone who might want to actually join the community or start a new plone site

You'd only have to have two different start profiles and point to two slightly reordered doc builds. And marketing would be a whole lot easier.

tisto · September 17, 2021, 6:10am

If I am not mistaken plone.restapi will be enabled even if it is not installed in the control panel. Therefore we would either have to put lots of effort into plone.restapi or we should enable it by default. What we have right now does not help either way IMHO.

mauritsvanrees · September 17, 2021, 8:02am

We may want to split this into a new topic, but I don't know how to do that, or I don't have the enough permissions.

Currently, installing plone.restapi does the following:

Set a few permissions, for example allowing anonymous users to use the restapi.
Install a PAS plugin, for the JWT authentication token.
Register a browser layer. This does... I don't know what it does. Something confusing with the Dexterity types control panel. I expected something else. Seems a detail that we can ignore in this little discussion.

Looks like: when you don't install it, anonymous users cannot use the restapi, and they cannot login to it either. This seems fine for Plone Classic.
The restapi endpoints are still available then, and you can call them from Python code. I just tried with collective.exportimport in 4.3, which uses plone.restapi for exporting, and this works fine even when I don't have plone.restapi installed in the UI. That is interesting to know.

I don't know what the "lots of effort" would be. Maybe keeping the dexterity types control panel working?

jensens · September 17, 2021, 10:10am

I do not think we want plone.restapi a dependecy of Products.CMFPlone (circular dependencies, you know...). So it is part of the Plone package which is in fact only a setup.cfg. So, with our current setup this is not easy possible.

But: Thinking further it would be great to have two profile packages, one for volto (I think this will be plone.volto (correct me if I am wrong) and one for plone.classicui.

Then we can discuss to have it installed by defaut (IMO keep it reduced and do not install it).

avoinea · September 17, 2021, 10:15am

I wonder why is it like this in the first place. Can't we have a browser layer for plone.restapi and register all the endpoints on it, in order to fully enable/disable restapi TTW?

tmassman · September 17, 2021, 10:20am

See [plone.restapi] Default configuration questions

avoinea · September 17, 2021, 10:21am

We do have. Both:

github.com

plone/plone.restapi/blob/main/src/plone/restapi/interfaces.py#L10-L12


      
          class IPloneRestapiLayer(IDefaultBrowserLayer):
              """Marker interface that defines a browser layer."""

github.com

plone/plone.rest/blob/main/src/plone/rest/zcml.py#L88


      
          
          
          def serviceDirective(
              _context,
              method,
              accept,
              factory,
              for_,
              permission,
              layer=IDefaultBrowserLayer,
              name="",
          ):
              _handle_for(_context, for_)
          
              media_types = parse_accept_header(accept)
              for media_type in media_types:
                  service_id = register_service(method.upper(), media_type)
                  view_name = service_id + name
          
                  # We need a service for CORS preflight processing but we don't get the
                  # desired Accept header in the preflight request. Thus we just register

We just need to figure out, how we make IPloneRestapiLayer the default one, in order not to break backward compatibility / existing custom endpoints within add-ons.

avoinea · September 17, 2021, 3:37pm

constraints.txt is broken now:

https://dist.plone.org/release/6.0-dev//constraints.txt

ERROR: Invalid requirement: 'In pre alpha stage we need a find-links, to find internal non-PyPI releases.' (from line 3 of https://dist.plone.org/release/6.0-dev//constraints.txt)
WARNING: You are using pip version 21.0.1; however, version 21.2.4 is available.
You should consider upgrading via the '/plone/backend/bin/python3 -m pip install --upgrade pip' command.

pigeonflight · September 17, 2021, 3:40pm

@djay has suggested something similar.

mauritsvanrees · September 17, 2021, 8:11pm

Oops. That should have been a comment. Fixed, thanks.

tkimnguyen · October 22, 2021, 2:22pm

8 posts were split to a new topic: Behold: pip install Plone works!

ronc · September 22, 2021, 2:31pm

I don't think that having the restapi (or not) should turn simply on the choice of interface. plone.restapi is one of the best things that happened to Plone 5, and that isn't going to change when Plone 6 is released. In industry, API's are now expected because of their utility in applications for the enterprise, not just Volto. Having a good restapi is a selling point for Plone as a whole.

fredvd · September 23, 2021, 9:34pm

From what I understand the issue here is that plone.restapi for anonymous users at the moment enables some possibilities of denial of service attacks. For example with the endpoint for vocabularies that can return very large amounts of data.

If you are not aware of this at the moment and/or don't add measures against these possible queries you are making your site vulnerable to these attacks. If plone.restapi is not required for Plone 6 when operating with a classic (server side rendered frontend), It's maybe being over cautios, but IMHO it would be unwise to activate restapi by default when it enlarges your attack surface.

If you need plone.restapi in your project it's a few lines of upgrade ZCML to install it programmatically in a policy package or activate it in the add'ons control panel afterwards.

avoinea · October 4, 2021, 3:40pm

Ha ha, so funny, my client just called me that their editors don't see anything within select widgets, even if I ensured them that everything looks ok on my side:

github.com

plone/plone.restapi/blob/9552b4b299810b206e514eacd0aeae36d8d0f5a7/src/plone/restapi/profiles/default/rolemap.xml#L6-L9


      
          <permission name="plone.restapi: Access Plone vocabularies" acquire="True">
            <role name="Manager"/>
            <role name="Site Administrator"/>
          </permission>