Summary

Enforce that API resources have unique URI template names.

Review Request #12682 — Created Oct. 14, 2022 and submitted Oct. 31, 2022, 2:31 p.m.

Information

Owner

maubin

Repository

Djblets

Branch

release-3.x

Bugs

Depends On

Blocks

12681

Reviewers

Groups

djblets

People

Description

We discovered a problem where resources that have the same name will have
their URI templates in the Root resource's URI templates list overwritten by
one another. Depending on the order that the resources are added to the URI
templates list, this can break the API by replacing the URI template for a
resource with another URI template that may not behave in the same way or
support the same methods as the previous one.

This is a problem that requires more thought and a rethink of how we handle
our resources in general, but for now this change applies a solution that
ensures we keep as much compatibility with our previous API behavior as
possible.

This change introduces the uri_template_name and uri_template_name_plural
attributes for use as the names of resources in the URI templates list, instead
of using the name attribute. This defaults to the name, but can be set to
something else to ensure that resource names in the templates list are unique.
This can also be set to None to have the resource omitted from the URI
templates list. When building the URI templates list, we assert that the
names used in it are unique, as to avoid issues where a resource's URI
template is being overwritten by another resource. The
RootResource.register_uri_template method does not check whether the
resource already exists in the templates because there are use cases where
we need to overwrite the URI template of an existing resource.

Testing Done


Ran all unit tests.
Manually tested Review Board's API Root resource, saw that the URI

  templates list appeared properly.

Commits

Summary	ID
Enforce that API resources have unique URI template names.	d43f52950b61b1f7e6ae09d8f3071653857acac2

Issues

Description	From	Last Updated
Let's start introducing type annotations for all new code. For this function, since there's no typed arguments and just a …	chipx86	Oct. 19, 2022, 10:28 a.m.
This'll be coming in 4.0.1. Should also have a Type in the docs.	chipx86	Oct. 19, 2022, 10:47 a.m.
Same comment regarding including the type in the signature.	chipx86	Oct. 19, 2022, 10:47 a.m.
Same comments regarding the version and Type.	chipx86	Oct. 19, 2022, 10:48 a.m.
Wonder if it'd be worth doing: elif self.uri_template_name == self.name: return self.name_plural else: return self.uri_template_name + 's' Also, let's pull …	chipx86	Oct. 19, 2022, 10:55 a.m.
We definitely want to catch this during development, but one bad extension can bring down a whole server if this …	chipx86	Oct. 19, 2022, 12:31 p.m.
Same here as above. In fact, what could be done is you could have this gather a list of URI …	chipx86	Oct. 19, 2022, 12:40 p.m.
And here.	chipx86	Oct. 19, 2022, 12:40 p.m.
4.0.1.	chipx86	Oct. 19, 2022, 12:40 p.m.
Here and the string below, can we put quotes around the first %s, to help ensure it reads as a …	chipx86	Oct. 25, 2022, 10:52 p.m.
The % (...) should go on the next line.	chipx86	Oct. 25, 2022, 10:53 p.m.
Sorry I didn't catch this before, but an important point when localizing text: If there's more than one format string …	chipx86	Oct. 28, 2022, 10:10 a.m.
For logging, we actually don't want to localize. Otherwise, if a user using, say, Mandarin were to trigger a loggable …	chipx86	Oct. 28, 2022, 10:22 a.m.
To give a bit more room and make editing easier, multi-line strins are better formatted as: expected_message = ( '...' …	chipx86	Oct. 28, 2022, 10:27 a.m.

flake8 passed.

JSHint passed.

djblets/webapi/resources/base.py (Diff revision 1)

The issue has been resolved. Show all issues

Let's start introducing type annotations for all new code.
For this function, since there's no typed arguments and just a typed (possibly-None) string return value, the format would be:

def uri_template_name(self) -> Optional[str]:
    ...

djblets/webapi/resources/base.py (Diff revision 1)

The issue has been resolved. Show all issues

This'll be coming in 4.0.1.

Should also have a Type in the docs.

chipx86 Oct. 18, 2022, 8:07 p.m.

Actually, not 4.0.1. 3.1.

I was thinking our recent Djblets release was at v4.0 when I saw this, but it's at 3.0. This change will be adding a feature to Djblets 3, so we need to bump the minor version, as per Semantic Versioning. We'd bump the major if we were removing a feature. So the new release will be 3.1.0.

djblets/webapi/resources/base.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Same comment regarding including the type in the signature.
```
djblets/webapi/resources/base.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Same comments regarding the version and Type.
```

djblets/webapi/resources/root.py (Diff revision 1)

The issue has been resolved. Show all issues

We definitely want to catch this during development, but one bad extension can bring down a whole server if this happens in production.

I suggest we conditionalize this based on settings.DEBUG. Something like:

if uri_template_name in templates:
    if settings.DEBUG:
        raise ImproperlyConfigured('some useful message to help them debug this here')
    else:
         logger.error('some useful message here...')

And then, of course, only add to the template if it's not already in there.

djblets/webapi/resources/root.py (Diff revision 1)

The issue has been resolved. Show all issues

Same here as above.

In fact, what could be done is you could have this gather a list of URI templates, then loop over when all this is done to apply the logic detailed above, so it's not duplicated.

djblets/webapi/resources/root.py (Diff revision 1)
The issue has been resolved. Show all issues
```
And here.
```
djblets/webapi/tests/test_root_resource.py (Diff revision 1)
The issue has been resolved. Show all issues
```
4.0.1.
```

djblets/webapi/resources/base.py (Diff revision 1)

The issue has been resolved. Show all issues

Wonder if it'd be worth doing:

elif self.uri_template_name == self.name:
    return self.name_plural
else:
    return self.uri_template_name + 's'


Also, let's pull out uri_template_name into a local variable up-front, so that we don't have to re-call the property every time. Maybe also make this method a @cached_property.

Commits:

	Summary	ID
	Enforce that API resources have unique URI template names.	5eb90d2ff54066bd8d5da56bfdd1835fab354517
	Enforce that API resources have unique URI template names.	818ccd09aa86ee95610524d9293931c62f87d3a3

Diff:

Revision 2 (+544 -64)

Show changes

	djblets/webapi/resources/base.py
	djblets/webapi/resources/root.py
	djblets/webapi/tests/test_root_resource.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

This looks fantastic. It's going to save us from all manner of problems down the road as the API grows. Thanks for taking this on :)

djblets/webapi/resources/root.py (Diff revision 2)

The issue has been resolved. Show all issues

Here and the string below, can we put quotes around the first %s, to help ensure it reads as a name and not some word in a sentence?

djblets/webapi/resources/root.py (Diff revision 2)
The issue has been resolved. Show all issues
```
The % (...) should go on the next line.
```

Change Summary:


Put quotes around template names in error/log messages.
Moved a % (...) so that its properly formatted.

Commits:

	Summary	ID
	Enforce that API resources have unique URI template names.	818ccd09aa86ee95610524d9293931c62f87d3a3
	Enforce that API resources have unique URI template names.	77ebdaff181fb54c1505b1b86c0dfb347da4196a

Diff:

Revision 3 (+546 -64)

Show changes

	djblets/webapi/resources/base.py
	djblets/webapi/resources/root.py
	djblets/webapi/tests/test_root_resource.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

djblets/webapi/resources/root.py (Diff revision 3)

The issue has been resolved. Show all issues

Sorry I didn't catch this before, but an important point when localizing text: If there's more than one format string inside, you need to use %(somevar)s rather than %s, and pass in a dictionary fulfilling those variables.

The reason is that this sentence:

"Hello %s, how is your %s?"

Could be localized to something structured more like:

"How is your %s, %s?"

If positional, that could end up being "How is your Bob, day?"

To solve that, we'd do:

_('Hello %(name)s, how is your %(subject)s?')
% {
    'name': ...,
    'subject': ...,
}

djblets/webapi/resources/root.py (Diff revision 3)

The issue has been resolved. Show all issues

For logging, we actually don't want to localize. Otherwise, if a user using, say, Mandarin were to trigger a loggable error, and we had localized this to Mandarin, it would be difficult for an English-speaking administrator to debug the error.

So we can strip localization for logging. We only want it for user-visible messages.

djblets/webapi/tests/test_root_resource.py (Diff revision 3)

The issue has been resolved. Show all issues

To give a bit more room and make editing easier, multi-line strins are better formatted as:

expected_message = (
    '...'
    '...'
    '...'
)

Change Summary:


Removed text localization in logged messages.
Made sure ordering of formatted strings is consistent in localized texts.
Made singleton resources have their uri_template_name_plural set to uri_template_name if uri_template_name is set.
Added unit tests for uri_template_name and uri_template_name_plural.
Made tests for RootResource.get_uri_templates more comprehensive and added clarifying comments.

Commits:

	Summary	ID
	Enforce that API resources have unique URI template names.	77ebdaff181fb54c1505b1b86c0dfb347da4196a
	Enforce that API resources have unique URI template names.	d43f52950b61b1f7e6ae09d8f3071653857acac2

Diff:

Revision 4 (+812 -64)

Show changes

	djblets/webapi/resources/base.py
	djblets/webapi/resources/root.py
	djblets/webapi/tests/test_root_resource.py
	djblets/webapi/tests/test_webapiresource.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to release-3.x (a3a6563)