-
Notifications
You must be signed in to change notification settings - Fork 216
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix MRO to return 405 for unsupported methods #3175
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great find @dhruvkb! Tested manually and it returns the error message correctly. Could you add an automated test for when the HTTP method is different from POST
? It may go in tests/test_auth.py
.
Co-authored-by: Krystle Salazar <krystle.salazar@automattic.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one small request to remove some unnecessary (at least I think, could be wrong) JSON parsing. Krystle's change to the unit test is also critical too 🙂
Otherwise LGTM!
data = json.loads(res.content) | ||
return Response(data, status=res.status_code) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it necessary to json.loads
the content? Would something like this work without the need for that?
data = json.loads(res.content) | |
return Response(data, status=res.status_code) | |
data = json.loads(res.content) | |
return HttpResponse(content=res.content, content_type="application/json", status=res.status_code) |
HttpResponse
is the more low-level version from django.http
that allows you to bypass the DRF Response
data parsing. Doing json.loads
and then passing it directly to Response
means we're unnecessary marshalling the JSON string to Python and then immediately back to a string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although, more general question: why is it necessary to do anything manual here at all, other than just return res
like we used to? Does APIView
complain about not receiving the right type of response object or something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using the
Response
class simply provides a nicer interface for returning content-negotiated Web API responses, that can be rendered to multiple formats.
— DRF docs
We can use HttpResponse
for sure, but sending DRF's Response
is more consistent and it renders the DRF API UI in the browser like our other endpoints.
I agree that it's one more step of JSON parsing followed by serialization but DRF doesn't allow any other way to set data where the content_type
can be negotiated automatically.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use HttpResponse for sure, but sending DRF's Response is more consistent and it renders the DRF API UI in the browser like our other endpoints.
Ahh, interesting, I didn't realise that was a side effect. For this view, it doesn't seem like a tragic loss, though? It's not exactly a "browseable" response 🤔 At least not any less so if your browser just renders a nice JSON explorer (Firefox does this, not sure of others).
I also don't think we want to support anyone using this view over anything than JSON anyway, but I guess Response
handles it regardless so 🤷 I would personally use HttpResponse but if you prefer to keep it, all good with me as well 👍
Co-authored-by: Krystle Salazar <krystle.salazar@automattic.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent! Thank you, @dhruvkb.
Fixes
Fixes #2374 by @krysal
Description
This PR fixes the method resolution order of the token
APIView
so that the exception handler will be invoked and a 405 Method Not Allowed response will be sent. When the MRO is incorrect the exception is not handled and results in a 500 Internal Server Error.Testing Instructions
/v1/auth_tokens/token/
endpoint.Checklist
Update index.md
).main
) or a parent feature branch.Developer Certificate of Origin
Developer Certificate of Origin