Re: Auto-generate PUT and DELETE methods


howesc

Jun 20, 2012, 7:05:00 PM
to web...@googlegroups.com
i suspect that in your case PUT and DELETE would look a lot like POST.  not sure the exact code for your use case, but i know it's possible to have PUT and DELETE methods.

On Wednesday, June 20, 2012 9:30:26 AM UTC-7, Osama Hussain wrote:
Using the following code web2py generated all possible patterns for all my tables for GET and POST methods:

@request.restful()
def api():
    response.view = 'generic.'+request.extension

    def GET(*args,**vars):
        patterns = 'auto'
        parser = db.parse_as_rest(patterns,args,vars)
        if parser.status == 200:
            return dict(content=parser.response)
        else:
            raise HTTP(parser.status,parser.error)

    def POST(table_name,**vars):
        return db[table_name].validate_and_insert(**vars)

    return locals()

Is it possible to have patterns generated for PUT and DELETE methods?

Massimo Di Pierro

Jun 21, 2012, 7:01:50 PM
You can do

@request.restful()
def api():
    response.view = 'generic.'+request.extension

    def GET(*args,**vars):
        patterns = 'auto'
        parser = db.parse_as_rest(patterns,args,vars)
        if parser.status == 200:
            return dict(content=parser.response)
        else:
            raise HTTP(parser.status,parser.error)

    def POST(table_name,**vars):
        return db[table_name].validate_and_insert(**vars)

    def PUT(table_name,record_id,**vars):
        return db(db[table_name]._id==record_id).update(**vars)

    def DELETE(table_name,record_id):
        return db(db[table_name]._id==record_id).delete()

    return locals()

Bruno Rocha

Jun 20, 2012, 7:43:15 PM
to web...@googlegroups.com

How would it be to receive a file upload through the restful api?

On Wed, Jun 20, 2012 at 8:39 PM, Massimo Di Pierro <massimo....@gmail.com> wrote:
You can do

@request.restful()
def api():
    response.view = 'generic.'+request.extension

    def GET(*args,**vars):
        patterns = 'auto'
        parser = db.parse_as_rest(patterns,args,vars)
        if parser.status == 200:
            return dict(content=parser.response)
        else:
            raise HTTP(parser.status,parser.error)

    def POST(table_name,**vars):
        return db[table_name].validate_and_insert(**vars)

    def PUT(table_name,record_id,**vars):
        return db(db[table_name]._id==record_id).update(**vars)

    def PUT(table_name,record_id):
        return db(db[table_name]._id==record_id).delete()

Massimo Di Pierro

Jun 20, 2012, 11:42:17 PM
to web...@googlegroups.com
The code I posted would not work... It depends on how it is uploaded.

if you have the code

curl -X POST \
  -H "Content-Type: text/plain" \
  -T 'hello.txt' \
  http://127.0.0.1:8000/app/default/upload1/hello.txt

I think you can do

def upload():
    table = db.tablename
    record = table[request.args(0)]
    # Field.store() saves the uploaded stream and returns the stored filename
    record.update_record(uploadfield=table.uploadfield.store(request.body, filename=request.args(1)))
    return 'done'

Bruno Rocha

Jun 20, 2012, 11:47:49 PM
to web...@googlegroups.com

I am starting to develop a mobile app for a website using movu.ca (http://www.menuvegano.com.br), the idea is that the users will be able to post cook recipes and its pictures via the mobile using the api.

For the mobile app I am using tiggzi.com and it is rest based.

Everything works, but upload not yet.



Osama Hussain

Jun 21, 2012, 11:53:42 PM
Thanks a LOT! I know we should avoid auto pattern generation but having this functionality makes it super easy to rapidly develop a back end so that I could focus on my front end and have a prototype shipped in time, guess I made the right choice to choose web2py :) 

edit: Already had the typo fixed in my code, the second "PUT" method was supposed to be "DELETE"

Derek

Jun 21, 2012, 2:38:01 PM
to web...@googlegroups.com
Looks like you have Get, Post, and PUT and PUT. Where's Delete?

Anthony

Jun 21, 2012, 7:04:04 PM
to web...@googlegroups.com
Using my new Google Groups super powers, I have edited your original post, so if you'd like, you can delete this correction and we can pretend this never happened. ;-)

Anthony

On Thursday, June 21, 2012 6:40:37 PM UTC-4, Massimo Di Pierro wrote:
Silly me. This

def PUT(table_name,record_id):
    return db(db[table_name]._id==record_id).delete()

was supposed to be

def DELETE(table_name,record_id):
    return db(db[table_name]._id==record_id).delete()

Massimo Di Pierro

Jun 22, 2012, 10:25:19 AM
to web...@googlegroups.com
wow. done that.

Rahul

Aug 24, 2020, 1:06:03 PM
to web2py-users
Hi All,
           Not sure if this is the right thread to put this up --
I was trying to use this code for rest/json -- however -- with slight changes and wrong parameters in the URL my entire table got exposed -- Here is the code --

CONTROLLER :  DEFAULT.PY CODE

## API ---

@request.restful()
def api():
       
    response.view = 'generic.'+request.extension

    def GET(*args,**vars):
        patterns = 'auto'
        parser = db.parse_as_rest(patterns,args,vars)
        if parser.status == 200:
            return dict(content=parser.response)
        else:
            raise HTTP(parser.status,parser.error)

    def POST(table_name,**vars):
        return db[table_name].validate_and_insert(**vars)

    def PUT(table_name,record_id,**vars):
        return db(db[table_name]._id==record_id).update(**vars)

    def DELETE(table_name,record_id):
        return db(db[table_name]._id==record_id).delete()

    return dict(GET=GET, POST=POST, PUT=PUT, DELETE=DELETE)

When someone adds the url like this in the browser -- http://127.0.0.1:8000/artpic/default/api/mblog?id=%221%22&id=%222%22  ( http://127.0.0.1:8000/artpic/default/api/mblog?id="1"&id="2" )  it poses a huge risk as all the data in the table is exposed. All tables are exposed and even username and password from my tables get exposed and are easily accessible.

This works properly -- but above url exposes a huge security risk --

Am I doing this properly ?? Is there something I am missing -- The above code in controller is the only code I am using --  Please see the image attached -- It looks like a huge security risk.

Regards,

Rahul
error.png

AGRogers

Aug 24, 2020, 6:48:41 PM
to web...@googlegroups.com
Hi Rahul 

I haven't done much at all with the rest api. But I would have assumed that you would need to decorate it with @requires to control who can access what. I can't see that in your code. 
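
One way to close the exposure Rahul describes, sketched as framework-independent Python (an added example, not code from the thread or from web2py): the table name taken from the URL is checked against an allowlist per HTTP method, and sensitive columns are stripped from reads and refused on writes. `POLICY`, the function names, the `title`/`body` columns and the sample row are assumptions; in the controller above these checks would run inside GET/POST/PUT/DELETE before `db[table_name]` is touched.

```python
# Added example (hypothetical names throughout): allowlist gate for table names taken from the URL.
class Denied(Exception):
    def __init__(self, status, reason):  # status = HTTP code the controller should return
        super().__init__(reason)
        self.status = status

# Tables absent from POLICY (e.g. auth_user) are never reachable through the API.
POLICY = {
    "mblog": {
        "methods": {"GET", "POST", "PUT"},    # no DELETE over the API
        "readable": {"id", "title", "body"},  # columns returned by GET
        "writable": {"title", "body"},        # columns accepted on write
    },
}

def authorize(method, table_name, user_id):
    """Return the table's policy or raise Denied; call before using db[table_name]."""
    if user_id is None:
        raise Denied(401, "login required")
    rule = POLICY.get(table_name)
    if rule is None:
        raise Denied(404, "unknown resource")  # same answer for hidden and missing tables
    if method not in rule["methods"]:
        raise Denied(405, "method not allowed")
    return rule

def clean_write(rule, request_vars):
    """Reject, rather than silently drop, fields the client may not set."""
    extra = set(request_vars) - rule["writable"]
    if extra:
        raise Denied(400, "fields not writable: " + ", ".join(sorted(extra)))
    return dict(request_vars)

def redact(rule, rows):
    """Keep only readable columns in each row (rows are plain dicts here)."""
    return [{k: v for k, v in row.items() if k in rule["readable"]} for row in rows]

def status_of(method, table_name, user_id):
    """Status a request would receive from authorize()."""
    try:
        authorize(method, table_name, user_id)
        return 200
    except Denied as exc:
        return exc.status

if __name__ == "__main__":
    rows = [{"id": 1, "title": "hi", "body": "text", "password": "x"}]  # constructed sample row
    print(redact(authorize("GET", "mblog", 7), rows))
    print(status_of("GET", "auth_user", 7), status_of("DELETE", "mblog", 7))
```

In web2py the login requirement itself is usually enforced with the `@auth.requires_login()` decorator on the action, with a per-table gate like this layered underneath.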

