pyeve / eve-demo

A fully functional REST Web API. Powered by Eve.

403 Forbidden on DELETE item #12

Closed ghost closed 10 years ago

ghost commented 10 years ago

Hello nicolaiarocci,

First off, thank you and everyone who contributes to Eve; it looks like a fantastic project to really streamline creating REST APIs in Python.

But, in trying things out, I've run into a problem. After cloning the repository and starting the development server, I am unable to DELETE single items. For example (with MongoDB set up in a Docker container and pip3 install eve in a virtualenv (Python version 3.4)):

$ curl -X GET -H 'Content-Type: application/json' localhost:5000/people
{
    "_items":  [], 
    "_links": {
        "parent": {
            "title": "home", 
            "href": ""
        }, 
        "self": {
            "title": "people", 
            "href": "/people"}
        }
}
$ curl -X POST -d '{"firstname": "test", "lastname": "test", "role": ["contributor"]}' localhost:5000/people
{
  "_updated": "Fri, 05 Sep 2014 18:01:44 GMT",
  "_id": "5409fa883a347127db3e82c2",
  "_created": "Fri, 05 Sep 2014 18:01:44 GMT",
  "_links": {
    "self": {
      "title": "person",
      "href": "/people/5409fa883a347127db3e82c2"
    }
  },
  "_status": "OK",
  "_etag": "54fa4ca775664d6f0e095aeba187cc3a6f14c78c"
}
$ curl -X DELETE localhost:5000/people/5409fa883a347127db3e82c2
{
  "_error": {
    "message": "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.",
    "code": 403
  },
  "_status": "ERR"
}
$ # ^^^ This should have worked
$ curl -X PATCH -d '{"firstname": "test_changed"}' localhost:5000/people
{
  "_error": {
    "message": "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.",
    "code": 403
  },
  "_status": "ERR"
}
$ # ^^^ This also does not work
$ curl -X DELETE localhost:5000/people
{}
$ # ^^^ But, this does work

I've logged into my MongoDB instance and checked that the person is actually being stored. And, I've tried adding all methods to PUBLIC_METHODS and PUBLIC_ITEM_METHODS and even to individual resources' resource_methods, item_methods, public_methods, public_item_methods methods lists.

I am having this same problem in my own testing of Eve. So, assuming everything would be configured correctly in this repo, I thought I would clone the demo to check if it is just my settings that were misconfigured. But, it looks like the problem exists here as well. Is there something I've missed?

nicolaiarocci commented 10 years ago

Please check the documentation: Data Integrity and Concurrency Control.

ghost commented 10 years ago

Thank you, and sorry for the inconvenience. The documentation is excellent.

JohnLockwood commented 9 years ago

Thanks for that pointer to the doc -- helped me too on the same issue.

nicolaiarocci commented 9 years ago

As pointed out in the docs, you can switch If-Match checks off, if you so wish.

MacHu-GWU commented 9 years ago

Hi nicolaiarocci, I tried using etag to do delete method:

import requests
requests.delete('http://127.0.0.1:5000/people/p002', data={"_etag": "2ae5d10202122321caa640b60e6bf1855229394d"})

I also tried this, but it is not working:

requests.delete('http://127.0.0.1:5000/people/p002', headers={"Content-Type":"application/json",'If-Match': '2ae5d10202122321caa640b60e6bf1855229394d'})

And I double checked the setting:

    'resource_methods': ['GET', 'POST', 'DELETE'],
    'item_methods': ['GET', 'PATCH', 'PUT', 'DELETE'],

Could you give us a simple example of that?

nicolaiarocci commented 9 years ago

I guess you're doing it against a local instance. I suggest you first try against the public demo so you make sure to get your request right, then you turn your attention onto server settings. You want to use the If-Match header (application/json should not be necessary for item delete). Public instance gets a reset every once in a while so delete away. I see you are using custom ids?

MacHu-GWU commented 9 years ago

@nicolaiarocci create and read operations work correctly. I add a criterion to cerberus-schema

{"_id": {"type": "string"}}

Why I do this is because I use _id = Hash(fields1, fields2), so I can control the _id as a primary key. Originally I think delete operation can be performed like this:

requests.delete("ip:port/people/people_id"), 

But when I see concurrency control and etag things, I get confused.

alex-eri commented 8 years ago

I tried to provide _etag with query, but failed

curl 'http://localhost:5000/api/line/56f7068ed246f462788767d6?_etag=395e78372bf5b1f35fc941a1365f408ad4524218' -X DELETE

nicolaiarocci commented 8 years ago

@alex-eri your request is wrong. You need to use the If-Match header, see the docs. The example is for PATCH, but you can adapt it to DELETE.
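
The request flow described above (read the item's _etag, then send it back in the If-Match header), as an added example that is not part of the thread or of Eve's own code. It runs against a local stand-in server written for this example; StandIn, call, delete_item and demo are hypothetical names, the 403 for a missing header is the response shown in the thread, and the 412 for a stale value is an assumption of the sketch.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed item; the id and _etag reuse values quoted in the thread.
ITEM = {"_id": "p002", "_etag": "2ae5d10202122321caa640b60e6bf1855229394d"}

class StandIn(BaseHTTPRequestHandler):
    """Local stand-in for an item endpoint; models only the If-Match check."""
    def _send(self, code, body=None):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode() if body else b"")
    def do_GET(self):
        item = self.store.get(self.path.rsplit("/", 1)[-1])
        self._send(200 if item else 404, item)
    def do_DELETE(self):
        key, sent = self.path.rsplit("/", 1)[-1], self.headers.get("If-Match")
        if key not in self.store:
            self._send(404)
        elif sent is None:
            self._send(403)  # missing If-Match: the status seen in the thread
        elif sent != self.store[key]["_etag"]:
            self._send(412)  # assumption: a stale ETag fails the precondition
        else:
            del self.store[key]
            self._send(204)

def call(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.read()

def delete_item(port, path):
    """Read the item's current _etag, then send it back in If-Match."""
    etag = json.loads(call(port, "GET", path)[1])["_etag"]
    return call(port, "DELETE", path, {"If-Match": etag})[0]

def demo():
    StandIn.store = {ITEM["_id"]: dict(ITEM)}  # fresh copy per run
    with HTTPServer(("127.0.0.1", 0), StandIn) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port, path = srv.server_port, "/people/" + ITEM["_id"]
        out = (call(port, "DELETE", path)[0],
               call(port, "DELETE", path, {"If-Match": "stale"})[0],
               delete_item(port, path), call(port, "GET", path)[0])
        srv.shutdown()
    return out
```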