Open ergo opened 6 years ago
Of course!
@wichert do you have some more examples on how to do validation?
I've tried to use colander at first to see how things work. For example when I have something like this:
@resource('/todos', create_permission=NO_PERMISSION_REQUIRED)
class TodoCollection(ColanderSchemaValidationMixin, CollectionResource, EditableResource):
schema = AccountSchema
def __init__(self, request):
pass
def to_dict(self):
return {}
def update_from_dict(self, data, replace=True):
return {}
@TodoCollection.GET(permission=NO_PERMISSION_REQUIRED)
def list_todos(collection, request):
return {"data": []}
@TodoCollection.POST(permission=NO_PERMISSION_REQUIRED)
def add_todo(collection, request):
todo = {
"id": "td1",
"title": 'title
}
todos[todo["id"]] = todo
return {"data": todo}
It seems that no post validation is being fired, I started digging a bit and for example ext.json schema has JsonSchemaChildValidationMixin
and JsonSchemaValidationMixin
, in general I'm very lost how to work with rest_toolkit
when trying to do any validation, I'm not sure at this point if I can mix decorated views with composited class?
You can not use decorated views with validation, you have to use the mixin classes and the standard methods they require. For example to get validation for adding children use something like this:
@resource('/todos', create_permission=YOUR_PERMISSION')
class TodoCollection(JsonSchemaChildValidationMixin, CollectionResource):
child_schema { …. }
def add_child(self, data):
# At this point data is a standard python dictionary with validated content
return {'_id': 1}
As soon as you use one of the method decorators like resource.GET
or resource.POST
you essentially opt out of all the standard services rest_toolkit provides. That is a design decision made early in the rest_toolkit design. An alternative API would have been something like this:
@resource('/todos')
class TodoCollection(CollectionResource):
pass
@TodoCollection.add_child(permission='create', schema=todo_schema):
def add_todo(resource, request, data):
….
That kind of API would still be reasonably easy to add if there was enough interest for it.
OK, that explains a little, so I think that colander mixins miss the ability to validate the children then, the should work only when someone is editing a resourse? Since they don't implement children methods at all.
Next question, if I would like to validate request properties like headers that would mean I need to implement additional set of methods on the classes?
It does look like the colander extension is missing a child validation mixin class. That should be trivial to add though. PR is very welcome ;)
Validating things like HTTP headers feels non-RESTish to me, but you could certainly do it if you want to. You can either override the validate
method from the validation mixin classes if your goal really is validation, or use some other Pyramid mechanism such as predicates if this is a resource-matching or authz issue.
If I would add support for marshmallow schemas would you accept the PR?