traits => ['Array'],
default => sub { [] },
trigger => sub
- {
+ {
my ($self, $new) = @_;
$self->check_column_relation($_, 1) for @$new;
},
}
);
- before "set_${var}_column" => sub { $_[0]->check_column_relation($_[2], 1) }; #"
- before "insert_${var}_column" => sub { $_[0]->check_column_relation($_[2], 1) }; #"
+ before "set_${var}_column" => sub { $_[0]->check_column_relation($_[2], 1) };
+ before "insert_${var}_column" => sub { $_[0]->check_column_relation($_[2], 1) };
+}
+
+=attribute_public prefetch_allows is: ro, isa: ArrayRef[ArrayRef|Str|HashRef]
+
+prefetch_allows limits what relations may be prefetched when executing searches with joins. This is necessary to avoid denial of service attacks in form of queries which would return a large number of data and unwanted disclosure of data.
+
+Like the synopsis in DBIC::API shows, you can declare a "template" of what is allowed (by using an '*'). Each element passed in, will be converted into a Data::DPath and added to the validator.
+
+ prefetch_allows => [ 'cds', { cds => tracks }, { cds => producers } ] # to be explicit
+ prefetch_allows => [ 'cds', { cds => '*' } ] # wildcard means the same thing
+
+=cut
+
+has 'prefetch_allows' => (
+ is => 'ro',
+ writer => '_set_prefetch_allows',
+ isa => ArrayRef[ArrayRef|Str|HashRef],
+ default => sub { [ ] },
+ predicate => 'has_prefetch_allows',
+ traits => ['Array'],
+ handles =>
+ {
+ all_prefetch_allows => 'elements',
+ },
+);
+
+has 'prefetch_validator' => (
+ is => 'ro',
+ isa => 'Catalyst::Controller::DBIC::API::Validator',
+ lazy_build => 1,
+);
+
+sub _build_prefetch_validator {
+ my $self = shift;
+
+ sub _check_rel {
+ my ($self, $rel, $static, $validator) = @_;
+ if(ArrayRef->check($rel))
+ {
+ foreach my $rel_sub (@$rel)
+ {
+ _check_rel($self, $rel_sub, $static, $validator);
+ }
+ }
+ elsif(HashRef->check($rel))
+ {
+ while(my($k,$v) = each %$rel)
+ {
+ $self->check_has_relation($k, $v, undef, $static);
+ }
+ $validator->load($rel);
+ }
+ else
+ {
+ $self->check_has_relation($rel, undef, undef, $static);
+ $validator->load($rel);
+ }
+ }
+
+ my $validator = Catalyst::Controller::DBIC::API::Validator->new;
+
+ foreach my $rel ($self->all_prefetch_allows) {
+ _check_rel($self, $rel, 1, $validator);
+ }
+
+ return $validator;
}
=attribute_public count_arg is: ro, isa: Str, default: 'list_count'
has 'page_arg' => ( is => 'ro', isa => Str, default => 'list_page' );
-=attribute_public offset_arg is: ro, isa: Str, default: 'offset'
+=attribute_public offset_arg is: ro, isa: Str, default: 'list_offset'
offset_arg controls how to reference 'offset' in the the request_data
has 'prefetch_arg' => ( is => 'ro', isa => Str, default => 'list_prefetch' );
+=attribute_public stash_key is: ro, isa: Str, default: 'response'
+
+stash_key controls where in stash request_data should be stored
+
+=cut
+
+has 'stash_key' => ( is => 'ro', isa => Str, default => 'response');
+
=attribute_public data_root is: ro, isa: Str, default: 'list'
data_root controls how to reference where the data is in the the request_data
has 'data_root' => ( is => 'ro', isa => Str, default => 'list');
+=attribute_public item_root is: ro, isa: Str, default: 'data'
+
+item_root controls how to reference where the data for single object
+requests is in the the request_data
+
+=cut
+
+has 'item_root' => ( is => 'ro', isa => Str, default => 'data');
+
=attribute_public total_entries_arg is: ro, isa: Str, default: 'totalcount'
total_entries_arg controls how to reference 'total_entries' in the the request_data
=attribute_public use_json_boolean is: ro, isa: Bool, default: 0
-use_json_boolean controls whether JSON::Any boolean types are used in the success parameter of the response or if raw strings are used
+use_json_boolean controls whether JSON boolean types are used in the success parameter of the response or if raw strings are used
=cut