X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FController%2FDBIC%2FAPI%2FStaticArguments.pm;h=ae53e0936d38699df98409b116f54d698183a6f1;hb=4e5983f2a904f894762e61c2dff962a37da5ef92;hp=063b75feb38273ec0194f41ea19bb72c59204cfc;hpb=73517f507669cada16503d144607e42c86b65f64;p=catagits%2FCatalyst-Controller-DBIC-API.git

diff --git a/lib/Catalyst/Controller/DBIC/API/StaticArguments.pm b/lib/Catalyst/Controller/DBIC/API/StaticArguments.pm
index 063b75f..ae53e09 100644
--- a/lib/Catalyst/Controller/DBIC/API/StaticArguments.pm
+++ b/lib/Catalyst/Controller/DBIC/API/StaticArguments.pm
@@ -31,7 +31,7 @@ foreach my $var (qw/create_requires create_allows update_requires update_allows/
         traits => ['Array'],
         default => sub { [] },
         trigger => sub
-        {   
+        {
             my ($self, $new) = @_;
             $self->check_column_relation($_, 1) for @$new;
         },
@@ -50,6 +50,72 @@ foreach my $var (qw/create_requires create_allows update_requires update_allows/
     before "insert_${var}_column" => sub { $_[0]->check_column_relation($_[2], 1) }; #"
 }
 
+=attribute_public prefetch_allows is: ro, isa: ArrayRef[ArrayRef|Str|HashRef]
+
+prefetch_allows limits what relations may be prefetched when executing searches with joins. This is necessary to avoid denial of service attacks in form of queries which would return a large number of data and unwanted disclosure of data.
+
+Like the synopsis in DBIC::API shows, you can declare a "template" of what is allowed (by using an '*'). Each element passed in, will be converted into a Data::DPath and added to the validator.
+
+    prefetch_allows => [ 'cds', { cds => tracks }, { cds => producers } ] # to be explicit
+    prefetch_allows => [ 'cds', { cds => '*' } ] # wildcard means the same thing
+
+=cut
+
+has 'prefetch_allows' => (
+    is => 'ro',
+    writer => '_set_prefetch_allows',
+    isa => ArrayRef[ArrayRef|Str|HashRef],
+    default => sub { [ ] },
+    predicate => 'has_prefetch_allows',
+    traits => ['Array'],
+    handles =>
+    {
+        all_prefetch_allows => 'elements',
+    },
+);
+
+has 'prefetch_validator' => (
+    is => 'ro',
+    isa => 'Catalyst::Controller::DBIC::API::Validator',
+    lazy_build => 1,
+);
+
+sub _build_prefetch_validator {
+    my $self = shift;
+
+    sub _check_rel {
+        my ($self, $rel, $static, $validator) = @_;
+        if(ArrayRef->check($rel))
+        {
+            foreach my $rel_sub (@$rel)
+            {
+                _check_rel($self, $rel_sub, $static, $validator);
+            }
+        }
+        elsif(HashRef->check($rel))
+        {
+            while(my($k,$v) = each %$rel)
+            {
+                $self->check_has_relation($k, $v, undef, $static);
+            }
+            $validator->load($rel);
+        }
+        else
+        {
+            $self->check_has_relation($rel, undef, undef, $static);
+            $validator->load($rel);
+        }
+    }
+
+    my $validator = Catalyst::Controller::DBIC::API::Validator->new;
+
+    foreach my $rel ($self->all_prefetch_allows) {
+        _check_rel($self, $rel, 1, $validator);
+    }
+
+    return $validator;
+}
+
 =attribute_public count_arg is: ro, isa: Str, default: 'list_count'
 
 count_arg controls how to reference 'count' in the the request_data
@@ -122,6 +188,14 @@ prefetch_arg controls how to reference 'prefetch' in the the request_data
 
 has 'prefetch_arg' => ( is => 'ro', isa => Str, default => 'list_prefetch' );
 
+=attribute_public stash_key is: ro, isa: Str, default: 'response'
+
+stash_key controls where in stash request_data should be stored
+
+=cut
+
+has 'stash_key' => ( is => 'ro', isa => Str, default => 'response');
+
 =attribute_public data_root is: ro, isa: Str, default: 'list'
 
 data_root controls how to reference where the data is in the the request_data
@@ -130,6 +204,15 @@ data_root controls how to reference where the data is in the the request_data
 
 has 'data_root' => ( is => 'ro', isa => Str, default => 'list');
 
+=attribute_public item_root is: ro, isa: Str, default: 'data'
+
+item_root controls how to reference where the data for single object
+requests is in the the request_data
+
+=cut
+
+has 'item_root' => ( is => 'ro', isa => Str, default => 'data');
+
 =attribute_public total_entries_arg is: ro, isa: Str, default: 'totalcount'
 
 total_entries_arg controls how to reference 'total_entries' in the the request_data
@@ -140,7 +223,7 @@ has 'total_entries_arg' => ( is => 'ro', isa => Str, default => 'totalcount' );
 
 =attribute_public use_json_boolean is: ro, isa: Bool, default: 0
 
-use_json_boolean controls whether JSON::Any boolean types are used in the success parameter of the response or if raw strings are used
+use_json_boolean controls whether JSON boolean types are used in the success parameter of the response or if raw strings are used
 
 =cut