html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/880#issuecomment-692324230 | https://api.github.com/repos/simonw/datasette/issues/880 | 692324230 | MDEyOklzc3VlQ29tbWVudDY5MjMyNDIzMA== | 9599 | 2020-09-14T21:28:15Z | 2020-09-14T21:28:21Z | OWNER | Documentation here: https://docs.datasette.io/en/latest/sql_queries.html#json-api-for-writable-canned-queries | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-692299770 | https://api.github.com/repos/simonw/datasette/issues/880 | 692299770 | MDEyOklzc3VlQ29tbWVudDY5MjI5OTc3MA== | 9599 | 2020-09-14T20:36:40Z | 2020-09-14T20:36:40Z | OWNER | The JSON response will look like this: ```json { "ok": true, "message": "A message", "redirect": "/blah" } ``` `"ok"` will be `true` if everything went right and `false` if there was an error. The `"message"` and `"redirect"` will be whatever was configured using the `on_success_message`, `on_success_redirect`, `on_error_message` and `on_error_redirect` settings, see https://docs.datasette.io/en/stable/sql_queries.html#writable-canned-queries | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-692298011 | https://api.github.com/repos/simonw/datasette/issues/880 | 692298011 | MDEyOklzc3VlQ29tbWVudDY5MjI5ODAxMQ== | 9599 | 2020-09-14T20:33:13Z | 2020-09-14T20:33:13Z | OWNER | I'm going to support several ways of indicating that you would like a JSON response instead of getting an HTTP redirect from your writable canned query submission: - Use the `Accept: application/json` request header - Include `?_json=1` in the request query string - Include `"_json": 1` in the form submission (or the JSON body submission) | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-692272860 | https://api.github.com/repos/simonw/datasette/issues/880 | 692272860 | MDEyOklzc3VlQ29tbWVudDY5MjI3Mjg2MA== | 9599 | 2020-09-14T19:43:47Z | 2020-09-14T19:43:47Z | OWNER | I'm going to add support for POST content that is sent as a JSON document, in addition to the existing support for key=value encoded POST bodies. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-692271804 | https://api.github.com/repos/simonw/datasette/issues/880 | 692271804 | MDEyOklzc3VlQ29tbWVudDY5MjI3MTgwNA== | 9599 | 2020-09-14T19:41:37Z | 2020-09-14T19:41:37Z | OWNER | Relevant code section: https://github.com/simonw/datasette/blob/1552ac931e4d2cf516caac3ceeab4fd24da1510a/datasette/views/database.py#L209-L232 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-691785692 | https://api.github.com/repos/simonw/datasette/issues/880 | 691785692 | MDEyOklzc3VlQ29tbWVudDY5MTc4NTY5Mg== | 9599 | 2020-09-14T03:10:11Z | 2020-09-14T03:10:11Z | OWNER | Answer: no, it's [not safe](https://twitter.com/glenathan/status/1305081266065244162) to skip CSRF if there's an `Accept: application/json` header because of a nasty old `crossdomain.xml` Flash vulnerability: https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b?gi=a5ee3d7a8235 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-691558387 | https://api.github.com/repos/simonw/datasette/issues/880 | 691558387 | MDEyOklzc3VlQ29tbWVudDY5MTU1ODM4Nw== | 9599 | 2020-09-12T22:04:48Z | 2020-09-12T22:04:48Z | OWNER | Is it safe to skip CSRF checks if the incoming request has `Accept: application/json` on it? I'm not sure that matters since `asgi-csrf` already won't reject requests that either have no cookies or are using an `Authorization: Bearer ...` header. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-691557675 | https://api.github.com/repos/simonw/datasette/issues/880 | 691557675 | MDEyOklzc3VlQ29tbWVudDY5MTU1NzY3NQ== | 9599 | 2020-09-12T22:01:02Z | 2020-09-12T22:01:11Z | OWNER | Maybe POST to `.json` doesn't actually make sense. I could instead support `POST /db/queryname` with an optional mechanism for requesting that the response to that POST be in a JSON format. Could be an `Accept: application/json` header with an option of including `"_accept": "json"` as a POST parameter instead. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-691557429 | https://api.github.com/repos/simonw/datasette/issues/880 | 691557429 | MDEyOklzc3VlQ29tbWVudDY5MTU1NzQyOQ== | 9599 | 2020-09-12T21:59:39Z | 2020-09-12T21:59:39Z | OWNER | What should happen when something does a POST to an extension that was registered by a plugin, e.g. `POST /db/table.atom`? | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-652646487 | https://api.github.com/repos/simonw/datasette/issues/880 | 652646487 | MDEyOklzc3VlQ29tbWVudDY1MjY0NjQ4Nw== | 9599 | 2020-07-01T21:05:48Z | 2020-07-01T21:05:48Z | OWNER | I've been testing the WIP using this in the console: ```javascript fetch('/data/add_name.json', { method: 'POST', body: 'name=XXXfetch', credentials: 'omit', headers: {'Content-Type': 'application/x-www-form-urlencoded'} }) .then(response => console.log(response)) ``` Against a canned query configured like this: ```yaml databases: data: queries: add_name: sql: insert into names (name) values (:name) write: true ``` I haven't got it to work yet. Latest error is this one: ``` INFO: Uvicorn running on http://127.0.0.1:8001 (Press CTRL+C to quit) Traceback (most recent call last): File "/Users/simon/Dropbox/Development/datasette/datasette/app.py", line 975, in route_path await response.asgi_send(send) AttributeError: 'tuple' object has no attribute 'asgi_send' INFO: 127.0.0.1:49938 - "POST /data/add_name.json HTTP/1.1" 500 Internal Server Error ``` It looks like I'm going to have to rethink how the `BaseView` code around tables, formats and hashes is structured in order to fix this. That's a big refactoring! I'm moving this to a new milestone for Datasette 0.46. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |
https://github.com/simonw/datasette/issues/880#issuecomment-652162722 | https://api.github.com/repos/simonw/datasette/issues/880 | 652162722 | MDEyOklzc3VlQ29tbWVudDY1MjE2MjcyMg== | 9599 | 2020-07-01T03:16:07Z | 2020-07-01T03:16:07Z | OWNER | The response from this will never be a 302 - it will always be a 200 if the response worked or a 400 for bad parameters or a 500 for errors. The body returned will always be in JSON format. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 648637666 | |