MONGO_QUERY_BLACKLIST doesn't work
I'm using python-eve with default settings where
'MONGO_QUERY_BLACKLIST': ['$where', '$regex']
But it appears that I still can use 'where'-parameter in queries to Eve.
import requests
params = {'where': '{"username":"Alex"}'}
response = requests.get('http://localhost/users', params)
print(response.content)
print(response.status_code)
{"_items": [{"username": "Alex", ... }], ...}
200
You are conflating Eve's REST API parameter called where (which translates the given parameters into query criteria for a standard MongoDB find() query) with MongoDB's $where JavaScript operator (whose usage is strongly discouraged and disabled by default in Eve).
This is an unfortunately confusing naming choice in the Eve API. The $where operator (if used) would be part of the query criteria provided to Eve's where.
Modifying your example params to use a $where query (for illustration purposes only, as this is definitely not recommendable or performant):
params = {'where': '{"$where":"this.username == \'Alex\'"}'}
With Eve's default settings (or $where included in MONGO_QUERY_BLACKLIST), the Eve API will return a response similar to the following:
{"_status": "ERR", "_error": {"message": "The browser (or proxy) sent a request that this server could not understand.", "code": 400}}
Removing $where from the blacklist will return matching _items. I tested this against Eve 0.7.2 to confirm the expected behaviour.
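The distinction drawn in the answer above, as an added example that is not part of the original answer and not Eve's own code: a simplified model of a blacklist check that parses the value of the where URL parameter and looks for blacklisted operators among the keys of the resulting query document. It goes slightly beyond the answer by also walking nested sub-queries; the function names and sample values are assumptions constructed for illustration.

```python
import json

# Same default the question quotes from Eve's settings.
MONGO_QUERY_BLACKLIST = ['$where', '$regex']


def find_blacklisted(node, blacklist=MONGO_QUERY_BLACKLIST):
    """Return blacklisted operators used as keys anywhere in a parsed query."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in blacklist:
                hits.append(key)
            hits.extend(find_blacklisted(value, blacklist))
    elif isinstance(node, list):
        # Operators such as $or / $and carry a list of sub-queries.
        for item in node:
            hits.extend(find_blacklisted(item, blacklist))
    return hits


def check_where(raw_where, blacklist=MONGO_QUERY_BLACKLIST):
    """Model the HTTP status for a given value of the `where` URL parameter."""
    try:
        query = json.loads(raw_where)
    except ValueError:
        return 400, []                  # not valid JSON
    if not isinstance(query, dict):
        return 400, []                  # a query document must be an object
    hits = find_blacklisted(query, blacklist)
    return (400 if hits else 200), hits


# Constructed sample values for the `where` parameter.
SAMPLES = [
    '{"username": "Alex"}',                        # plain filter: allowed
    '{"$where": "this.username == \'Alex\'"}',     # JavaScript operator
    '{"$or": [{"username": "Alex"}, {"username": {"$regex": "^A"}}]}',
    '{"where": "Alex"}',   # field literally named "where": not an operator
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_where(raw), raw)
```

The blacklist is matched against keys inside the query document, so the name of the URL parameter that carries the document never triggers it.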
@Stennie is correct that QUERY_MONGO_BLACKLIST refers to actual query parameters, not the lookup keyword itself. However, if you want to disable filtering altogether just set ALLOWED_FILTERS = [].
Also, you can use QUERY_WHERE to pick another keyword if you do not want where:
# disable filters
ALLOWED_FILTERS = []
# replace the default 'where' with 'find'
QUERY_WHERE = 'find'