MONGO_QUERY_BLACKLIST doesn't work

Question

I'm using python-eve with default settings where

'MONGO_QUERY_BLACKLIST': ['$where', '$regex']

But it appears that I still can use 'where'-parameter in queries to Eve.

import requests

params = {'where': '{"username":"Alex"}'}
response = requests.get('http://localhost/users', params)
print response.content
print response.status_code

{"_items": [{"username": "Alex", ... }], ...}

200

Answer 1

You are conflating Eve's REST API parameter called where (which translates the given parameters into query criteria for a standard MongoDB find() query) with MongoDB's $where JavaScript operator (whose usage is strongly discouraged and disabled by default in Eve).

This is an unfortunately confusing naming choice in the Eve API. The $where operator (if used) would be part of the query criteria provided to Eve's where .

Modifying your example params to use a $where query (for illustration purposes only, as this is definitely not recommendable or performant):

params = {'where': '{"$where":"this.username == \'Alex\'"}'}

With Eve's default settings (or $where included in MONGO_QUERY_BLACKLIST), the Eve API will return a response similar to the following:

{"_status": "ERR", "_error": {"message": "The browser (or proxy) sent a request that this server could not understand.", "code": 400}}

Removing $where from the blacklist will return matching _items . I tested this against Eve 0.7.2 to confirm the expected behaviour.

Answer 2

@Stennie is correct that QUERY_MONGO_BLACKLIST refers to actual query parameters, not the lookup keyword itself. However, if you want to disable filtering altogether just set ALLOWED_FILTERS = [] .

Also, you can use QUERY_WHERE to pick another keyword if you do not want where :

# disable filters
ALLOWED_FILTERS = []
# replace the default 'where' with 'find'
QUERY_WHERE = 'find'