I'm using python-eve with default settings where
'MONGO_QUERY_BLACKLIST': ['$where', '$regex']
But it appears that I can still use the 'where' parameter in queries to Eve.
import requests
params = {'where': '{"username":"Alex"}'}
response = requests.get('http://localhost/users', params)
print(response.content)
print(response.status_code)
{"_items": [{"username": "Alex", ... }], ...}
200
You are conflating Eve's REST API parameter called where (which translates the given parameters into query criteria for a standard MongoDB find() query) with MongoDB's $where JavaScript operator (whose usage is strongly discouraged and disabled by default in Eve).
This is an unfortunately confusing naming choice in the Eve API. The $where operator (if used) would be part of the query criteria provided to Eve's where.
Modifying your example params to use a $where query (for illustration purposes only, as this is definitely not recommendable or performant):
params = {'where': '{"$where":"this.username == \'Alex\'"}'}
With Eve's default settings (or $where included in MONGO_QUERY_BLACKLIST), the Eve API will return a response similar to the following:
{"_status": "ERR", "_error": {"message": "The browser (or proxy) sent a request that this server could not understand.", "code": 400}}
Removing $where from the blacklist will return matching _items. I tested this against Eve 0.7.2 to confirm the expected behaviour.
@Stennie is correct that QUERY_MONGO_BLACKLIST refers to actual query parameters, not the lookup keyword itself. However, if you want to disable filtering altogether just set ALLOWED_FILTERS = [].
Also, you can use QUERY_WHERE to pick another keyword if you do not want where:
# disable filters
ALLOWED_FILTERS = []
# replace the default 'where' with 'find'
QUERY_WHERE = 'find'
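The distinction drawn in the answers above, as an added example that is not part of either answer and is not Eve's own code: the blacklist applies to operator keys inside the decoded value of the where parameter, at any nesting depth, not to the parameter name. The function names find_blacklisted and check_where and the sample filters are assumptions made for this sketch.

```python
import json

# Default MONGO_QUERY_BLACKLIST as quoted in the question.
BLACKLIST = ("$where", "$regex")


def find_blacklisted(node, blacklist=BLACKLIST, path=""):
    """Return the paths of blacklisted operator keys anywhere in a decoded filter."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in blacklist:
                hits.append(here)
            # Operators can be nested under field names or other operators.
            hits.extend(find_blacklisted(value, blacklist, here))
    elif isinstance(node, list):
        # Logical operators such as $or carry a list of sub-filters.
        for i, item in enumerate(node):
            hits.extend(find_blacklisted(item, blacklist, f"{path}[{i}]"))
    return hits


def check_where(raw, blacklist=BLACKLIST):
    """Decode the value of the `where` URL parameter; return (status, offending paths)."""
    try:
        spec = json.loads(raw)
    except ValueError:
        return (400, ["<invalid JSON>"])
    if not isinstance(spec, dict):
        return (400, ["<not an object>"])
    hits = find_blacklisted(spec, blacklist)
    return (400, hits) if hits else (200, [])


# Constructed sample values for the `where` parameter (hypothetical hand-rolled check).
SAMPLES = [
    '{"username": "Alex"}',
    '{"$where": "this.username == \'Alex\'"}',
    '{"$or": [{"username": "Alex"}, {"username": {"$regex": "^A"}}]}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_where(raw), raw)
```

The third sample shows why the check has to recurse: the blacklisted operator sits inside an $or list rather than at the top level of the filter.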