Issue #2484829 by mariano.barcia, mallezie, Koen.Pasman, dgtlmoon, joseph.olstad, lokapujya, kurkuma, bangpound, jaskaran.nagra, iamEAP: Specifying the resource format via a URL extension (like "node/1.json") no longer works in Drupal 7.37
This release adds field level access to entity write operations, such as POST and PUT requests. Make sure that your service consumers have sufficient permissions to write fields they want to insert or update.
This release fixes a critical SQL injection vulnerability. It is mitigated by the fact that an attacker must have the permission to access a resource (example: Access the resource node) in order to exploit this.
Since development of this module has slowed down significantly over the last months, this release also marks the first stable release, in order to get proper security advisories for any future security issues.
Consumers should no longer issue GET requests to /@entity_type/@id with the HTTP Accept header set to the expected format, since that could interfere with Drupal's page cache. Those URLs might return HTML, which could break clients.
Example of URLs that are deprecated and should not be used anymore:
This release comes with a major API change for clients. A security token has been introduced to guard against CSRF attacks. This change only affects you if
* your client uses cookie-based user authentication and
* your client performs write operations (POST, PUT or DELETE).
Clients that only read data (GET requests) still work the same. Clients that use other authentication mechanisms (like restws_basic_auth) remain unaffected as well.
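The client-side change described above, as an added example that is not the module's own code: a cookie-authenticated client fetches the token and sends it with each write. The token path `/restws/session/token`, the `X-CSRF-Token` header name, the 403 rejection status and the local stub server are assumptions not stated on this page; all sample values are constructed.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-sample-token"  # constructed value, not a real Drupal token
TOKEN_PATH = "/restws/session/token"  # assumption: path is not given on this page
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class StubSite(BaseHTTPRequestHandler):
    """Local stand-in for a site: cookie-authenticated writes need the token."""
    def _send(self, status, body=b""):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):  # reads work the same as before the change
        self._send(200, TOKEN.encode() if self.path == TOKEN_PATH else b"{}")
    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = "Cookie" not in self.headers or self.headers.get("X-CSRF-Token") == TOKEN
        self._send(200 if ok else 403)  # 403 is an assumed rejection status
    def log_message(self, *args):  # silence per-request logging
        pass

def put(base, path, data, cookie=None, with_token=False):
    """PUT JSON to base+path and return the HTTP status code."""
    headers = {"Content-Type": "application/json"}
    if cookie:
        headers["Cookie"] = cookie
    if with_token:  # fetch the token using the same session cookie
        req = urllib.request.Request(base + TOKEN_PATH, headers=headers)
        with OPENER.open(req) as resp:
            headers["X-CSRF-Token"] = resp.read().decode()
    req = urllib.request.Request(base + path, json.dumps(data).encode(), headers, method="PUT")
    try:
        with OPENER.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    """Return statuses for: cookie without token, cookie with token, non-cookie auth."""
    server = HTTPServer(("127.0.0.1", 0), StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base, cookie = "http://127.0.0.1:%d" % server.server_port, "SESSconstructed=1"
    try:
        args = (base, "/node/1", {"title": "constructed"})
        return put(*args, cookie), put(*args, cookie, with_token=True), put(*args)
    finally:
        server.shutdown()
```
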
This release introduces querying support for entities. You can retrieve a list of entities now and even filter it with the power of EntityFieldQuery. See the Querying and Meta controls section in the README.txt. Big thanks to sepgil for implementing all this during Google Summer of Code!
First release of the new 2.x branch. The new branch was created because of an important API change: the HTTP request methods for create and update operations have been swapped (see #1472634: HTTP PUT / POST Reversed for CRUD CREATE / UPDATE Operations). The 7.x-1.x branch is now frozen and will get security fixes only. If you want to start a new project with RESTWS use the 2.x branch.