By default Yii2 outputs an array with exception info in the REST controller response, even if YII_ENV = prod and YII_DEBUG = false. I think this is wrong behavior, because it is insecure to show API consumers exception messages like
SQLSTATE[42S22]: Column not found: 1054 Unknown column 'test' in 'where clause' The SQL being executed was: SELECT * FROM `table` WHERE `test`=1
What is the right and easy way to turn this off? Why not change the default behavior of the REST classes to not show such information?
Should be changed to show no detailed info by default.
Not by default, it should depend on YII_DEBUG, the same as web exceptions do.
If YII_DEBUG is false, we should turn non-user exceptions into 500 HTTP exception with a fixed error message.
Yes, it will be a good solution, will wait. Thanks!
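An added example (not the framework's or the issue author's code) of the fix proposed above: a custom error handler that, when YII_DEBUG is false, replaces any exception that is neither a UserException nor an HttpException with a fixed 500 HttpException before Yii serializes it, so SQL text and similar details never reach the API consumer. The class name app\components\ApiErrorHandler and the config path are assumptions.

```php
<?php
// Added example, not part of Yii2 itself. Registers as the web application's
// errorHandler and overrides the hook that builds the error response body.
namespace app\components;

use Yii;
use yii\base\UserException;
use yii\web\ErrorHandler;
use yii\web\HttpException;

class ApiErrorHandler extends ErrorHandler
{
    /**
     * Builds the array that becomes the JSON/XML error body.
     *
     * @param \Exception|\Throwable $exception the exception being rendered
     * @return array name/message/code/status(/type) as Yii's handler produces
     */
    protected function convertExceptionToArray($exception)
    {
        $isUserFacing = $exception instanceof UserException
            || $exception instanceof HttpException;

        if (!YII_DEBUG && !$isUserFacing) {
            // Keep the real cause in the server log for operators ...
            Yii::error((string) $exception, __METHOD__);
            // ... but hand the client a generic 500 with a fixed message,
            // so no SQL, file paths or stack frames leak into the response.
            $exception = new HttpException(500, 'An internal server error occurred.');
        }

        // Debug mode still gets the detailed array from the parent handler.
        return parent::convertExceptionToArray($exception);
    }
}

/*
 * Wiring in the application config (assumed path config/web.php):
 *
 * 'components' => [
 *     'errorHandler' => [
 *         'class' => 'app\components\ApiErrorHandler',
 *     ],
 * ],
 */
```

With YII_DEBUG = false the SQLSTATE error quoted in this issue is rendered as a 500 with the fixed message and the original exception is only visible in the application log.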
Also for such user exceptions the 'type' field is not necessary, I think:
<response>
<type>yii\web\BadRequestHttpException</type>
<name>Bad Request</name>
<message>Missing required parameters: test</message>
<code>0</code>
<status>400</status>
</response>
I agree, that type isn't needed. Would it be better if the user can customize the error format? There are some cases, especially in production, where only the name and status are needed, nothing more, nothing else.
@RomeroMsk type is OK to include since it will be easy to write consumer code, i.e. there will be a single method of parsing exception JSON, not two separate methods and not one big method with ifs.
@samdark Including the name of the framework in type is not good, I think.
Why not make it flexible, so that it is customizable by the developer?
Possible solutions are to provide docs on how to override the error class, or to have a configuration option for the error response.
Checked, works fine. Thank you! :+1: