The Elgg documentation describes the REST API rather superficially, yet provides no samples, and is now inaccurate for the recent versions of Elgg.
After a minor modification to your .htaccess file, using the REST API is very simple, and, in many cases, avoids the need to create individual files in your Elgg root directory to provide custom functionality.
First, let’s look at how your API method would be called:
http://localhost:8080/elgg/pg/api/rest?method=login&username=dansari&password=apples
Let me explain technically what’s going on first. Any API calls in Elgg are handled by a page handler, i.e., when the HTTP request begins with /pg/...
, the .htaccess (containing mod_rewrite
rules) tells Apache to use the Elgg file engine/handlers/pagehandler.php
to handle the request. Elgg then determines which page handler to use, and invokes it. The REST API is known as an “API endpoint”. In this case, because the next part of the URL is rest
, the API page handler passes control to the file services/api/rest.php
.
The problem with the .htaccess that ships with Elgg is that it would cause the page handler to be invoked as pagehandler.php?handler=api&page=rest
, discarding the querystring entirely. services/api/rest.php
actually expects the method parameters to be in the querystring, so to get this to work, we simply change the following line in .htaccess:
RewriteRule ^pg\/([A-Za-z\_\-]+)\/(.*)$ engine/handlers/pagehandler.php?handler=$1&page=$2
to this:
RewriteRule ^pg\/([A-Za-z\_\-]+)\/(.*)$ engine/handlers/pagehandler.php?handler=$1&page=$2 [QSA]
Here is the code for a sample REST method, which would be implemented via a plugin. For this example, the following file is located at mod/rest_login/start.php
(NB I had to put a space character before the ?php
in line 1 for WordPress to render this listing):
< ?php
function rest_login_init() {
expose_function('login', 'rest_login_handler', array(
"username" => array("type" => "string"),
"password" => array("type" => "string")
), "", "GET", false, true);
}
function rest_login_handler($username, $password) {
$persistent = "1";
$result = false;
if (!empty($username) && !empty($password)) {
if ($user = authenticate($username,$password)) {
$result = login($user, $persistent);
}
}
return $result;
}
// Add the plugin's init function to the system's init event
register_elgg_event_handler('init','system','rest_login_init');
?>
The important differences between what is stated in the Elgg documentation and here are:
- There is no
register_method
function. Instead, useexpose_function
as in line 4. "type"
must be specified for each parameter, as in lines 5-6.
Finally, here is an excerpt from engine/lib/api.php
, which explains the parameters in more detail:
/**
* Expose an arbitrary function as an api call.
*
* Limitations: Currently can not expose functions which expect objects.
*
* @param string $method The api name to expose this as, eg "myapi.dosomething"
* @param string $function Your function callback.
* @param array $parameters Optional list of parameters in the same order as in your function, with optional parameters last.
* This array should be in the format
* "variable" = array (
* type => 'int' | 'bool' | 'float' | 'string' | 'array'
* required => true (default) | false
* )
* @param string $description Optional human readable description of the function.
* @param string $call_method Define what call method should be used for this function.
* @param bool $require_auth_token Whether this requires a user authentication token or not (default is true).
* @param bool $anonymous Can anonymous (non-authenticated in any way) users execute this call.
* @return bool
*/
function expose_function($method, $function, array $parameters = NULL, $description = "", $call_method = "GET", $require_auth_token = true, $anonymous = false)
There are limitations of the REST API, one of them being that the return value is rendered in a view. You can override the view by including the directory structure and file views/default/api/output.php
in your module directory, but Elgg will still render it as HTML; if you need to process the result, you will need to parse this HTML. Also, if you decide to override this view, it will be overridden for any REST API method calls, not just the one implemented in your module.
One particular limitation of the sample above is that it does not authenticate! At least I couldn’t get it to work; the reason is that the API method is registered as not requiring a user authentication token. As a result, the method executes in unauthenticated fashion, and when authenticate()
is called to attempt to authenticate the user, it always succeeds – regardless of the password – because pam_authenticate()
returns true for the executing method. (Hopefully this would make sense to you if you’ve written an authentication plugin.)