🚑 #495 - fix: use POST body for selection items API call to prevent excessive URL length

Author: svenvandescheur

backend/src/openarchiefbeheer/selection/api/drf_spectacular/hooks.py

@@ -17,10 +17,10 @@ def update_schema_for_dynamic_keys(
     openapi_response_schema = force_instance(SCHEMA_RESPONSE)
 
     # TODO: Try if a OpenApiSerializerExtension can be used to do this?
-    result["paths"]["/api/v1/selections/{key}/"]["get"]["responses"]["200"]["content"][
+    result["paths"]["/api/v1/selections/{key}/"]["post"]["responses"]["200"]["content"][
         "application/json"
     ]["schema"] = openapi_response_schema.response
-    result["paths"]["/api/v1/selections/{key}/"]["get"]["responses"]["200"]["content"][
+    result["paths"]["/api/v1/selections/{key}/"]["post"]["responses"]["200"]["content"][
         "application/json"
     ]["examples"] = build_examples_list(openapi_response_schema.examples)
 

backend/src/openarchiefbeheer/selection/api/views.py

@@ -50,7 +50,7 @@ def _get_selection_representation(self, queryset=None):
         # DRF spectacular post processing hooks.
         responses={200: SelectionItemDataReadSerializer(many=True)},
     )
-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
         queryset = self.filter_queryset(self.get_queryset())
 
         return Response(self._get_selection_representation(queryset))

backend/src/openarchiefbeheer/selection/tests/test_endpoints.py

@@ -40,7 +40,7 @@ def test_get_zaak_selection(self):
 
         self.client.force_login(self.user)
 
-        response = self.client.get(reverse("api:selections", args=[key]))
+        response = self.client.post(reverse("api:selections", args=[key]))
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
@@ -230,7 +230,7 @@ def test_get_filtered_zaak_selection(self):
         endpoint.args["annotated"] = True
         endpoint.args["test"] = "tralala"
 
-        response = self.client.get(endpoint.url)
+        response = self.client.post(endpoint.url)
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
@@ -263,7 +263,7 @@ def test_get_selection_item(self):
         self.client.force_login(self.user)
         endpoint = furl(reverse("api:selections", args=[key]))
         endpoint.args["items"] = "http://zaken.nl/api/v1/zaken/111-111-111"
-        response = self.client.get(endpoint.url)
+        response = self.client.post(endpoint.url)
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
@@ -303,7 +303,7 @@ def test_filter_items(self):
         endpoint.args["items"] = (
             "http://zaken.nl/api/v1/zaken/111-111-111,http://zaken.nl/api/v1/zaken/222-222-222"
         )
-        response = self.client.get(endpoint.url)
+        response = self.client.post(endpoint.url)
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
@@ -477,7 +477,7 @@ def test_urls_not_camelised(self):
 
         self.client.force_login(self.user)
 
-        response = self.client.get(reverse("api:selections", args=[key]))
+        response = self.client.post(reverse("api:selections", args=[key]))
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 

frontend/src/lib/api/zaakSelection.ts

@@ -35,15 +35,14 @@ export async function getSelectionItems<DetailType = unknown>(
   selectedOnly = true,
   signal?: AbortSignal,
 ) {
-  const zaakUrls = zaken.map((zaak) => _getZaakUrl(zaak));
-  const params = new URLSearchParams({ items: zaakUrls.join(",") });
+  const items = zaken.map((zaak) => _getZaakUrl(zaak));
+  const params = new URLSearchParams();
   selectedOnly && params.set("selected", "true");
-
   const response = await request(
-    "GET",
+    "POST",
     `/selections/${key}/`,
     params,
-    undefined,
+    { items },
     undefined,
     signal,
   );

frontend/src/pages/destructionlist/review/DestructionListReview.stories.tsx

@@ -80,19 +80,19 @@ const meta: Meta<typeof DestructionListReviewPage> = {
       },
       {
         url: "http://localhost:8000/api/v1/selections/destruction-list-review-00000000-0000-0000-0000-000000000000-changes_requested/?items=http%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F87691e74-1b0b-491a-aa63-0a396bbb1e3e%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F3038cc8e-003b-411c-b6ef-7dc5ddc5a3ee%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F78b6dd10-261b-4a40-99e2-1eea3e38bc99%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F64bec25d-5752-48a9-b2f9-6c27085a469f%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F409a291a-9cf0-4c40-9f31-25e9452a8e79%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F1188687c-392b-439e-9d5f-4d17bac822bf%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F5d816422-7f1c-42b4-9a4c-715d2e07aca3%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F2e803c71-49c4-4dc0-bfd1-42f2a3da99f9%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2Fbd6cdd85-d578-47fa-9ddb-846354088a47%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F2ca5f28c-397b-4cc6-ac76-4ef6cab19f59",
-        method: "GET",
+        method: "POST",
         status: 200,
         response: {},
       },
       {
-        url: "http://localhost:8000/api/v1/selections/storybook-storage-key/?items=http%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F87691e74-1b0b-491a-aa63-0a396bbb1e3e%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F3038cc8e-003b-411c-b6ef-7dc5ddc5a3ee%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F78b6dd10-261b-4a40-99e2-1eea3e38bc99%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F64bec25d-5752-48a9-b2f9-6c27085a469f%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F409a291a-9cf0-4c40-9f31-25e9452a8e79%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F1188687c-392b-439e-9d5f-4d17bac822bf%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F5d816422-7f1c-42b4-9a4c-715d2e07aca3%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F2e803c71-49c4-4dc0-bfd1-42f2a3da99f9%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2Fbd6cdd85-d578-47fa-9ddb-846354088a47%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F2ca5f28c-397b-4cc6-ac76-4ef6cab19f59",
-        method: "GET",
+        url: "http://localhost:8000/api/v1/selections/storybook-storage-key/",
+        method: "POST",
         status: 200,
         response: {},
       },
       {
-        url: "http://localhost:8000/api/v1/selections/storybook-storage-key/?items=http%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F87691e74-1b0b-491a-aa63-0a396bbb1e3e%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F3038cc8e-003b-411c-b6ef-7dc5ddc5a3ee%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F78b6dd10-261b-4a40-99e2-1eea3e38bc99%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F64bec25d-5752-48a9-b2f9-6c27085a469f%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F409a291a-9cf0-4c40-9f31-25e9452a8e79%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F1188687c-392b-439e-9d5f-4d17bac822bf%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F5d816422-7f1c-42b4-9a4c-715d2e07aca3%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F2e803c71-49c4-4dc0-bfd1-42f2a3da99f9%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2Fbd6cdd85-d578-47fa-9ddb-846354088a47%2Chttp%3A%2F%2Flocalhost%3A8000%2Fzaken%2Fapi%2Fv1%2Fzaken%2F2ca5f28c-397b-4cc6-ac76-4ef6cab19f59&selected=true",
-        method: "GET",
+        url: "http://localhost:8000/api/v1/selections/storybook-storage-key/",
+        method: "POST",
         status: 200,
         response: {},
       },