Update aql query endpoint

Author: jjnesbitt

multinet/api/tests/test_workspace.py

@@ -447,10 +447,16 @@ def test_workspace_rest_aql(
     node_table = populated_table(workspace, False)
     nodes: Cursor = node_table.get_rows()
     nodes_list = list(nodes)
+
     # try and execute a valid non-mutating query on the data
-    query = f'FOR document IN {node_table.name} RETURN document'
-    r = authenticated_api_client.get(
-        f'/api/workspaces/{workspace.name}/aql/', data={'query': query}
+    r = authenticated_api_client.post(
+        f'/api/workspaces/{workspace.name}/aql/',
+        {
+            'query': 'FOR doc IN @@TABLE RETURN doc',
+            'bind_vars': {
+                '@TABLE': node_table.name,
+            },
+        },
     )
     assert r.status_code == status_code
 
@@ -466,11 +472,17 @@ def test_workspace_rest_aql_mutating_query(
 ):
     workspace.set_user_permission(user, WorkspaceRoleChoice.READER)
     fake = Faker()
-
     node_table = populated_table(workspace, False)
+
     # Mutating query
-    query = f"INSERT {{ 'name': {fake.pystr()} }} INTO {node_table.name}"
-    r = authenticated_api_client.get(
-        f'/api/workspaces/{workspace.name}/aql/', data={'query': query}
+    r = authenticated_api_client.post(
+        f'/api/workspaces/{workspace.name}/aql/',
+        data={
+            'query': 'INSERT {name: @DOCNAME} INTO @@TABLE',
+            'bind_vars': {
+                '@TABLE': node_table.name,
+                'DOCNAME': fake.pystr(),
+            },
+        },
     )
     assert r.status_code == 400

multinet/api/views/serializers.py

@@ -89,6 +89,7 @@ class SingleUserWorkspacePermissionSerializer(serializers.Serializer):
 
 class AqlQuerySerializer(serializers.Serializer):
     query = serializers.CharField()
+    bind_vars = serializers.DictField(child=serializers.CharField())
 
 
 class AqlQueryTaskSerializer(serializers.ModelSerializer):

multinet/api/views/workspace.py

@@ -178,17 +178,22 @@ def put_workspace_permissions(self, request, name: str):
 
         return Response(PermissionsReturnSerializer(workspace).data, status=status.HTTP_200_OK)
 
-    @swagger_auto_schema(query_serializer=AqlQuerySerializer())
-    @action(detail=True)
+    @swagger_auto_schema(request_body=AqlQuerySerializer())
+    @action(detail=True, methods=['POST'])
     @require_workspace_permission(WorkspaceRoleChoice.READER)
     def aql(self, request, name: str):
         """Execute AQL in a workspace."""
-        serializer = AqlQuerySerializer(data=request.query_params)
+        serializer = AqlQuerySerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
-        query_str = serializer.validated_data['query']
+
+        # Retrieve workspace and db
         workspace: Workspace = get_object_or_404(Workspace, name=name)
         database = workspace.get_arango_db()
-        query = ArangoQuery(database, query_str)
+
+        # Form query
+        query_str = serializer.validated_data['query']
+        bind_vars = serializer.validated_data['bind_vars']
+        query = ArangoQuery(database, query_str=query_str, bind_vars=bind_vars)
 
         try:
             cursor: Cursor = query.execute()