In REST APIv7 responses, when resources are embedded, it is possible to create an infinite loop of requests for resources. Some scenarios where this might occur:
- A Group resource embeds its subgroups, and the subgroups embed the groups they belong to. The same would also occur for EPerson resources that embed Groups, and those Groups embed their EPersons (which again embed their Groups)
- Collection (or any DSO) resource which embeds its ResourcePolicies and those ResourcePolicies embedding the DSO they refer to (which again embed their ResourcePolicies)
- Disables all embedded resources by default. (However it is possible for a request to choose to reenable those embedded resources via projections)
- Disallow (via Java code) some Links to ever be embedded. For example, the EPersonGroupLinkRepository disallows any request to embed those resources by returning `false` for `isEmbeddableRelation()`. (This ensures no requests or projections can embed those resources.)
As pointed out in Slack today by Andrea Bollini (4Science), this simple workaround works fine, but point #2 above requires us to keep close watch on any links/embeds that might accidentally result in an infinite loop.
An alternative, more automated solution to this problem might be to only allow a full resource to be embedded once in a request. The second time that resource is encountered in the same request, only its ID would be embedded.
This would ensure infinite loops are no longer possible in any requests. However, it would require clients to "understand" that the full resource and the "only ID" resource are in fact the same resource.
This ticket is currently a simple placeholder for more discussion. More analysis/discussion is needed to determine the best route forward.