Sahana Eden

Web Services

Web Services in Sahana Eden are implemented as a RESTful API (Application Programming Interface).

This API allows other applications to access and manipulate Sahana Eden data resources directly over the web using the HTTP protocol, which means:

  • URLs to address resources
  • HTTP requests to perform actions and transfer data
  • HTTP method verbs (GET, PUT, POST, DELETE) to specify the actions to be performed
  • HTTP status codes to report status and errors

A powerful query language is available to address particular data elements:


(all person records where the first name contains "Miriam")

...or to specify method parameters:


(a pivot table of offices grouped by facility type vs. location)

The RESTful API uses Sahana Eden's native S3XML format for data exchange. Other XML or JSON formats are supported using on-the-fly XSLT transformation - Sahana Eden provides built-in XSLT stylesheets for a variety of XML standards (e.g. KML, EDXL-HAVE), and can also accept custom stylesheets.

URL Format

Basic URL Syntax

Example of a URL to address a resource in the Sahana Eden RESTful API:

The basic URL format is:

(Parts in { } are optional, [ A | B ] indicates alternatives)

http:// server / path / prefix / name { /<arguments> }{ ?<query> }

  • server ( is the server domain name
  • path (/eden) the path to the application
  • prefix (/hms) is the name (prefix) of the Sahana Eden module
  • name (/hospital) is the resource name

The <arguments> list consists of:

{ /id }{ / [ method | component { /component_id } { /method } ] } {.format}
  • id (/1) is a record ID in the master table of the resource
  • component (/bed_capacity) is a component name
  • component_id is a record ID in the component
  • method (/create) is a method of the resource
  • format specifies the requested data format (e.g.: ".xml" for S3XML)

For the <query> syntax, see the following section.

Basic Query Format

Example of a URL query:

?hospital.name__like=Example%20Hospital part the complete URL:
The basic query format is:

?resource.{foreign key$}field{operator}=value(s)

  • resource (hospital) is the name of the component, followed by a period (.)
  • foreign key is the name of the foreign key field followed by a dollar sign (to filter against a value in the table referenced by this foreign key)
  • field (name) is the name of the field in the target table
  • operator (__like) is the operator
  • value(s) (Example%20Hospital) is the value or a comma-separated list of values to test against (a comma will be treated as an OR)
Note that special characters in values must be properly URL-encoded (the %20 in this example stands for a blank).

Supported operators:

Operator Method Comments
__eq equal, = can be omitted
__ne not equal, !=
__lt less than, < numeric and date/time types only
__le less than or equal, <= numeric and date/time types only
__gt greater than, > numeric and date/time types only
__ge greater than or equal, >= numeric and date/time types only
__like wildcard comparison, LIKE(%value%) string/text types only
__unlike negative wildcard comparison, NOT LIKE(%value%) string/text types only
__in containment, contains(value) list types only
__ex negative containment, excludes(value) list types only

Other Queries

Boundary Box Queries

For resources with location references (e.g. Hospitals), you can use boundary box queries to select records. The general format of the query variable is:


    You can also specify the foreign key field name of the location reference the query relates to (e.g. in case there are multiple location references in that resource):




      URL Examples

      Interactive (HTML) Format

      All "person" records in the Person Registry module (pr):


      Non-interactive Formats

      All "person" records in the Person Registry module (pr), in other data formats:


      Record by ID


      Record by UUID

      http://localhost:8000/eden/pr/person?person.uuid= urn:uuid:839bab5a-a401-4be3-8616-27fbc1810ef4

      URL Queries


      Note that in URL queries, date/time values must be in UTC and use the ISO-8601 combined format YYYMMDDThh:mm:ss.

      Standard Methods

      Standard methods include:

      • interactive create, read, update and delete (CRUD) including list views
      • data export/import in various formats, including on-the-fly transformation


      • in XML and JSON, resources are always exported/imported including all their components and referenced resources.
      • in all other formats, the components need to be addressed separately


      Interactive Formats

      Interactive formats are HTML (Extension ".html"), or PLAIN (Extension ".plain"). If no format extension is specified, HTML format is assumed.

      • without method specified in the URL:
        • if no record ID in the URL: list view of the resource
        • with a record ID in the URL: read view of the specified record (if the user is permitted to update the record, an update form returned instead)

      Example: read view of the person record #1:

      • with method specified in the URL:
        • method create returns a create-form
        • method read returns a view of the specified record (other than with blank method, no update form is returned in this case)
        • method update returns an update form for the specified record
        • method delete returns a delete confirmation form together with a list of the specified records (if there is exactly one record identified by its ID in the URL, then the record will be deleted instead of a form being returned, see POST)

      Example: create form for a new person record:

      • some resources support other methods, e.g.
        • search returns a search form for the resource

      Example: search for a person by name or ID:


      Non-interactive formats

      Any format extension that is not listed under the interactive formats, is treated as non-interactive.

      • without method in the URL:
        • returns all matching records in the specified format

      Example: all person records the user is allowed to read, in S3XML format:

      GET http://localhost:8000/eden/pr/person.xml
      • with method in the URL:
        • method create or update returns a schema document of the resource
        • method create or update together with a source imports the data into the specified resource (see chapter S3XML)
        • method options returns a field options document of the resource
        • other methods are not supported

      Example: get a schema document of the person resource:

      GET http://localhost:8000/eden/pr/person/create.xml
      • XLS and PDF formats work read-only (create/update/delete being ignored)


      Interactive Formats

      • performs the respective method (if specified in the request)
        • method create creates a new record
        • method update updates the specified record
        • method delete deletes the specified record
      • expects the form data as multi-part request body

      Non-interactive Formats

      • enters an interactive review of the source data before importing the data into the resource


      Interactive formats

      • see POST

      Non-interactive formats

      • import data from the request body (which must be in the specified format) into the resource
      • records being matched by the UIDs specified in the data, while any record IDs in the URL restrict the selection


      • deletes those of the addressed records which are deletable by the current user


      It is possible to access privileged resources by providing the username/password within each request, rather than the usual method of having the login stored within the session.

      The RESTful API supports HTTP Basic Authentication (

      Note: for some command-line tools like wget or RESTClient you might need to additionally activate an option for pre-emptive authentication (unsolicited sending of credentials). E.g. for wget, use the --auth-no-challenge option.

      AJAX Examples

      Here some examples how to add the HTTP Basic Authentication header to AJAX requests:

      function make_base_auth(user, password) {
       var tok = user + ':' + pass;
       var hash = Base64.encode(tok);
       return 'Basic ' + hash;
      var auth = make_basic_auth('', 'password');
      var url = 'http://host.domain/eden/controller/function?vars';
      // RAW
      request = new XMLHttpRequest();
      request.setRequestHeader('Authorization', auth);'PUT', url, true); // async=true
      // ExtJS
          url : url,
          method : 'GET',
          headers : { Authorization : auth }
      // jQuery
          url : url,
          method : 'GET',
          beforeSend : function(req) {
              req.setRequestHeader('Authorization', auth);

      Error Handling

      The HTTP status code in the response indicates the success or failure of a request:

      Status Code Cause  Response Body
       200 OK Success results or JSON message
      400 BAD REQUEST Syntax error or method not supported for the specified resource
      JSON message
      401 UNAUTHORIZED Authorization required Clear text error
      403 FORBIDDEN Insufficient permissions Clear text error
      404 NOT FOUND Non-existent Resource Clear text error
      50x Unrecoverable internal error Ticket issued or clear text error

      Where a JSON message is returned, it has the following structure:
          success= "True" | "False",
          statuscode = "XXX",
          message = "clear text error message",
          tree = {
            /* element tree */

      If there was an input element tree and it contained any errors, a subtree with the invalid elements will be added to the JSON message ("tree"). This subtree is expressed in JSON Format. Invalid elements will have an additional @error attribute containing a clear-text error desription.

      Skipping invalid records at import:

      By default, an import request will be rolled back (completely) and an HTTP 400 BAD REQUEST error be returned if the source contains any invalid data.

      You can override this behavior by using the ignore_errors URL variable (?ignore_errors=True). Invalid records will then be skipped, while the valid records will be committed to the database and the request returns a HTTP 200 OK. The JSON message in the response body would however contain the error message and the element tree with the invalid elements.

      Note that ignore_errors applies to Validation Errors only. Any other type of error (e.g. XML syntax error) will be handled as usual (=rollback + error message).

      The ignore_errors option is meant for "dirty" data, e.g. cases where you need to import from a source but do not have permission and/or means to clean it up before import. In all other cases, where possible, you should avoid ignore_errors and rather sanitize the source.

      S3XML On-the-fly Transformation

      The Sahana Eden RESTful API can perform XSLT transformation of XML sources into the S3XML format on-the-fly when exporting or importing data.


      The XSLT stylesheets to use for this transformation can be:

      • a static file on the server or a web URL
      • a file attached to the request (at import)
      • an integrated stylesheet of Eden (folder static/formats)


      • You cannot use the .xml or .json extension if the source is to be transformed. By these extensions, the interface assumes the source is already S3XML.
      • Non-XML formats such as PDF or XLS do not support on-the-fly transformation.

      Integrated Transformation Stylesheets

      Sahana Eden provides a number of internal XSLT stylesheets for various formats. These will be automatically used if no other stylesheet is specified (fallback). The internal stylesheets reside in:

      • static/formats/<format>/export.xsl to transform S3XML into another format
      • static/formats/<format>/import.xsl to transform another format into S3XML


      • static/formats/have/import.xsl transforms EDXL-HAVE (*.have) into S3XML
      • static/formats/have/export.xsl transforms S3XML into EDXL-HAVE

      XSLT Stylesheets on the Server

      You can use the URL variable transform to specify a transformation stylesheet at a file system location on the server, e.g.:

      ...or at another location on the web,e.g.:

      If you use transform to specify the stylesheet location explicitly, any existing internal stylesheet for the format extension would not be used.


      • the Eden web server must be permitted to access the stylesheet without authentication
      • the request must not use ".xml" as data format extension, otherwise no transformation will be performed at all (transform would be ignored then)

      This feature is especially useful to create custom feeds to integrate into remote sites, e.g. RSS:

      • create your own rss.xsl to transform S3XML into RSS
      • place it on a public (e.g. your own) web server, e.g.:
      • provide a feed link to Eden resources using your RSS stylesheet:

      This does work with any XML format, e.g. KML - if you wanted to provide a map rather than a feed link.

      Attached XSLT Stylesheets

      For data import, an XSLT stylesheet to transform foreign XML into S3XML can be attached to the request.

      The filename of the attached stylesheet is expected to be <resourcename>.xsl, where <resourcename> is the name of the target resource (without module prefix, e.g. person or hospital).


      • document(), xsl:include and xsl:import will need absolute paths in this case (safer to avoid these)