Commit | Line | Data |
---|---|---|
19b53e5b C |
1 | <?php |
2 | ||
380f3545 TO |
3 | /* |
4 | +--------------------------------------------------------------------+ | |
bc77d7c0 | 5 | | Copyright CiviCRM LLC. All rights reserved. | |
380f3545 | 6 | | | |
bc77d7c0 TO |
7 | | This work is published under the GNU AGPLv3 license with some | |
8 | | permitted exceptions and without any warranty. For full license | | |
9 | | and copyright information, see https://civicrm.org/licensing | | |
380f3545 TO |
10 | +--------------------------------------------------------------------+ |
11 | */ | |
12 | ||
13 | /** | |
14 | * | |
15 | * @package CRM | |
ca5cec67 | 16 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
380f3545 | 17 | */ |
19b53e5b C |
18 | class CRM_Api4_Page_AJAX extends CRM_Core_Page { |
19 | ||
20 | /** | |
21 | * Handler for api4 ajax requests | |
22 | */ | |
23 | public function run() { | |
cfce6eb7 | 24 | $config = CRM_Core_Config::singleton(); |
7511bc6e | 25 | if (!$config->debug && !CRM_Utils_REST::isWebServiceRequest()) { |
cfce6eb7 SL |
26 | $response = [ |
27 | 'error_code' => 401, | |
28 | 'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().", | |
29 | ]; | |
2e40130b | 30 | Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().", |
cfce6eb7 SL |
31 | [ |
32 | 'IP' => $_SERVER['REMOTE_ADDR'], | |
33 | 'level' => 'security', | |
34 | 'referer' => $_SERVER['HTTP_REFERER'], | |
35 | 'reason' => 'CSRF suspected', | |
36 | ] | |
37 | ); | |
38 | CRM_Utils_System::setHttpHeader('Content-Type', 'application/json'); | |
39 | echo json_encode($response); | |
40 | CRM_Utils_System::civiExit(); | |
41 | } | |
2e40130b | 42 | if ($_SERVER['REQUEST_METHOD'] == 'GET' && |
520430db | 43 | strtolower(substr($this->urlPath[4], 0, 3)) != 'get') { |
2e40130b SL |
44 | $response = [ |
45 | 'error_code' => 400, | |
46 | 'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.", | |
47 | ]; | |
48 | Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.", | |
49 | [ | |
50 | 'IP' => $_SERVER['REMOTE_ADDR'], | |
51 | 'level' => 'security', | |
52 | 'referer' => $_SERVER['HTTP_REFERER'], | |
53 | 'reason' => 'Destructive HTTP GET', | |
54 | ] | |
55 | ); | |
56 | CRM_Utils_System::setHttpHeader('Content-Type', 'application/json'); | |
57 | echo json_encode($response); | |
58 | CRM_Utils_System::civiExit(); | |
59 | } | |
19b53e5b C |
60 | try { |
61 | // Call multiple | |
62 | if (empty($this->urlPath[3])) { | |
f7ad2038 | 63 | $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST'); |
19b53e5b C |
64 | $calls = json_decode($calls, TRUE); |
65 | $response = []; | |
66 | foreach ($calls as $index => $call) { | |
67 | $response[$index] = call_user_func_array([$this, 'execute'], $call); | |
68 | } | |
69 | } | |
70 | // Call single | |
71 | else { | |
72 | $entity = $this->urlPath[3]; | |
73 | $action = $this->urlPath[4]; | |
74 | $params = CRM_Utils_Request::retrieve('params', 'String'); | |
75 | $params = $params ? json_decode($params, TRUE) : []; | |
76 | $index = CRM_Utils_Request::retrieve('index', 'String'); | |
77 | $response = $this->execute($entity, $action, $params, $index); | |
78 | } | |
79 | } | |
80 | catch (Exception $e) { | |
2af6f9b6 TO |
81 | $statusMap = [ |
82 | \Civi\API\Exception\UnauthorizedException::class => 403, | |
83 | ]; | |
b8ccbe73 | 84 | http_response_code($statusMap[get_class($e)] ?? 500); |
f9d83e59 | 85 | $response = []; |
19b53e5b | 86 | if (CRM_Core_Permission::check('view debug output')) { |
f9d83e59 | 87 | $response['error_code'] = $e->getCode(); |
19b53e5b | 88 | $response['error_message'] = $e->getMessage(); |
f9d83e59 CW |
89 | if (!empty($params['debug'])) { |
90 | if (method_exists($e, 'getUserInfo')) { | |
91 | $response['debug']['info'] = $e->getUserInfo(); | |
92 | } | |
93 | $cause = method_exists($e, 'getCause') ? $e->getCause() : $e; | |
94 | if ($cause instanceof \DB_Error) { | |
95 | $response['debug']['db_error'] = \DB::errorMessage($cause->getCode()); | |
96 | $response['debug']['sql'][] = $cause->getDebugInfo(); | |
97 | } | |
98 | if (\Civi::settings()->get('backtrace')) { | |
99 | // Would prefer getTrace() but that causes json_encode to bomb | |
100 | $response['debug']['backtrace'] = $e->getTraceAsString(); | |
101 | } | |
19b53e5b C |
102 | } |
103 | } | |
2af6f9b6 TO |
104 | else { |
105 | $error_id = rtrim(chunk_split(CRM_Utils_String::createRandom(12, CRM_Utils_String::ALPHANUMERIC), 4, '-'), '-'); | |
106 | $response['error_code'] = '1'; | |
107 | $response['error_message'] = ts('Sorry an error occurred and your request was not completed. (Error ID: %1)', [ | |
108 | 1 => $error_id, | |
109 | ]); | |
110 | \Civi::log()->debug('AJAX Error ({error_id}): failed with exception', [ | |
111 | 'error_id' => $error_id, | |
112 | 'exception' => $e, | |
113 | ]); | |
114 | } | |
19b53e5b C |
115 | } |
116 | CRM_Utils_System::setHttpHeader('Content-Type', 'application/json'); | |
117 | echo json_encode($response); | |
118 | CRM_Utils_System::civiExit(); | |
119 | } | |
120 | ||
121 | /** | |
122 | * Run api call & prepare result for json encoding | |
123 | * | |
124 | * @param string $entity | |
125 | * @param string $action | |
126 | * @param array $params | |
127 | * @param string $index | |
128 | * @return array | |
129 | */ | |
130 | protected function execute($entity, $action, $params = [], $index = NULL) { | |
131 | $params['checkPermissions'] = TRUE; | |
132 | ||
133 | // Handle numeric indexes later so we can get the count | |
134 | $itemAt = CRM_Utils_Type::validate($index, 'Integer', FALSE); | |
135 | ||
136 | $result = civicrm_api4($entity, $action, $params, isset($itemAt) ? NULL : $index); | |
137 | ||
138 | // Convert arrayObject into something more suitable for json | |
139 | $vals = ['values' => isset($itemAt) ? $result->itemAt($itemAt) : (array) $result]; | |
140 | foreach (get_class_vars(get_class($result)) as $key => $val) { | |
141 | $vals[$key] = $result->$key; | |
142 | } | |
651c4c95 | 143 | unset($vals['rowCount']); |
19b53e5b | 144 | $vals['count'] = $result->count(); |
4f8baa75 RLAR |
145 | $vals['countFetched'] = $result->countFetched(); |
146 | if (in_array('row_count', $params['select'] ?? [])) { | |
147 | // We can only return countMatched (whose value is independent of LIMIT clauses) if row_count was in the select. | |
148 | $vals['countMatched'] = $result->count(); | |
149 | } | |
150 | ||
19b53e5b C |
151 | return $vals; |
152 | } | |
153 | ||
154 | } |