[civicrm-core.git] / CRM / Api4 / Page / AJAX.php

<?php

/*
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC. All rights reserved.                        |
 |                                                                    |
 | This work is published under the GNU AGPLv3 license with some      |
 | permitted exceptions and without any warranty. For full license    |
 | and copyright information, see https://civicrm.org/licensing       |
 +--------------------------------------------------------------------+
 */

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */
class CRM_Api4_Page_AJAX extends CRM_Core_Page {

  /**
   * Handler for api4 ajax requests
   */
  public function run() {
    $config = CRM_Core_Config::singleton();
    if (!$config->debug && !CRM_Utils_REST::isWebServiceRequest()) {
      $response = [
        'error_code' => 401,
        'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
      ];
      Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
        [
          'IP' => $_SERVER['REMOTE_ADDR'],
          'level' => 'security',
          'referer' => $_SERVER['HTTP_REFERER'],
          'reason' => 'CSRF suspected',
        ]
      );
      CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
      echo json_encode($response);
      CRM_Utils_System::civiExit();
    }
    if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
      strtolower(substr($this->urlPath[4], 0, 3)) != 'get') {
      $response = [
        'error_code' => 400,
        'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
      ];
      Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
        [
          'IP' => $_SERVER['REMOTE_ADDR'],
          'level' => 'security',
          'referer' => $_SERVER['HTTP_REFERER'],
          'reason' => 'Destructive HTTP GET',
        ]
      );
      CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
      echo json_encode($response);
      CRM_Utils_System::civiExit();
    }
    try {
      // Call multiple
      if (empty($this->urlPath[3])) {
        $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
        $calls = json_decode($calls, TRUE);
        $response = [];
        foreach ($calls as $index => $call) {
          $response[$index] = call_user_func_array([$this, 'execute'], $call);
        }
      }
      // Call single
      else {
        $entity = $this->urlPath[3];
        $action = $this->urlPath[4];
        $params = CRM_Utils_Request::retrieve('params', 'String');
        $params = $params ? json_decode($params, TRUE) : [];
        $index = CRM_Utils_Request::retrieve('index', 'String');
        $response = $this->execute($entity, $action, $params, $index);
      }
    }
    catch (Exception $e) {
      $statusMap = [
        \Civi\API\Exception\UnauthorizedException::class => 403,
      ];
      http_response_code($statusMap[get_class($e)] ?? 500);
      $response = [];
      if (CRM_Core_Permission::check('view debug output')) {
        $response['error_code'] = $e->getCode();
        $response['error_message'] = $e->getMessage();
        if (!empty($params['debug'])) {
          if (method_exists($e, 'getUserInfo')) {
            $response['debug']['info'] = $e->getUserInfo();
          }
          $cause = method_exists($e, 'getCause') ? $e->getCause() : $e;
          if ($cause instanceof \DB_Error) {
            $response['debug']['db_error'] = \DB::errorMessage($cause->getCode());
            $response['debug']['sql'][] = $cause->getDebugInfo();
          }
          if (\Civi::settings()->get('backtrace')) {
            // Would prefer getTrace() but that causes json_encode to bomb
            $response['debug']['backtrace'] = $e->getTraceAsString();
          }
        }
      }
      else {
        $error_id = rtrim(chunk_split(CRM_Utils_String::createRandom(12, CRM_Utils_String::ALPHANUMERIC), 4, '-'), '-');
        $response['error_code'] = '1';
        $response['error_message']  = ts('Sorry an error occurred and your request was not completed. (Error ID: %1)', [
          1 => $error_id,
        ]);
        \Civi::log()->debug('AJAX Error ({error_id}): failed with exception', [
          'error_id' => $error_id,
          'exception' => $e,
        ]);
      }
    }
    CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
    echo json_encode($response);
    CRM_Utils_System::civiExit();
  }

  /**
   * Run api call & prepare result for json encoding
   *
   * @param string $entity
   * @param string $action
   * @param array $params
   * @param string $index
   * @return array
   */
  protected function execute($entity, $action, $params = [], $index = NULL) {
    $params['checkPermissions'] = TRUE;

    // Handle numeric indexes later so we can get the count
    $itemAt = CRM_Utils_Type::validate($index, 'Integer', FALSE);

    $result = civicrm_api4($entity, $action, $params, isset($itemAt) ? NULL : $index);

    // Convert arrayObject into something more suitable for json
    $vals = ['values' => isset($itemAt) ? $result->itemAt($itemAt) : (array) $result];
    foreach (get_class_vars(get_class($result)) as $key => $val) {
      $vals[$key] = $result->$key;
    }
    unset($vals['rowCount']);
    $vals['count'] = $result->count();
    $vals['countFetched'] = $result->countFetched();
    if (in_array('row_count', $params['select'] ?? [])) {
      // We can only return countMatched (whose value is independent of LIMIT clauses) if row_count was in the select.
      $vals['countMatched'] = $result->count();
    }

    return $vals;
  }

}
Commit	Line	Data
19b53e5b C	1	<?php
19b53e5b C	2
380f3545 TO	3	/*
380f3545 TO	4	+--------------------------------------------------------------------+
bc77d7c0	5	\| Copyright CiviCRM LLC. All rights reserved. \|
380f3545	6	\| \|
bc77d7c0 TO	7	\| This work is published under the GNU AGPLv3 license with some \|
	8	\| permitted exceptions and without any warranty. For full license \|
	9	\| and copyright information, see https://civicrm.org/licensing \|
380f3545 TO	10	+--------------------------------------------------------------------+
	11	*/
	12
	13	/**
	14	*
	15	* @package CRM
ca5cec67	16	* @copyright CiviCRM LLC https://civicrm.org/licensing
380f3545	17	*/
19b53e5b C	18	class CRM_Api4_Page_AJAX extends CRM_Core_Page {
	19
	20	/**
	21	* Handler for api4 ajax requests
	22	*/
	23	public function run() {
cfce6eb7	24	$config = CRM_Core_Config::singleton();
7511bc6e	25	if (!$config->debug && !CRM_Utils_REST::isWebServiceRequest()) {
cfce6eb7 SL	26	$response = [
	27	'error_code' => 401,
	28	'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
	29	];
2e40130b	30	Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
cfce6eb7 SL	31	[
	32	'IP' => $_SERVER['REMOTE_ADDR'],
	33	'level' => 'security',
	34	'referer' => $_SERVER['HTTP_REFERER'],
	35	'reason' => 'CSRF suspected',
	36	]
	37	);
	38	CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
	39	echo json_encode($response);
	40	CRM_Utils_System::civiExit();
	41	}
2e40130b	42	if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
520430db	43	strtolower(substr($this->urlPath[4], 0, 3)) != 'get') {
2e40130b SL	44	$response = [
	45	'error_code' => 400,
	46	'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
	47	];
	48	Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
	49	[
	50	'IP' => $_SERVER['REMOTE_ADDR'],
	51	'level' => 'security',
	52	'referer' => $_SERVER['HTTP_REFERER'],
	53	'reason' => 'Destructive HTTP GET',
	54	]
	55	);
	56	CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
	57	echo json_encode($response);
	58	CRM_Utils_System::civiExit();
	59	}
19b53e5b C	60	try {
	61	// Call multiple
	62	if (empty($this->urlPath[3])) {
f7ad2038	63	$calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
19b53e5b C	64	$calls = json_decode($calls, TRUE);
	65	$response = [];
	66	foreach ($calls as $index => $call) {
	67	$response[$index] = call_user_func_array([$this, 'execute'], $call);
	68	}
	69	}
	70	// Call single
	71	else {
	72	$entity = $this->urlPath[3];
	73	$action = $this->urlPath[4];
	74	$params = CRM_Utils_Request::retrieve('params', 'String');
	75	$params = $params ? json_decode($params, TRUE) : [];
	76	$index = CRM_Utils_Request::retrieve('index', 'String');
	77	$response = $this->execute($entity, $action, $params, $index);
	78	}
	79	}
	80	catch (Exception $e) {
2af6f9b6 TO	81	$statusMap = [
	82	\Civi\API\Exception\UnauthorizedException::class => 403,
	83	];
b8ccbe73	84	http_response_code($statusMap[get_class($e)] ?? 500);
f9d83e59	85	$response = [];
19b53e5b	86	if (CRM_Core_Permission::check('view debug output')) {
f9d83e59	87	$response['error_code'] = $e->getCode();
19b53e5b	88	$response['error_message'] = $e->getMessage();
f9d83e59 CW	89	if (!empty($params['debug'])) {
	90	if (method_exists($e, 'getUserInfo')) {
	91	$response['debug']['info'] = $e->getUserInfo();
	92	}
	93	$cause = method_exists($e, 'getCause') ? $e->getCause() : $e;
	94	if ($cause instanceof \DB_Error) {
	95	$response['debug']['db_error'] = \DB::errorMessage($cause->getCode());
	96	$response['debug']['sql'][] = $cause->getDebugInfo();
	97	}
	98	if (\Civi::settings()->get('backtrace')) {
	99	// Would prefer getTrace() but that causes json_encode to bomb
	100	$response['debug']['backtrace'] = $e->getTraceAsString();
	101	}
19b53e5b C	102	}
19b53e5b C	103	}
2af6f9b6 TO	104	else {
	105	$error_id = rtrim(chunk_split(CRM_Utils_String::createRandom(12, CRM_Utils_String::ALPHANUMERIC), 4, '-'), '-');
	106	$response['error_code'] = '1';
	107	$response['error_message'] = ts('Sorry an error occurred and your request was not completed. (Error ID: %1)', [
	108	1 => $error_id,
	109	]);
	110	\Civi::log()->debug('AJAX Error ({error_id}): failed with exception', [
	111	'error_id' => $error_id,
	112	'exception' => $e,
	113	]);
	114	}
19b53e5b C	115	}
	116	CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
	117	echo json_encode($response);
	118	CRM_Utils_System::civiExit();
	119	}
	120
	121	/**
	122	* Run api call & prepare result for json encoding
	123	*
	124	* @param string $entity
	125	* @param string $action
	126	* @param array $params
	127	* @param string $index
	128	* @return array
	129	*/
	130	protected function execute($entity, $action, $params = [], $index = NULL) {
	131	$params['checkPermissions'] = TRUE;
	132
	133	// Handle numeric indexes later so we can get the count
	134	$itemAt = CRM_Utils_Type::validate($index, 'Integer', FALSE);
	135
	136	$result = civicrm_api4($entity, $action, $params, isset($itemAt) ? NULL : $index);
	137
	138	// Convert arrayObject into something more suitable for json
	139	$vals = ['values' => isset($itemAt) ? $result->itemAt($itemAt) : (array) $result];
	140	foreach (get_class_vars(get_class($result)) as $key => $val) {
	141	$vals[$key] = $result->$key;
	142	}
651c4c95	143	unset($vals['rowCount']);
19b53e5b	144	$vals['count'] = $result->count();
4f8baa75 RLAR	145	$vals['countFetched'] = $result->countFetched();
	146	if (in_array('row_count', $params['select'] ?? [])) {
	147	// We can only return countMatched (whose value is independent of LIMIT clauses) if row_count was in the select.
	148	$vals['countMatched'] = $result->count();
	149	}
	150
19b53e5b C	151	return $vals;
	152	}
	153
	154	}