[civicrm-core.git] / CRM / Cxn / ApiRouter.php

<?php
/*
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC. All rights reserved.                        |
 |                                                                    |
 | This work is published under the GNU AGPLv3 license with some      |
 | permitted exceptions and without any warranty. For full license    |
 | and copyright information, see https://civicrm.org/licensing       |
 +--------------------------------------------------------------------+
 */

/**
 * Class CRM_Cxn_ApiRouter
 *
 * The ApiRouter receives an incoming API request from CiviConnect,
 * validates it, configures permissions, and sends it to the API layer.
 */
class CRM_Cxn_ApiRouter {

  /**
   * @param array $cxn
   * @param string $entity
   * @param string $action
   * @param array $params
   * @return mixed
   */
  public static function route($cxn, $entity, $action, $params) {
    $SUPER_PERM = ['administer CiviCRM'];

    require_once 'api/v3/utils.php';

    // FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
    if (Civi::settings()->get('enableSSL') &&
      !CRM_Utils_System::isSSL() &&
      strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders())) != 'https'
    ) {
      return civicrm_api3_create_error('System policy requires HTTPS.');
    }

    // Note: $cxn and cxnId are authenticated before router is called.
    $dao = new CRM_Cxn_DAO_Cxn();
    $dao->cxn_id = $cxn['cxnId'];
    if (empty($cxn['cxnId']) || !$dao->find(TRUE) || !$dao->cxn_id) {
      return civicrm_api3_create_error('Failed to lookup connection authorizations.');
    }
    if (!$dao->is_active) {
      return civicrm_api3_create_error('Connection is inactive.');
    }
    if (!is_string($entity) || !is_string($action) || !is_array($params)) {
      return civicrm_api3_create_error('API parameters are malformed.');
    }
    if (
      empty($cxn['perm']['api'])
      || !is_array($cxn['perm']['api'])
      || empty($cxn['perm']['grant'])
      || !(is_array($cxn['perm']['grant']) || is_string($cxn['perm']['grant']))
    ) {
      return civicrm_api3_create_error('Connection has no permissions.');
    }

    $whitelist = \Civi\API\WhitelistRule::createAll($cxn['perm']['api']);
    \Civi::dispatcher()
      ->addSubscriber(new \Civi\API\Subscriber\WhitelistSubscriber($whitelist));
    CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp();
    if ($cxn['perm']['grant'] === '*') {
      CRM_Core_Config::singleton()->userPermissionTemp->grant($SUPER_PERM);
    }
    else {
      CRM_Core_Config::singleton()->userPermissionTemp->grant($cxn['perm']['grant']);
    }

    $params['check_permissions'] = 'whitelist';
    return civicrm_api($entity, $action, $params);
  }

}
Commit	Line	Data
48716433 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
bc77d7c0	4	\| Copyright CiviCRM LLC. All rights reserved. \|
48716433	5	\| \|
bc77d7c0 TO	6	\| This work is published under the GNU AGPLv3 license with some \|
	7	\| permitted exceptions and without any warranty. For full license \|
	8	\| and copyright information, see https://civicrm.org/licensing \|
48716433 TO	9	+--------------------------------------------------------------------+
	10	*/
	11
	12	/**
	13	* Class CRM_Cxn_ApiRouter
	14	*
	15	* The ApiRouter receives an incoming API request from CiviConnect,
	16	* validates it, configures permissions, and sends it to the API layer.
	17	*/
	18	class CRM_Cxn_ApiRouter {
	19
	20	/**
	21	* @param array $cxn
	22	* @param string $entity
	23	* @param string $action
	24	* @param array $params
	25	* @return mixed
	26	*/
	27	public static function route($cxn, $entity, $action, $params) {
be2fb01f	28	$SUPER_PERM = ['administer CiviCRM'];
48716433 TO	29
	30	require_once 'api/v3/utils.php';
	31
	32	// FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
aaffa79f	33	if (Civi::settings()->get('enableSSL') &&
48716433 TO	34	!CRM_Utils_System::isSSL() &&
	35	strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders())) != 'https'
	36	) {
	37	return civicrm_api3_create_error('System policy requires HTTPS.');
	38	}
	39
	40	// Note: $cxn and cxnId are authenticated before router is called.
	41	$dao = new CRM_Cxn_DAO_Cxn();
	42	$dao->cxn_id = $cxn['cxnId'];
	43	if (empty($cxn['cxnId']) \|\| !$dao->find(TRUE) \|\| !$dao->cxn_id) {
	44	return civicrm_api3_create_error('Failed to lookup connection authorizations.');
	45	}
	46	if (!$dao->is_active) {
	47	return civicrm_api3_create_error('Connection is inactive.');
	48	}
	49	if (!is_string($entity) \|\| !is_string($action) \|\| !is_array($params)) {
	50	return civicrm_api3_create_error('API parameters are malformed.');
	51	}
	52	if (
	53	empty($cxn['perm']['api'])
	54	\|\| !is_array($cxn['perm']['api'])
	55	\|\| empty($cxn['perm']['grant'])
	56	\|\| !(is_array($cxn['perm']['grant']) \|\| is_string($cxn['perm']['grant']))
	57	) {
	58	return civicrm_api3_create_error('Connection has no permissions.');
	59	}
	60
	61	$whitelist = \Civi\API\WhitelistRule::createAll($cxn['perm']['api']);
4162ab6f	62	\Civi::dispatcher()
48716433 TO	63	->addSubscriber(new \Civi\API\Subscriber\WhitelistSubscriber($whitelist));
	64	CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp();
	65	if ($cxn['perm']['grant'] === '*') {
	66	CRM_Core_Config::singleton()->userPermissionTemp->grant($SUPER_PERM);
	67	}
	68	else {
	69	CRM_Core_Config::singleton()->userPermissionTemp->grant($cxn['perm']['grant']);
	70	}
	71
	72	$params['check_permissions'] = 'whitelist';
	73	return civicrm_api($entity, $action, $params);
	74	}
	75
	76	}