| 1 | <?php |
| 2 | /* |
| 3 | +--------------------------------------------------------------------+ |
| 4 | | Copyright CiviCRM LLC. All rights reserved. | |
| 5 | | | |
| 6 | | This work is published under the GNU AGPLv3 license with some | |
| 7 | | permitted exceptions and without any warranty. For full license | |
| 8 | | and copyright information, see https://civicrm.org/licensing | |
| 9 | +--------------------------------------------------------------------+ |
| 10 | */ |
| 11 | |
| 12 | /** |
| 13 | * Class CRM_Cxn_ApiRouter |
| 14 | * |
| 15 | * The ApiRouter receives an incoming API request from CiviConnect, |
| 16 | * validates it, configures permissions, and sends it to the API layer. |
| 17 | */ |
| 18 | class CRM_Cxn_ApiRouter { |
| 19 | |
| 20 | /** |
| 21 | * @param array $cxn |
| 22 | * @param string $entity |
| 23 | * @param string $action |
| 24 | * @param array $params |
| 25 | * @return mixed |
| 26 | */ |
| 27 | public static function route($cxn, $entity, $action, $params) { |
| 28 | $SUPER_PERM = ['administer CiviCRM']; |
| 29 | |
| 30 | require_once 'api/v3/utils.php'; |
| 31 | |
| 32 | // FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()? |
| 33 | if (Civi::settings()->get('enableSSL') && |
| 34 | !CRM_Utils_System::isSSL() && |
| 35 | strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders())) != 'https' |
| 36 | ) { |
| 37 | return civicrm_api3_create_error('System policy requires HTTPS.'); |
| 38 | } |
| 39 | |
| 40 | // Note: $cxn and cxnId are authenticated before router is called. |
| 41 | $dao = new CRM_Cxn_DAO_Cxn(); |
| 42 | $dao->cxn_id = $cxn['cxnId']; |
| 43 | if (empty($cxn['cxnId']) || !$dao->find(TRUE) || !$dao->cxn_id) { |
| 44 | return civicrm_api3_create_error('Failed to lookup connection authorizations.'); |
| 45 | } |
| 46 | if (!$dao->is_active) { |
| 47 | return civicrm_api3_create_error('Connection is inactive.'); |
| 48 | } |
| 49 | if (!is_string($entity) || !is_string($action) || !is_array($params)) { |
| 50 | return civicrm_api3_create_error('API parameters are malformed.'); |
| 51 | } |
| 52 | if ( |
| 53 | empty($cxn['perm']['api']) |
| 54 | || !is_array($cxn['perm']['api']) |
| 55 | || empty($cxn['perm']['grant']) |
| 56 | || !(is_array($cxn['perm']['grant']) || is_string($cxn['perm']['grant'])) |
| 57 | ) { |
| 58 | return civicrm_api3_create_error('Connection has no permissions.'); |
| 59 | } |
| 60 | |
| 61 | $whitelist = \Civi\API\WhitelistRule::createAll($cxn['perm']['api']); |
| 62 | \Civi::dispatcher() |
| 63 | ->addSubscriber(new \Civi\API\Subscriber\WhitelistSubscriber($whitelist)); |
| 64 | CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp(); |
| 65 | if ($cxn['perm']['grant'] === '*') { |
| 66 | CRM_Core_Config::singleton()->userPermissionTemp->grant($SUPER_PERM); |
| 67 | } |
| 68 | else { |
| 69 | CRM_Core_Config::singleton()->userPermissionTemp->grant($cxn['perm']['grant']); |
| 70 | } |
| 71 | |
| 72 | $params['check_permissions'] = 'whitelist'; |
| 73 | return civicrm_api($entity, $action, $params); |
| 74 | } |
| 75 | |
| 76 | } |