4 +--------------------------------------------------------------------+
5 | Copyright CiviCRM LLC. All rights reserved. |
7 | This work is published under the GNU AGPLv3 license with some |
8 | permitted exceptions and without any warranty. For full license |
9 | and copyright information, see https://civicrm.org/licensing |
10 +--------------------------------------------------------------------+
16 * @copyright CiviCRM LLC https://civicrm.org/licensing
18 class CRM_Api4_Page_AJAX
extends CRM_Core_Page
{
21 * Handler for api4 ajax requests
23 public function run() {
24 $config = CRM_Core_Config
::singleton();
25 if (!$config->debug
&& !CRM_Utils_REST
::isWebServiceRequest()) {
28 'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
30 Civi
::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
32 'IP' => $_SERVER['REMOTE_ADDR'],
33 'level' => 'security',
34 'referer' => $_SERVER['HTTP_REFERER'],
35 'reason' => 'CSRF suspected',
38 CRM_Utils_System
::setHttpHeader('Content-Type', 'application/json');
39 echo json_encode($response);
40 CRM_Utils_System
::civiExit();
42 if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
43 strtolower(substr($this->urlPath
[4], 0, 3)) != 'get') {
46 'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
48 Civi
::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
50 'IP' => $_SERVER['REMOTE_ADDR'],
51 'level' => 'security',
52 'referer' => $_SERVER['HTTP_REFERER'],
53 'reason' => 'Destructive HTTP GET',
56 CRM_Utils_System
::setHttpHeader('Content-Type', 'application/json');
57 echo json_encode($response);
58 CRM_Utils_System
::civiExit();
61 // Two call formats. Which one was used? Note: CRM_Api4_Permission::check() and CRM_Api4_Page_AJAX::run() should have matching conditionals.
62 if (empty($this->urlPath
[3])) {
63 // Received multi-call format
64 $calls = CRM_Utils_Request
::retrieve('calls', 'String', CRM_Core_DAO
::$_nullObject, TRUE, NULL, 'POST');
65 $calls = json_decode($calls, TRUE);
67 foreach ($calls as $index => $call) {
68 $response[$index] = call_user_func_array([$this, 'execute'], $call);
72 // Received single-call format
73 $entity = $this->urlPath
[3];
74 $action = $this->urlPath
[4];
75 $params = CRM_Utils_Request
::retrieve('params', 'String');
76 $params = $params ?
json_decode($params, TRUE) : [];
77 $index = CRM_Utils_Request
::retrieve('index', 'String');
78 $response = $this->execute($entity, $action, $params, $index);
81 catch (Exception
$e) {
83 \Civi\API\Exception\UnauthorizedException
::class => 403,
85 http_response_code($statusMap[get_class($e)] ??
500);
87 if (CRM_Core_Permission
::check('view debug output')) {
88 $response['error_code'] = $e->getCode();
89 $response['error_message'] = $e->getMessage();
90 if (!empty($params['debug'])) {
91 if (method_exists($e, 'getUserInfo')) {
92 $response['debug']['info'] = $e->getUserInfo();
94 $cause = method_exists($e, 'getCause') ?
$e->getCause() : $e;
95 if ($cause instanceof \DB_Error
) {
96 $response['debug']['db_error'] = \DB
::errorMessage($cause->getCode());
97 $response['debug']['sql'][] = $cause->getDebugInfo();
99 if (\Civi
::settings()->get('backtrace')) {
100 // Would prefer getTrace() but that causes json_encode to bomb
101 $response['debug']['backtrace'] = $e->getTraceAsString();
106 $error_id = rtrim(chunk_split(CRM_Utils_String
::createRandom(12, CRM_Utils_String
::ALPHANUMERIC
), 4, '-'), '-');
107 $response['error_code'] = '1';
108 $response['error_message'] = ts('Sorry an error occurred and your request was not completed. (Error ID: %1)', [
111 \Civi
::log()->debug('AJAX Error ({error_id}): failed with exception', [
112 'error_id' => $error_id,
117 CRM_Utils_System
::setHttpHeader('Content-Type', 'application/json');
118 echo json_encode($response);
119 CRM_Utils_System
::civiExit();
123 * Run api call & prepare result for json encoding
125 * @param string $entity
126 * @param string $action
127 * @param array $params
128 * @param string $index
131 protected function execute($entity, $action, $params = [], $index = NULL) {
132 $params['checkPermissions'] = TRUE;
134 // Handle numeric indexes later so we can get the count
135 $itemAt = CRM_Utils_Type
::validate($index, 'Integer', FALSE);
137 $result = civicrm_api4($entity, $action, $params, isset($itemAt) ?
NULL : $index);
139 // Convert arrayObject into something more suitable for json
140 $vals = ['values' => isset($itemAt) ?
$result->itemAt($itemAt) : (array) $result];
141 foreach (get_class_vars(get_class($result)) as $key => $val) {
142 $vals[$key] = $result->$key;
144 unset($vals['rowCount']);
145 $vals['count'] = $result->count();
146 $vals['countFetched'] = $result->countFetched();
147 if (in_array('row_count', $params['select'] ??
[])) {
148 // We can only return countMatched (whose value is independent of LIMIT clauses) if row_count was in the select.
149 $vals['countMatched'] = $result->count();