projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #24187 from colemanw/removeCiviAuction
[civicrm-core.git] / CRM / Api4 / Page / AJAX.php
1 <?php
2
3 /*
4 +--------------------------------------------------------------------+
5 | Copyright CiviCRM LLC. All rights reserved. |
6 | |
7 | This work is published under the GNU AGPLv3 license with some |
8 | permitted exceptions and without any warranty. For full license |
9 | and copyright information, see https://civicrm.org/licensing |
10 +--------------------------------------------------------------------+
11 */
12
13 /**
14 *
15 * @package CRM
16 * @copyright CiviCRM LLC https://civicrm.org/licensing
17 */
18 class CRM_Api4_Page_AJAX extends CRM_Core_Page {
19
20 /**
21 * Handler for api4 ajax requests
22 */
23 public function run() {
24 $config = CRM_Core_Config::singleton();
25 if (!$config->debug && !CRM_Utils_REST::isWebServiceRequest()) {
26 $response = [
27 'error_code' => 401,
28 'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
29 ];
30 Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
31 [
32 'IP' => $_SERVER['REMOTE_ADDR'],
33 'level' => 'security',
34 'referer' => $_SERVER['HTTP_REFERER'],
35 'reason' => 'CSRF suspected',
36 ]
37 );
38 CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
39 echo json_encode($response);
40 CRM_Utils_System::civiExit();
41 }
42 if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
43 strtolower(substr($this->urlPath[4], 0, 3)) != 'get') {
44 $response = [
45 'error_code' => 400,
46 'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
47 ];
48 Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
49 [
50 'IP' => $_SERVER['REMOTE_ADDR'],
51 'level' => 'security',
52 'referer' => $_SERVER['HTTP_REFERER'],
53 'reason' => 'Destructive HTTP GET',
54 ]
55 );
56 CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
57 echo json_encode($response);
58 CRM_Utils_System::civiExit();
59 }
60 try {
61 // Two call formats. Which one was used? Note: CRM_Api4_Permission::check() and CRM_Api4_Page_AJAX::run() should have matching conditionals.
62 if (empty($this->urlPath[3])) {
63 // Received multi-call format
64 $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
65 $calls = json_decode($calls, TRUE);
66 $response = [];
67 foreach ($calls as $index => $call) {
68 $response[$index] = call_user_func_array([$this, 'execute'], $call);
69 }
70 }
71 else {
72 // Received single-call format
73 $entity = $this->urlPath[3];
74 $action = $this->urlPath[4];
75 $params = CRM_Utils_Request::retrieve('params', 'String');
76 $params = $params ? json_decode($params, TRUE) : [];
77 $index = CRM_Utils_Request::retrieve('index', 'String');
78 $response = $this->execute($entity, $action, $params, $index);
79 }
80 }
81 catch (Exception $e) {
82 $statusMap = [
83 \Civi\API\Exception\UnauthorizedException::class => 403,
84 ];
85 http_response_code($statusMap[get_class($e)] ?? 500);
86 $response = [];
87 if (CRM_Core_Permission::check('view debug output')) {
88 $response['error_code'] = $e->getCode();
89 $response['error_message'] = $e->getMessage();
90 if (!empty($params['debug'])) {
91 if (method_exists($e, 'getUserInfo')) {
92 $response['debug']['info'] = $e->getUserInfo();
93 }
94 $cause = method_exists($e, 'getCause') ? $e->getCause() : $e;
95 if ($cause instanceof \DB_Error) {
96 $response['debug']['db_error'] = \DB::errorMessage($cause->getCode());
97 $response['debug']['sql'][] = $cause->getDebugInfo();
98 }
99 if (\Civi::settings()->get('backtrace')) {
100 // Would prefer getTrace() but that causes json_encode to bomb
101 $response['debug']['backtrace'] = $e->getTraceAsString();
102 }
103 }
104 }
105 else {
106 $error_id = rtrim(chunk_split(CRM_Utils_String::createRandom(12, CRM_Utils_String::ALPHANUMERIC), 4, '-'), '-');
107 $response['error_code'] = '1';
108 $response['error_message'] = ts('Sorry an error occurred and your request was not completed. (Error ID: %1)', [
109 1 => $error_id,
110 ]);
111 \Civi::log()->debug('AJAX Error ({error_id}): failed with exception', [
112 'error_id' => $error_id,
113 'exception' => $e,
114 ]);
115 }
116 }
117 CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
118 echo json_encode($response);
119 CRM_Utils_System::civiExit();
120 }
121
122 /**
123 * Run api call & prepare result for json encoding
124 *
125 * @param string $entity
126 * @param string $action
127 * @param array $params
128 * @param string $index
129 * @return array
130 */
131 protected function execute($entity, $action, $params = [], $index = NULL) {
132 $params['checkPermissions'] = TRUE;
133
134 // Handle numeric indexes later so we can get the count
135 $itemAt = CRM_Utils_Type::validate($index, 'Integer', FALSE);
136
137 $result = civicrm_api4($entity, $action, $params, isset($itemAt) ? NULL : $index);
138
139 // Convert arrayObject into something more suitable for json
140 $vals = ['values' => isset($itemAt) ? $result->itemAt($itemAt) : (array) $result];
141 foreach (get_class_vars(get_class($result)) as $key => $val) {
142 $vals[$key] = $result->$key;
143 }
144 unset($vals['rowCount']);
145 $vals['count'] = $result->count();
146 $vals['countFetched'] = $result->countFetched();
147 if (in_array('row_count', $params['select'] ?? [])) {
148 // We can only return countMatched (whose value is independent of LIMIT clauses) if row_count was in the select.
149 $vals['countMatched'] = $result->count();
150 }
151
152 return $vals;
153 }
154
155 }