CRM/Api4/Page/AJAX.php

   1 <?php
   2
   3 /*
   4  +--------------------------------------------------------------------+
   5  | Copyright CiviCRM LLC. All rights reserved.                        |
   6  |                                                                    |
   7  | This work is published under the GNU AGPLv3 license with some      |
   8  | permitted exceptions and without any warranty. For full license    |
   9  | and copyright information, see https://civicrm.org/licensing       |
  10  +--------------------------------------------------------------------+
  11  */
  12
  13 /**
  14  *
  15  * @package CRM
  16  * @copyright CiviCRM LLC https://civicrm.org/licensing
  17  * $Id$
  18  *
  19  */
  20 class CRM_Api4_Page_AJAX extends CRM_Core_Page {
  21
  22   /**
  23    * Handler for api4 ajax requests
  24    */
  25   public function run() {
  26     $config = CRM_Core_Config::singleton();
  27     if (!$config->debug && (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
  28         $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
  29       )
  30     ) {
  31       $response = [
  32         'error_code' => 401,
  33         'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
  34       ];
  35       Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
  36         [
  37           'IP' => $_SERVER['REMOTE_ADDR'],
  38           'level' => 'security',
  39           'referer' => $_SERVER['HTTP_REFERER'],
  40           'reason' => 'CSRF suspected',
  41         ]
  42       );
  43       CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
  44       echo json_encode($response);
  45       CRM_Utils_System::civiExit();
  46     }
  47     if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
  48       strtolower(substr($this->urlPath[4], 0, 3)) != 'get') {
  49       $response = [
  50         'error_code' => 400,
  51         'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
  52       ];
  53       Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
  54         [
  55           'IP' => $_SERVER['REMOTE_ADDR'],
  56           'level' => 'security',
  57           'referer' => $_SERVER['HTTP_REFERER'],
  58           'reason' => 'Destructive HTTP GET',
  59         ]
  60       );
  61       CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
  62       echo json_encode($response);
  63       CRM_Utils_System::civiExit();
  64     }
  65     try {
  66       // Call multiple
  67       if (empty($this->urlPath[3])) {
  68         $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST', TRUE);
  69         $calls = json_decode($calls, TRUE);
  70         $response = [];
  71         foreach ($calls as $index => $call) {
  72           $response[$index] = call_user_func_array([$this, 'execute'], $call);
  73         }
  74       }
  75       // Call single
  76       else {
  77         $entity = $this->urlPath[3];
  78         $action = $this->urlPath[4];
  79         $params = CRM_Utils_Request::retrieve('params', 'String');
  80         $params = $params ? json_decode($params, TRUE) : [];
  81         $index = CRM_Utils_Request::retrieve('index', 'String');
  82         $response = $this->execute($entity, $action, $params, $index);
  83       }
  84     }
  85     catch (Exception $e) {
  86       http_response_code(500);
  87       $response = [
  88         'error_code' => $e->getCode(),
  89       ];
  90       if (CRM_Core_Permission::check('view debug output')) {
  91         $response['error_message'] = $e->getMessage();
  92         if (!empty($params['debug']) && \Civi::settings()->get('backtrace')) {
  93           $response['debug']['backtrace'] = $e->getTrace();
  94         }
  95       }
  96     }
  97     CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
  98     echo json_encode($response);
  99     CRM_Utils_System::civiExit();
 100   }
 101
 102   /**
 103    * Run api call & prepare result for json encoding
 104    *
 105    * @param string $entity
 106    * @param string $action
 107    * @param array $params
 108    * @param string $index
 109    * @return array
 110    */
 111   protected function execute($entity, $action, $params = [], $index = NULL) {
 112     $params['checkPermissions'] = TRUE;
 113
 114     // Handle numeric indexes later so we can get the count
 115     $itemAt = CRM_Utils_Type::validate($index, 'Integer', FALSE);
 116
 117     $result = civicrm_api4($entity, $action, $params, isset($itemAt) ? NULL : $index);
 118
 119     // Convert arrayObject into something more suitable for json
 120     $vals = ['values' => isset($itemAt) ? $result->itemAt($itemAt) : (array) $result];
 121     foreach (get_class_vars(get_class($result)) as $key => $val) {
 122       $vals[$key] = $result->$key;
 123     }
 124     $vals['count'] = $result->count();
 125     return $vals;
 126   }
 127
 128 }