4 +--------------------------------------------------------------------+
5 | Copyright CiviCRM LLC. All rights reserved. |
7 | This work is published under the GNU AGPLv3 license with some |
8 | permitted exceptions and without any warranty. For full license |
9 | and copyright information, see https://civicrm.org/licensing |
10 +--------------------------------------------------------------------+
16 * @copyright CiviCRM LLC https://civicrm.org/licensing
20 class CRM_Api4_Page_AJAX
extends CRM_Core_Page
{
23 * Handler for api4 ajax requests
25 public function run() {
26 $config = CRM_Core_Config
::singleton();
27 if (!$config->debug
&& (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
28 $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
33 'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
35 Civi
::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
37 'IP' => $_SERVER['REMOTE_ADDR'],
38 'level' => 'security',
39 'referer' => $_SERVER['HTTP_REFERER'],
40 'reason' => 'CSRF suspected',
43 CRM_Utils_System
::setHttpHeader('Content-Type', 'application/json');
44 echo json_encode($response);
45 CRM_Utils_System
::civiExit();
47 if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
48 strtolower(substr($this->urlPath
[4], 0, 3)) != 'get') {
51 'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
53 Civi
::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
55 'IP' => $_SERVER['REMOTE_ADDR'],
56 'level' => 'security',
57 'referer' => $_SERVER['HTTP_REFERER'],
58 'reason' => 'Destructive HTTP GET',
61 CRM_Utils_System
::setHttpHeader('Content-Type', 'application/json');
62 echo json_encode($response);
63 CRM_Utils_System
::civiExit();
67 if (empty($this->urlPath
[3])) {
68 $calls = CRM_Utils_Request
::retrieve('calls', 'String', CRM_Core_DAO
::$_nullObject, TRUE, NULL, 'POST', TRUE);
69 $calls = json_decode($calls, TRUE);
71 foreach ($calls as $index => $call) {
72 $response[$index] = call_user_func_array([$this, 'execute'], $call);
77 $entity = $this->urlPath
[3];
78 $action = $this->urlPath
[4];
79 $params = CRM_Utils_Request
::retrieve('params', 'String');
80 $params = $params ?
json_decode($params, TRUE) : [];
81 $index = CRM_Utils_Request
::retrieve('index', 'String');
82 $response = $this->execute($entity, $action, $params, $index);
85 catch (Exception
$e) {
86 http_response_code(500);
88 'error_code' => $e->getCode(),
90 if (CRM_Core_Permission
::check('view debug output')) {
91 $response['error_message'] = $e->getMessage();
92 if (!empty($params['debug']) && \Civi
::settings()->get('backtrace')) {
93 $response['debug']['backtrace'] = $e->getTrace();
97 CRM_Utils_System
::setHttpHeader('Content-Type', 'application/json');
98 echo json_encode($response);
99 CRM_Utils_System
::civiExit();
103 * Run api call & prepare result for json encoding
105 * @param string $entity
106 * @param string $action
107 * @param array $params
108 * @param string $index
111 protected function execute($entity, $action, $params = [], $index = NULL) {
112 $params['checkPermissions'] = TRUE;
114 // Handle numeric indexes later so we can get the count
115 $itemAt = CRM_Utils_Type
::validate($index, 'Integer', FALSE);
117 $result = civicrm_api4($entity, $action, $params, isset($itemAt) ?
NULL : $index);
119 // Convert arrayObject into something more suitable for json
120 $vals = ['values' => isset($itemAt) ?
$result->itemAt($itemAt) : (array) $result];
121 foreach (get_class_vars(get_class($result)) as $key => $val) {
122 $vals[$key] = $result->$key;
124 $vals['count'] = $result->count();