3 +--------------------------------------------------------------------+
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2019 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
27 namespace Civi\API\Subscriber
;
30 use Civi\API\Event\AuthorizeEvent
;
31 use Civi\API\Event\RespondEvent
;
32 use Civi\API\WhitelistRule
;
33 use Symfony\Component\EventDispatcher\EventSubscriberInterface
;
36 * The WhitelistSubscriber listens to API requests and matches them against
37 * a whitelist of allowed API calls. If an API call does NOT appear in the
38 * whitelist, then it generates an error.
41 * @copyright CiviCRM LLC (c) 2004-2019
43 class WhitelistSubscriber
implements EventSubscriberInterface
{
48 public static function getSubscribedEvents() {
50 Events
::AUTHORIZE
=> ['onApiAuthorize', Events
::W_EARLY
],
51 Events
::RESPOND
=> ['onApiRespond', Events
::W_MIDDLE
],
56 * Array(WhitelistRule).
63 * Array (scalar $reqId => WhitelistRule $rule).
67 protected $activeRules;
71 * Array of WhitelistRule.
73 * @throws \CRM_Core_Exception
75 public function __construct($rules) {
77 foreach ($rules as $rule) {
78 /** @var WhitelistRule $rule */
79 if ($rule->isValid()) {
80 $this->rules
[] = $rule;
83 throw new \
CRM_Core_Exception("Invalid rule");
89 * Determine which, if any, whitelist rules apply this request.
90 * Reject unauthorized requests.
92 * @param AuthorizeEvent $event
93 * @throws \CRM_Core_Exception
95 public function onApiAuthorize(AuthorizeEvent
$event) {
96 $apiRequest = $event->getApiRequest();
97 if (empty($apiRequest['params']['check_permissions']) ||
$apiRequest['params']['check_permissions'] !== 'whitelist') {
100 foreach ($this->rules
as $rule) {
101 if (TRUE === $rule->matches($apiRequest)) {
102 $this->activeRules
[$apiRequest['id']] = $rule;
106 throw new \
CRM_Core_Exception('The request does not match any active API authorizations.');
110 * Apply any filtering rules based on the chosen whitelist rule.
111 * @param RespondEvent $event
113 public function onApiRespond(RespondEvent
$event) {
114 $apiRequest = $event->getApiRequest();
115 $id = $apiRequest['id'];
116 if (isset($this->activeRules
[$id])) {
117 $event->setResponse($this->activeRules
[$id]->filter($apiRequest, $event->getResponse()));
118 unset($this->activeRules
[$id]);