projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
NFC - Short array syntax - auto-convert Civi dir
[civicrm-core.git] / Civi / API / Subscriber / WhitelistSubscriber.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2019 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27 namespace Civi\API\Subscriber;
28
29 use Civi\API\Events;
30 use Civi\API\Event\AuthorizeEvent;
31 use Civi\API\Event\RespondEvent;
32 use Civi\API\WhitelistRule;
33 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
34
35 /**
36 * The WhitelistSubscriber listens to API requests and matches them against
37 * a whitelist of allowed API calls. If an API call does NOT appear in the
38 * whitelist, then it generates an error.
39 *
40 * @package Civi
41 * @copyright CiviCRM LLC (c) 2004-2019
42 */
43 class WhitelistSubscriber implements EventSubscriberInterface {
44
45 /**
46 * @return array
47 */
48 public static function getSubscribedEvents() {
49 return [
50 Events::AUTHORIZE => ['onApiAuthorize', Events::W_EARLY],
51 Events::RESPOND => ['onApiRespond', Events::W_MIDDLE],
52 ];
53 }
54
55 /**
56 * Array(WhitelistRule).
57 *
58 * @var array
59 */
60 protected $rules;
61
62 /**
63 * Array (scalar $reqId => WhitelistRule $rule).
64 *
65 * @var array
66 */
67 protected $activeRules;
68
69 /**
70 * @param array $rules
71 * Array of WhitelistRule.
72 * @see WhitelistRule
73 * @throws \CRM_Core_Exception
74 */
75 public function __construct($rules) {
76 $this->rules = [];
77 foreach ($rules as $rule) {
78 /** @var WhitelistRule $rule */
79 if ($rule->isValid()) {
80 $this->rules[] = $rule;
81 }
82 else {
83 throw new \CRM_Core_Exception("Invalid rule");
84 }
85 }
86 }
87
88 /**
89 * Determine which, if any, whitelist rules apply this request.
90 * Reject unauthorized requests.
91 *
92 * @param AuthorizeEvent $event
93 * @throws \CRM_Core_Exception
94 */
95 public function onApiAuthorize(AuthorizeEvent $event) {
96 $apiRequest = $event->getApiRequest();
97 if (empty($apiRequest['params']['check_permissions']) || $apiRequest['params']['check_permissions'] !== 'whitelist') {
98 return;
99 }
100 foreach ($this->rules as $rule) {
101 if (TRUE === $rule->matches($apiRequest)) {
102 $this->activeRules[$apiRequest['id']] = $rule;
103 return;
104 }
105 }
106 throw new \CRM_Core_Exception('The request does not match any active API authorizations.');
107 }
108
109 /**
110 * Apply any filtering rules based on the chosen whitelist rule.
111 * @param RespondEvent $event
112 */
113 public function onApiRespond(RespondEvent $event) {
114 $apiRequest = $event->getApiRequest();
115 $id = $apiRequest['id'];
116 if (isset($this->activeRules[$id])) {
117 $event->setResponse($this->activeRules[$id]->filter($apiRequest, $event->getResponse()));
118 unset($this->activeRules[$id]);
119 }
120 }
121
122 }