projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #14840 from MegaphoneJon/core-1130
[civicrm-core.git] / Civi / API / Subscriber / WhitelistSubscriber.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2019 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27 namespace Civi\API\Subscriber;
28
29 use Civi\API\Events;
30 use Civi\API\Event\AuthorizeEvent;
31 use Civi\API\Event\RespondEvent;
32 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
33
34 /**
35 * The WhitelistSubscriber listens to API requests and matches them against
36 * a whitelist of allowed API calls. If an API call does NOT appear in the
37 * whitelist, then it generates an error.
38 *
39 * @package Civi
40 * @copyright CiviCRM LLC (c) 2004-2019
41 */
42 class WhitelistSubscriber implements EventSubscriberInterface {
43
44 /**
45 * @return array
46 */
47 public static function getSubscribedEvents() {
48 return [
49 Events::AUTHORIZE => ['onApiAuthorize', Events::W_EARLY],
50 Events::RESPOND => ['onApiRespond', Events::W_MIDDLE],
51 ];
52 }
53
54 /**
55 * Array(WhitelistRule).
56 *
57 * @var array
58 */
59 protected $rules;
60
61 /**
62 * Array (scalar $reqId => WhitelistRule $rule).
63 *
64 * @var array
65 */
66 protected $activeRules;
67
68 /**
69 * @param array $rules
70 * Array of WhitelistRule.
71 * @see WhitelistRule
72 * @throws \CRM_Core_Exception
73 */
74 public function __construct($rules) {
75 $this->rules = [];
76 foreach ($rules as $rule) {
77 /** @var \Civi\API\WhitelistRule $rule */
78 if ($rule->isValid()) {
79 $this->rules[] = $rule;
80 }
81 else {
82 throw new \CRM_Core_Exception("Invalid rule");
83 }
84 }
85 }
86
87 /**
88 * Determine which, if any, whitelist rules apply this request.
89 * Reject unauthorized requests.
90 *
91 * @param \Civi\API\Event\AuthorizeEvent $event
92 * @throws \CRM_Core_Exception
93 */
94 public function onApiAuthorize(AuthorizeEvent $event) {
95 $apiRequest = $event->getApiRequest();
96 if (empty($apiRequest['params']['check_permissions']) || $apiRequest['params']['check_permissions'] !== 'whitelist') {
97 return;
98 }
99 foreach ($this->rules as $rule) {
100 if (TRUE === $rule->matches($apiRequest)) {
101 $this->activeRules[$apiRequest['id']] = $rule;
102 return;
103 }
104 }
105 throw new \CRM_Core_Exception('The request does not match any active API authorizations.');
106 }
107
108 /**
109 * Apply any filtering rules based on the chosen whitelist rule.
110 * @param \Civi\API\Event\RespondEvent $event
111 */
112 public function onApiRespond(RespondEvent $event) {
113 $apiRequest = $event->getApiRequest();
114 $id = $apiRequest['id'];
115 if (isset($this->activeRules[$id])) {
116 $event->setResponse($this->activeRules[$id]->filter($apiRequest, $event->getResponse()));
117 unset($this->activeRules[$id]);
118 }
119 }
120
121 }