3 +--------------------------------------------------------------------+
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2020 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
27 namespace Civi\API\Subscriber
;
30 use Civi\API\Event\AuthorizeEvent
;
31 use Civi\API\Event\RespondEvent
;
32 use Symfony\Component\EventDispatcher\EventSubscriberInterface
;
35 * The WhitelistSubscriber listens to API requests and matches them against
36 * a whitelist of allowed API calls. If an API call does NOT appear in the
37 * whitelist, then it generates an error.
40 * @copyright CiviCRM LLC https://civicrm.org/licensing
42 class WhitelistSubscriber
implements EventSubscriberInterface
{
47 public static function getSubscribedEvents() {
49 Events
::AUTHORIZE
=> ['onApiAuthorize', Events
::W_EARLY
],
50 Events
::RESPOND
=> ['onApiRespond', Events
::W_MIDDLE
],
55 * Array(WhitelistRule).
62 * Array (scalar $reqId => WhitelistRule $rule).
66 protected $activeRules;
70 * Array of WhitelistRule.
72 * @throws \CRM_Core_Exception
74 public function __construct($rules) {
76 foreach ($rules as $rule) {
77 /** @var \Civi\API\WhitelistRule $rule */
78 if ($rule->isValid()) {
79 $this->rules
[] = $rule;
82 throw new \
CRM_Core_Exception("Invalid rule");
88 * Determine which, if any, whitelist rules apply this request.
89 * Reject unauthorized requests.
91 * @param \Civi\API\Event\AuthorizeEvent $event
92 * @throws \CRM_Core_Exception
94 public function onApiAuthorize(AuthorizeEvent
$event) {
95 $apiRequest = $event->getApiRequest();
96 if (empty($apiRequest['params']['check_permissions']) ||
$apiRequest['params']['check_permissions'] !== 'whitelist') {
99 foreach ($this->rules
as $rule) {
100 if (TRUE === $rule->matches($apiRequest)) {
101 $this->activeRules
[$apiRequest['id']] = $rule;
105 throw new \
CRM_Core_Exception('The request does not match any active API authorizations.');
109 * Apply any filtering rules based on the chosen whitelist rule.
110 * @param \Civi\API\Event\RespondEvent $event
112 public function onApiRespond(RespondEvent
$event) {
113 $apiRequest = $event->getApiRequest();
114 $id = $apiRequest['id'];
115 if (isset($this->activeRules
[$id])) {
116 $event->setResponse($this->activeRules
[$id]->filter($apiRequest, $event->getResponse()));
117 unset($this->activeRules
[$id]);