'error_code' => 401,
'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
];
- Civi::log()->debug( "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
+ Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
[
'IP' => $_SERVER['REMOTE_ADDR'],
'level' => 'security',
echo json_encode($response);
CRM_Utils_System::civiExit();
}
+ if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
+ strtolower(substr($this->urlPath[4], 0, 3)) != 'get' &&
+ strtolower($this->urlPath[4] != 'check')) {
+ $response = [
+ 'error_code' => 400,
+ 'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
+ ];
+ Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
+ [
+ 'IP' => $_SERVER['REMOTE_ADDR'],
+ 'level' => 'security',
+ 'referer' => $_SERVER['HTTP_REFERER'],
+ 'reason' => 'Destructive HTTP GET',
+ ]
+ );
+ CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
+ echo json_encode($response);
+ CRM_Utils_System::civiExit();
+ }
try {
// Call multiple
if (empty($this->urlPath[3])) {
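Review bot: The `check` exemption on the third line of the new condition is mis-parenthesised: `strtolower($this->urlPath[4] != 'check')` lowercases the boolean result of the comparison (giving `"1"` or `""`), so the exemption still works by accident but is case-sensitive, unlike the `get` prefix test beside it, and reads as a typo that the next edit will "fix" in either direction. The same condition also indexes `$this->urlPath[4]` unguarded, and the multi-call branch just below is entered precisely when `urlPath[3]` is empty, so a GET to that path logs a PHP notice before being rejected; `$_SERVER['HTTP_REFERER']` in the log context is likewise absent on direct requests. Suggest `strtolower(substr($this->urlPath[4] ?? '', 0, 3)) != 'get' &&` and `strtolower($this->urlPath[4] ?? '') != 'check') {`, and `'referer' => $_SERVER['HTTP_REFERER'] ?? '',` in the log call (or `isset()` if the codebase still targets PHP 5.x). Worth a short comment above the block noting that the "starts with get" rule is a naming heuristic, so a custom action that writes under a get-prefixed name is not covered by this guard; the enclosing method starts and ends outside the hunk.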
$scope.execute = function() {
$scope.status = 'warning';
$scope.loading = true;
- $http.get(CRM.url('civicrm/ajax/api4/' + $scope.entity + '/' + $scope.action, {
+ $http.post(CRM.url('civicrm/ajax/api4/' + $scope.entity + '/' + $scope.action, {
params: angular.toJson(getParams()),
index: $scope.index
- }), {
+ }), null, {
headers: {
'X-Requested-With': 'XMLHttpRequest'
}
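Review bot: The switch to `$http.post` satisfies the new server-side method check, but `params` and `index` are still appended to the URL by `CRM.url(...)` and the body is `null`, so the (possibly large) JSON of the request continues to travel in the query string, where it is subject to URL-length limits and ends up in access logs and Referer headers. If the handler reads its arguments from `$_REQUEST`/`$_POST` (not visible here), the data can move into the body instead: `$http.post(CRM.url('civicrm/ajax/api4/' + $scope.entity + '/' + $scope.action), CRM.$.param({params: angular.toJson(getParams()), index: $scope.index}), {headers: {'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded'}})`. Whether `CRM.$` is the bundled jQuery in this context should be confirmed against the surrounding file. A one-line comment such as `// POST: the api4 AJAX endpoint rejects non-get actions over GET` next to the call would explain the change to future readers; `$scope.execute` continues past the hunk.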