_Overview_: `civicrm/ajax/api4` and `returnJsonResponse()` inspect the
web-request to see if it comes via AJAX/REST. If so, the call is
allowed and formatted as JSON. The patch refines the test.
_Before_: `X-Requested-With:` signals that a call is AJAX/REST.
_After_: `X-Requested-With:` still signals that a call is AJAX/REST.
Additionally, if `authx` is enabled, then some requests will be treated as
AJAX/REST based on how they are authenticated (i.e. `xheader`/`X-Civi-Auth:`
and `param`/`?_authx=` are AJAX/REST).
*/
public function run() {
$config = CRM_Core_Config::singleton();
- if (!$config->debug && (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
- $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
- )
- ) {
+ if (!$config->debug && !CRM_Utils_REST::isWebServiceRequest()) {
$response = [
'error_code' => 401,
'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
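Review bot: The 401 `error_message` in the response array is now inaccurate, since the new condition on the `if` line also accepts authx-authenticated REST calls that are not issued by a JavaScript client; suggest `'error_message' => "SECURITY ALERT: API requests must come from a javascript client (eg. CRM.api4()) or an authenticated REST client.",`. The `X-Requested-With: XMLHttpRequest` test the hunk removes was doing double duty as a CSRF guard, because a cross-origin page cannot attach that header without a CORS preflight. `CRM_Utils_REST::isWebServiceRequest()` is defined outside this hunk, so I cannot confirm it preserves that property; it should return true only for requests carrying an explicit credential (the header, or the `_authx` parameter) and never for a cookie-session request that merely lacks the header, otherwise the check no longer blocks forged cross-site calls. A one-line comment above the condition, `// Rejecting non-AJAX/REST requests is also the CSRF guard for this endpoint; isWebServiceRequest() must not accept ambient (cookie-only) auth.`, would make that requirement explicit for the next maintainer. The `run()` body continues past the end of the hunk.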
$output = json_encode($response);
// CRM-11831 @see http://www.malsup.com/jquery/form/#file-upload
- if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
+ // COMMENT: Wouldn't the `Accept:` header be more appropriate? Only use `X-Requested-With:` as a
+ // fallback where `Accept:` is missing?
+ if (CRM_Utils_REST::isWebServiceRequest()) {
CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
}
else {