From 12739440a07a4e059d074ae9ab22ddf66a298665 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Fri, 10 Dec 2021 22:12:30 -0800
Subject: [PATCH] (REF) CRM_Utils_REST - Extract method `isWebServiceRequest()`

---
 CRM/Utils/REST.php | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/CRM/Utils/REST.php b/CRM/Utils/REST.php
index 0604758d1a..bf8a0104c0 100644
--- a/CRM/Utils/REST.php
+++ b/CRM/Utils/REST.php
@@ -399,9 +399,7 @@ class CRM_Utils_REST {
     unset($param['q']);
     $smarty->assign_by_ref("request", $param);
 
-    if (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
-      $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
-    ) {
+    if (!self::isWebServiceRequest()) {
 
       $smarty->assign('tplFile', $tpl);
       $config = CRM_Core_Config::singleton();
@@ -434,10 +432,7 @@ class CRM_Utils_REST {
 
     require_once 'api/v3/utils.php';
     $config = CRM_Core_Config::singleton();
-    if (!$config->debug && (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
-        $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
-      )
-    ) {
+    if (!$config->debug && !self::isWebServiceRequest()) {
       $error = civicrm_api3_create_error("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api3().",
         [
           'IP' => $_SERVER['REMOTE_ADDR'],
@@ -499,11 +494,7 @@ class CRM_Utils_REST {
     // restrict calls to this etc
     // the request has to be sent by an ajax call. First line of protection against csrf
     $config = CRM_Core_Config::singleton();
-    if (!$config->debug &&
-      (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
-        $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
-      )
-    ) {
+    if (!$config->debug && !self::isWebServiceRequest()) {
       require_once 'api/v3/utils.php';
       $error = civicrm_api3_create_error("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api3().",
         [
@@ -636,4 +627,15 @@ class CRM_Utils_REST {
     }
   }
 
+  /**
+   * Does this request appear to be a web-service request?
+   *
+   * @return bool
+   *   TRUE if the current request appears to be web-service request (ie AJAX).
+   *   FALSE if the current request appears to be a standalone browser page-view.
+   */
+  protected static function isWebServiceRequest(): bool {
+    return array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
+  }
+
 }
-- 
2.25.1