/**
* Implements RestfulAuthenticationInterface::authenticate().
*/
public function authenticate(array $request = array(), $method = \RestfulInterface::GET) {
if (!drupal_session_started() && !$this->isCli()) {
return;
}
global $user;
$account = user_load($user->uid);
if (!\RestfulBase::isWriteMethod($method) || empty($request['__application']['rest_call'])) {
// Request is done via API not CURL, or not a write operation, so we don't
// need to check for a CSRF token.
return $account;
}
if (empty($request['__application']['csrf_token'])) {
throw new \RestfulBadRequestException('No CSRF token passed in the HTTP header.');
}
if (!drupal_valid_token($request['__application']['csrf_token'], \RestfulBase::TOKEN_VALUE)) {
throw new \RestfulForbiddenException('CSRF token validation failed.');
}
// CSRF validation passed.
return $account;
}
/**
* {@inheritdoc}
*/
public function generateIdentifier($account = NULL)
{
$identifier = $this->resource->getResourceName() . PluginBase::DERIVATIVE_SEPARATOR;
if ($this->getPluginId() == 'global') {
// Don't split the id by resource if the event is global.
$identifier = '';
}
$identifier .= $this->getPluginId() . PluginBase::DERIVATIVE_SEPARATOR;
$identifier .= empty($account->uid) ? ip_address() : $account->uid;
return $identifier;
}
/**
* Constructs a RestfulDataProviderCToolsPlugins object.
*
* @param array $plugin
* Plugin definition.
* @param RestfulAuthenticationManager $auth_manager
* (optional) Injected authentication manager.
* @param DrupalCacheInterface $cache_controller
* (optional) Injected cache backend.
* @param string $language
* (optional) The language to return items in.
*/
public function __construct(array $plugin, \RestfulAuthenticationManager $auth_manager = NULL, \DrupalCacheInterface $cache_controller = NULL, $language = NULL) {
parent::__construct($plugin, $auth_manager, $cache_controller, $language);
// Validate keys exist in the plugin's "data provider options".
$required_keys = array(
'module',
'type',
);
$options = $this->processDataProviderOptions($required_keys);
$this->module = $options['module'];
$this->type = $options['type'];
ctools_include('plugins');
}
/**
* Adds query tags and metadata to the EntityFieldQuery.
*
* @param \EntityFieldQuery $query
* The query to enhance.
*/
protected function addExtraInfoToQuery($query) {
parent::addExtraInfoToQuery($query);
$entity_type = $this->getEntityType();
// The only time you need to add the access tags to a EFQ is when you don't
// have fieldConditions.
if (empty($query->fieldConditions)) {
// Add a generic entity access tag to the query.
$query->addTag($entity_type . '_access');
}
$query->addMetaData('restful_handler', $this);
}
/**
* Move the fields referencing other resources to the _embed key.
*
* Note that for multiple value entityreference
* fields $row[$public_field_name] will be an array of values rather than a
* single value.
*
* @param array $embedded
* Embedded array to be modified.
* @param array $row
* The row being processed.
* @param array $public_field
* The public field configuration array.
* @param string $public_field_name
* The name of the public field.
* @param array $output
* Output array to be modified.
*/
protected function moveReferencesToEmbeds(array &$embedded, array &$row, $public_field, $public_field_name, array &$output) {
$values_metadata = $this->handler->getValueMetadata($row['id'], $public_field_name);
// Wrap the row in an array if it isn't.
if (!is_array($row[$public_field_name])) {
$row[$public_field_name] = array();
}
$rows = RestfulBase::isArrayNumeric($row[$public_field_name]) ? $row[$public_field_name] : array($row[$public_field_name]);
foreach ($rows as $subindex => $subrow) {
$metadata = $values_metadata[$subindex];
// Loop through each value for the field.
foreach ($subrow as $index => $resource_row) {
if (empty($metadata[$index])) {
// No metadata.
continue;
}
// If there is no resource name in the metadata for this particular
// value, assume that we are referring to the first resource in the
// field definition.
$resource_name = NULL;
if (!empty($metadata['resource_name'])) {
// Make sure that the resource in the metadata exists in the list of
// resources available for this particular public field.
foreach ($public_field['resource'] as $resource) {
if ($resource['name'] != $metadata['resource_name']) {
continue;
}
$resource_name = $metadata['resource_name'];
}
}
if (empty($resource_name)) {
$resource = reset($public_field['resource']);
$resource_name = $resource['name'];
}
$curies_resource = $this->withCurie($resource_name);
$prepared_row = $this->prepareRow($subrow, $output);
if ($this->handler->isListRequest()) {
$embedded[$curies_resource][] = $prepared_row;
}
else {
$output['_embedded'][$curies_resource][] = $prepared_row;
}
}
}
// Remove the original reference.
unset($row[$public_field_name]);
}
/**
* {@inheritdoc}
*/
protected function addDefaultValuesToPublicFields(array $public_fields = array()) {
// Set defaults values.
$public_fields = parent::addDefaultValuesToPublicFields($public_fields);
foreach (array_keys($public_fields) as $key) {
$info = &$public_fields[$key];
$info += array(
'column_for_query' => FALSE,
);
}
return $public_fields;
}
/**
* Overrides RestfulBase::access().
*
* Expose resource only to authenticated users.
*/
public function access() {
$account = $this->getAccount();
return (bool) $account->uid && parent::access();
}
/**
* Check access on a property.
*
* @param string $op
* The operation that access should be checked for. Can be "view" or "edit".
* Defaults to "edit".
* @param string $public_field_name
* The name of the public field.
* @param EntityMetadataWrapper $property_wrapper
* The wrapped property.
* @param EntityMetadataWrapper $wrapper
* The wrapped entity.
*
* @return bool
* TRUE if the current user has access to set the property, FALSE otherwise.
*/
protected function checkPropertyAccess($op, $public_field_name, EntityMetadataWrapper $property_wrapper, EntityMetadataWrapper $wrapper) {
if (!$this->checkPropertyAccessByAccessCallbacks($op, $public_field_name, $property_wrapper, $wrapper)) {
// Access callbacks denied access.
return;
}
$account = $this->getAccount();
// Check format access for text fields.
if ($property_wrapper->type() == 'text_formatted' && $property_wrapper->value() && $property_wrapper->format->value()) {
$format = (object) array('format' => $property_wrapper->format->value());
// Only check filter access on write contexts.
if (\RestfulBase::isWriteMethod($this->getMethod()) && !filter_access($format, $account)) {
return FALSE;
}
}
$info = $property_wrapper->info();
if ($op == 'edit' && empty($info['setter callback'])) {
// Property does not allow setting.
return FALSE;
}
$access = $property_wrapper->access($op, $account);
return $access !== FALSE;
}
