/** * Implements RestfulAuthenticationInterface::authenticate(). */ public function authenticate(array $request = array(), $method = \RestfulInterface::GET) { if (!drupal_session_started() && !$this->isCli()) { return; } global $user; $account = user_load($user->uid); if (!\RestfulBase::isWriteMethod($method) || empty($request['__application']['rest_call'])) { // Request is done via API not CURL, or not a write operation, so we don't // need to check for a CSRF token. return $account; } if (empty($request['__application']['csrf_token'])) { throw new \RestfulBadRequestException('No CSRF token passed in the HTTP header.'); } if (!drupal_valid_token($request['__application']['csrf_token'], \RestfulBase::TOKEN_VALUE)) { throw new \RestfulForbiddenException('CSRF token validation failed.'); } // CSRF validation passed. return $account; }
/** * {@inheritdoc} */ public function generateIdentifier($account = NULL) { $identifier = $this->resource->getResourceName() . PluginBase::DERIVATIVE_SEPARATOR; if ($this->getPluginId() == 'global') { // Don't split the id by resource if the event is global. $identifier = ''; } $identifier .= $this->getPluginId() . PluginBase::DERIVATIVE_SEPARATOR; $identifier .= empty($account->uid) ? ip_address() : $account->uid; return $identifier; }
/** * Constructs a RestfulDataProviderCToolsPlugins object. * * @param array $plugin * Plugin definition. * @param RestfulAuthenticationManager $auth_manager * (optional) Injected authentication manager. * @param DrupalCacheInterface $cache_controller * (optional) Injected cache backend. * @param string $language * (optional) The language to return items in. */ public function __construct(array $plugin, \RestfulAuthenticationManager $auth_manager = NULL, \DrupalCacheInterface $cache_controller = NULL, $language = NULL) { parent::__construct($plugin, $auth_manager, $cache_controller, $language); // Validate keys exist in the plugin's "data provider options". $required_keys = array( 'module', 'type', ); $options = $this->processDataProviderOptions($required_keys); $this->module = $options['module']; $this->type = $options['type']; ctools_include('plugins'); }
/** * Adds query tags and metadata to the EntityFieldQuery. * * @param \EntityFieldQuery $query * The query to enhance. */ protected function addExtraInfoToQuery($query) { parent::addExtraInfoToQuery($query); $entity_type = $this->getEntityType(); // The only time you need to add the access tags to a EFQ is when you don't // have fieldConditions. if (empty($query->fieldConditions)) { // Add a generic entity access tag to the query. $query->addTag($entity_type . '_access'); } $query->addMetaData('restful_handler', $this); }
/** * Move the fields referencing other resources to the _embed key. * * Note that for multiple value entityreference * fields $row[$public_field_name] will be an array of values rather than a * single value. * * @param array $embedded * Embedded array to be modified. * @param array $row * The row being processed. * @param array $public_field * The public field configuration array. * @param string $public_field_name * The name of the public field. * @param array $output * Output array to be modified. */ protected function moveReferencesToEmbeds(array &$embedded, array &$row, $public_field, $public_field_name, array &$output) { $values_metadata = $this->handler->getValueMetadata($row['id'], $public_field_name); // Wrap the row in an array if it isn't. if (!is_array($row[$public_field_name])) { $row[$public_field_name] = array(); } $rows = RestfulBase::isArrayNumeric($row[$public_field_name]) ? $row[$public_field_name] : array($row[$public_field_name]); foreach ($rows as $subindex => $subrow) { $metadata = $values_metadata[$subindex]; // Loop through each value for the field. foreach ($subrow as $index => $resource_row) { if (empty($metadata[$index])) { // No metadata. continue; } // If there is no resource name in the metadata for this particular // value, assume that we are referring to the first resource in the // field definition. $resource_name = NULL; if (!empty($metadata['resource_name'])) { // Make sure that the resource in the metadata exists in the list of // resources available for this particular public field. foreach ($public_field['resource'] as $resource) { if ($resource['name'] != $metadata['resource_name']) { continue; } $resource_name = $metadata['resource_name']; } } if (empty($resource_name)) { $resource = reset($public_field['resource']); $resource_name = $resource['name']; } $curies_resource = $this->withCurie($resource_name); $prepared_row = $this->prepareRow($subrow, $output); if ($this->handler->isListRequest()) { $embedded[$curies_resource][] = $prepared_row; } else { $output['_embedded'][$curies_resource][] = $prepared_row; } } } // Remove the original reference. unset($row[$public_field_name]); }
/** * {@inheritdoc} */ protected function addDefaultValuesToPublicFields(array $public_fields = array()) { // Set defaults values. $public_fields = parent::addDefaultValuesToPublicFields($public_fields); foreach (array_keys($public_fields) as $key) { $info = &$public_fields[$key]; $info += array( 'column_for_query' => FALSE, ); } return $public_fields; }
/** * Overrides RestfulBase::access(). * * Expose resource only to authenticated users. */ public function access() { $account = $this->getAccount(); return (bool) $account->uid && parent::access(); }
/** * Check access on a property. * * @param string $op * The operation that access should be checked for. Can be "view" or "edit". * Defaults to "edit". * @param string $public_field_name * The name of the public field. * @param EntityMetadataWrapper $property_wrapper * The wrapped property. * @param EntityMetadataWrapper $wrapper * The wrapped entity. * * @return bool * TRUE if the current user has access to set the property, FALSE otherwise. */ protected function checkPropertyAccess($op, $public_field_name, EntityMetadataWrapper $property_wrapper, EntityMetadataWrapper $wrapper) { if (!$this->checkPropertyAccessByAccessCallbacks($op, $public_field_name, $property_wrapper, $wrapper)) { // Access callbacks denied access. return; } $account = $this->getAccount(); // Check format access for text fields. if ($property_wrapper->type() == 'text_formatted' && $property_wrapper->value() && $property_wrapper->format->value()) { $format = (object) array('format' => $property_wrapper->format->value()); // Only check filter access on write contexts. if (\RestfulBase::isWriteMethod($this->getMethod()) && !filter_access($format, $account)) { return FALSE; } } $info = $property_wrapper->info(); if ($op == 'edit' && empty($info['setter callback'])) { // Property does not allow setting. return FALSE; } $access = $property_wrapper->access($op, $account); return $access !== FALSE; }