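 /**
  * Silex "before" middleware for the OAuth2-protected API: verifies the access
  * token, applies the per-client enable flags for the built-in clients and
  * opens (or reuses) the authenticated session for the token's user.
  *
  * Returns null to let the request continue, or a Response that stops it
  * (403 when a built-in client is disabled in configuration).
  *
  * @param Request     $request
  * @param Application $app
  *
  * @return \Symfony\Component\HttpFoundation\Response|null
  *
  * @throws NotFoundHttpException when $app['token'] is not an ApiOauthToken
  */
 public function __invoke(Request $request, Application $app)
 {
     /** @var EventDispatcherInterface $dispatcher */
     $dispatcher = $app['dispatcher'];
     $context = new Context(Context::CONTEXT_OAUTH2_TOKEN);
     $dispatcher->dispatch(PhraseaEvents::PRE_AUTHENTICATE, new PreAuthenticate($request, $context));
     $dispatcher->dispatch(PhraseaEvents::API_OAUTH2_START, new ApiOAuth2StartEvent());

     /** @var \API_OAuth2_Adapter $oauth2 */
     $oauth2 = $app['oauth2-server'];
     if (false === $this->verifyAccessToken($oauth2)) {
         // NOTE(review): returning null lets the request proceed without an
         // authenticated account. That is only safe if verifyAccessToken()
         // throws (or has already produced the error response) for an invalid
         // token rather than merely returning false -- confirm against its body.
         $dispatcher->dispatch(PhraseaEvents::API_OAUTH2_END, new ApiOAuth2EndEvent());
         return null;
     }

     $token = $app['token'];
     if (!$token instanceof ApiOauthToken) {
         throw new NotFoundHttpException('Provided token is not valid.');
     }
     $this->getSession($app)->set('token', $token);

     $oAuth2Account = $token->getAccount();
     $oAuth2App = $oAuth2Account->getApplication();
     $clientId = $oAuth2App->getClientId();

     /** @var PropertyAccess $conf */
     $conf = $app['conf'];
     // Strict comparison: a loose `==` between identifier strings is subject to
     // PHP numeric-string juggling ("1e3" == "1000"), which must never decide
     // whether a client's kill switch applies. Assumes CLIENT_ID and
     // getClientId() are both strings -- confirm, otherwise cast both sides.
     if ($clientId === \API_OAuth2_Application_Navigator::CLIENT_ID && !$conf->get(['registry', 'api-clients', 'navigator-enabled'])) {
         return Result::createError($request, 403, 'The use of Phraseanet Navigator is not allowed')->createResponse();
     }
     if ($clientId === \API_OAuth2_Application_OfficePlugin::CLIENT_ID && !$conf->get(['registry', 'api-clients', 'office-enabled'])) {
         return Result::createError($request, 403, 'The use of Office Plugin is not allowed.')->createResponse();
     }

     $authentication = $this->getAuthenticator($app);
     if ($authentication->isAuthenticated()) {
         // NOTE(review): an already-open session is reused as-is; nothing here
         // checks that it belongs to the token's user ($oAuth2Account->getUser()).
         // Confirm a bearer token cannot end up acting under another session's account.
         $dispatcher->dispatch(PhraseaEvents::API_OAUTH2_END, new ApiOAuth2EndEvent());
         $this->registerClosingAccountCallback($dispatcher, $app);
         return null;
     }

     $authentication->openAccount($oAuth2Account->getUser());
     $oauth2->rememberSession($app['session']);
     $dispatcher->dispatch(PhraseaEvents::API_OAUTH2_END, new ApiOAuth2EndEvent());
     $this->registerClosingAccountCallback($dispatcher, $app);

     return null;
 }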
 /**
  * Silex exception listener: turns any exception into the API's JSON error
  * envelope so clients never receive an HTML error page.
  *
  * The status is derived from the exception class. For any other
  * HttpExceptionInterface only 503 and 406 are passed through (as the
  * API_V1_result constants); every other status, and every non-HTTP
  * exception, collapses to 500. Headers carried by an HttpExceptionInterface
  * (e.g. WWW-Authenticate on a 401) are copied onto the response.
  *
  * NOTE(review): $e->getMessage() is returned to the client for every status,
  * including 500 from arbitrary non-HTTP exceptions, which can disclose
  * internal details (paths, SQL fragments, class names). Consider a generic
  * message for the 500 case.
  *
  * @param GetResponseForExceptionEvent $event
  *
  * @return void
  */
 public function onSilexError(GetResponseForExceptionEvent $event)
 {
     $exception = $event->getException();
     $isHttp = $exception instanceof HttpExceptionInterface;

     if ($exception instanceof MethodNotAllowedHttpException) {
         $status = 405;
     } elseif ($exception instanceof BadRequestHttpException) {
         $status = 400;
     } elseif ($exception instanceof AccessDeniedHttpException) {
         $status = 403;
     } elseif ($exception instanceof UnauthorizedHttpException) {
         $status = 401;
     } elseif ($exception instanceof NotFoundHttpException) {
         $status = 404;
     } elseif ($isHttp && 503 === $exception->getStatusCode()) {
         $status = \API_V1_result::ERROR_MAINTENANCE;
     } elseif ($isHttp && 406 === $exception->getStatusCode()) {
         $status = \API_V1_result::ERROR_UNACCEPTABLE;
     } else {
         // A generic HttpException carrying 400/401/403/404/405 lands here too,
         // so it is reported as 500 rather than its own status.
         $status = 500;
     }

     $extraHeaders = $isHttp ? $exception->getHeaders() : [];

     $response = Result::createError($event->getRequest(), $status, $exception->getMessage())->createResponse();
     $response->headers->set('X-Status-Code', $response->getStatusCode());
     foreach ($extraHeaders as $name => $value) {
         $response->headers->set($name, $value);
     }
     $event->setResponse($response);
 }
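 /**
  * Silex exception listener: turns any exception into the API's JSON error
  * envelope so clients never receive an HTML error page.
  *
  * Status mapping: the well-known Symfony HTTP exception classes map to their
  * status; any other HttpExceptionInterface keeps its status when it is one of
  * 400/401/403/404/405/406/503; everything else becomes 500 and is logged.
  * Headers carried by an HttpExceptionInterface (e.g. WWW-Authenticate on a
  * 401) are copied onto the response.
  *
  * NOTE(review): $e->getMessage() is returned to the client for every status,
  * including 500 from arbitrary non-HTTP exceptions, which can disclose
  * internal details (paths, SQL fragments, class names). Consider a generic
  * message for the 500 case.
  *
  * @param GetResponseForExceptionEvent $event
  *
  * @return void
  */
 public function onSilexError(GetResponseForExceptionEvent $event)
 {
     $headers = [];
     $e = $event->getException();
     if ($e instanceof MethodNotAllowedHttpException) {
         $code = 405;
     } elseif ($e instanceof BadRequestHttpException) {
         $code = 400;
     } elseif ($e instanceof AccessDeniedHttpException) {
         $code = 403;
     } elseif ($e instanceof UnauthorizedHttpException) {
         $code = 401;
     } elseif ($e instanceof NotFoundHttpException) {
         $code = 404;
     } elseif ($e instanceof HttpExceptionInterface) {
         // Strict membership test: the status is an int and must only match
         // an int in the allow-list, never via loose comparison.
         if (in_array($e->getStatusCode(), [400, 401, 403, 404, 405, 406, 503], true)) {
             $code = $e->getStatusCode();
         } else {
             $code = 500;
         }
     } else {
         $code = 500;
     }
     if (500 === $code) {
         // Keep the details server-side. The trace is logged as a string:
         // getTrace() includes every frame's arguments, which can write
         // credentials, tokens or request payloads into the log.
         $this->logger->error($e->getMessage(), ['code' => $e->getCode(), 'trace' => $e->getTraceAsString()]);
     }
     if ($e instanceof HttpExceptionInterface) {
         $headers = $e->getHeaders();
     }
     $response = Result::createError($event->getRequest(), $code, $e->getMessage())->createResponse();
     $response->headers->set('X-Status-Code', $response->getStatusCode());
     foreach ($headers as $key => $value) {
         $response->headers->set($key, $value);
     }
     $event->setResponse($response);
 }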
 /**
  * createError() must map each HTTP status to its API error constant and
  * canonical message while carrying the caller-supplied detail through
  * unchanged.
  */
 public function testCreateError()
 {
     $detail = 'detaillage';
     $cases = [
         [400, Result::ERROR_BAD_REQUEST, 'Parameter is invalid or missing'],
         [401, Result::ERROR_UNAUTHORIZED, 'The OAuth token was provided but was invalid.'],
         [403, Result::ERROR_FORBIDDEN, 'Access to the requested resource is forbidden'],
         [404, Result::ERROR_NOTFOUND, 'Requested resource is not found'],
         [405, Result::ERROR_METHODNOTALLOWED, 'Attempting to use POST with a GET-only endpoint, or vice-versa'],
         [500, Result::ERROR_INTERNALSERVERERROR, 'Internal Server Error'],
     ];

     foreach ($cases as list($status, $errorType, $message)) {
         $apiResult = Result::createError(new Request(), $status, $detail);
         $this->assertErrorMessage($apiResult, $status, $errorType, $message, $detail);
     }
 }
 /**
  * Route guard for moving a record: returns an error response when the API
  * user lacks the required rights, or null to let the route run.
  *
  * With PHP's `&&`-over-`||` precedence made explicit, access is denied when
  * the user has neither 'addrecord' nor 'deleterecord', OR lacks
  * 'candeleterecord' on the record's base.
  *
  * NOTE(review): the denial is reported as 401, which this API documents as
  * "The OAuth token was provided but was invalid" (see testCreateError); an
  * authenticated user without rights is the 403 case. Whether the rights
  * combination above is the intended rule should also be confirmed.
  *
  * @param Request     $request
  * @param Application $app
  *
  * @return \Symfony\Component\HttpFoundation\Response|null
  */
 public function ensureCanMoveRecord(Request $request, Application $app)
 {
     $user = $app['session']->get('token')->getAccount()->getUser();
     // ACL resolved once; assumes $app['acl']->get() is idempotent for a user.
     $acl = $app['acl']->get($user);

     $databox = $app['phraseanet.appbox']->get_databox($request->attributes->get('databox_id'));
     $record = $databox->get_record($request->attributes->get('record_id'));

     if (!($acl->has_right('addrecord') || $acl->has_right('deleterecord'))
         || !$acl->has_right_on_base($record->get_base_id(), 'candeleterecord')) {
         return Result::createError($request, 401, 'You are not authorized')->createResponse();
     }

     return null;
 }
 /**
  * Route guard for moving a record: returns an error response when the API
  * user lacks the required rights, or null to let the route run.
  *
  * With PHP's `&&`-over-`||` precedence made explicit, access is denied when
  * the user has neither 'addrecord' nor 'deleterecord', OR lacks
  * 'candeleterecord' on the record's base. The original carries a TODO
  * questioning whether that is the intended rule; it is preserved as-is.
  *
  * NOTE(review): the denial is reported as 401, which this API documents as
  * "The OAuth token was provided but was invalid" (see testCreateError); an
  * authenticated user without rights is the 403 case.
  *
  * @param Request $request
  *
  * @return \Symfony\Component\HttpFoundation\Response|null
  */
 public function ensureCanMoveRecord(Request $request)
 {
     $user = $this->getApiAuthenticatedUser();
     // ACL resolved once; assumes getAclForUser() is idempotent for a user.
     $acl = $this->getAclForUser($user);

     $databox = $this->findDataboxById($request->attributes->get('databox_id'));
     $record = $databox->get_record($request->attributes->get('record_id'));

     // TODO: Check comparison. seems to be a mismatch
     if (!($acl->has_right('addrecord') || $acl->has_right('deleterecord'))
         || !$acl->has_right_on_base($record->getBaseId(), 'candeleterecord')) {
         return Result::createError($request, 401, 'You are not authorized')->createResponse();
     }

     return null;
 }