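/**
 * Call
 *
 * Resolves which model class represents an API application, then looks that
 * application up by the value of the request's SHARED-SECRET header. On a
 * match $this->apiApplication holds the model; when no header is sent or
 * nothing matches it is FALSE. The result is also stored on the request as
 * apiApplication. Optionally calls the next downstream middleware.
 */
public function call() {
    /**
     * Finds overridable Application Model (default -> named 'Application' -> annotated 'model ApplicationModel')
     * There can only be one: the annotation wins over the class name, so only the
     * annotated match ends the loop.
     *
     * @var $applicationModelClass \MABI\Model
     */
    $applicationModelClass = '\\MABI\\DefaultApplicationModel';
    $mabi = $this->getApp();
    foreach ($mabi->getModelClasses() as $modelClass) {
        if (ReflectionHelper::stripClassName($modelClass) === 'Application') {
            $applicationModelClass = $modelClass;
        }
        $rClass = new \ReflectionClass($modelClass);
        $modelOptions = ReflectionHelper::getDocDirective($rClass->getDocComment(), 'model');
        if (in_array('ApplicationModel', $modelOptions, TRUE)) {
            $applicationModelClass = $modelClass;
            break;
        }
    }

    // Find the shared secret property (named sharedSecret or annotated 'field SharedSecret').
    // getProperties() already yields ReflectionProperty objects, so no second reflection is needed.
    $rClass = new \ReflectionClass($applicationModelClass);
    $sharedSecretProp = 'sharedSecret';
    foreach ($rClass->getProperties(\ReflectionProperty::IS_PUBLIC) as $modelProp) {
        $propOptions = ReflectionHelper::getDocDirective($modelProp->getDocComment(), 'field');
        if (in_array('SharedSecret', $propOptions, TRUE)) {
            $sharedSecretProp = $modelProp->name;
            break;
        }
    }

    $sharedSecret = $mabi->getRequest()->headers('SHARED-SECRET');
    if ($sharedSecret === NULL || $sharedSecret === '') {
        // No secret presented: fail closed without querying for an empty value
        // (what findByField() does with NULL/'' is not visible here).
        $this->apiApplication = FALSE;
    } else {
        $this->apiApplication = $applicationModelClass::init($mabi);
        if (!$this->apiApplication->findByField($sharedSecretProp, $sharedSecret)) {
            $this->apiApplication = FALSE;
        }
    }
    $mabi->getRequest()->apiApplication = $this->apiApplication;

    if (!empty($this->next)) {
        $this->next->call();
    }
}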
/**
 * Builds the test application with a partially mocked ModelBController
 * (its four rest*TestFunc methods are stubbed) wired in as the first
 * controller loader, followed by generated REST controllers for every
 * other extension model class.
 *
 * @param array $env       environment overrides passed to setUpApp()
 * @param bool  $withCache whether setUpApp() should enable caching
 */
private function setUpRESTApp($env = array(), $withCache = false) {
    $this->setUpApp($env, $withCache);
    $dirControllerLoader = new \MABI\DirectoryControllerLoader('TestApp/TestControllerDir', $this->app, 'mabiTesting');

    $stubbedMethods = array('restGetTestFunc', 'restPostTestFunc', 'restPutTestFunc', 'restDeleteTestFunc');
    $this->controllerMock = $this->getMock('\\mabiTesting\\ModelBController', $stubbedMethods, array($this->app), 'ModelBController');

    // Set up modelClass and base fields in the mock controller; the properties are
    // not public, so each one is written through reflection.
    $modelClass = 'mabiTesting\\ModelB';
    $mock = $this->controllerMock;
    $mockReflection = new \ReflectionObject($mock);
    $setHidden = function ($propertyName, $value) use ($mockReflection, $mock) {
        $property = $mockReflection->getProperty($propertyName);
        $property->setAccessible(TRUE);
        $property->setValue($mock, $value);
    };
    $setHidden('modelClass', $modelClass);
    $setHidden('model', call_user_func($modelClass . '::init', $this->app));
    $setHidden('base', strtolower(\MABI\ReflectionHelper::stripClassName($modelClass)));

    $mockLoader = new \MABI\ControllerLoader();
    $mockLoader->setControllers(array($this->controllerMock));
    $otherModelClasses = array_diff($this->app->getExtensionModelClasses(), array($modelClass));
    $generatedLoader = new \MABI\GeneratedRESTModelControllerLoader($otherModelClasses, $this->app);
    $this->app->setControllerLoaders(array($mockLoader, $generatedLoader));
}
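/**
 * Call
 *
 * Restricts object-level REST routes to the owner of the object: the request
 * must carry a session whose userId equals the model's owner field (the
 * property annotated '@field owner', or 'owner' by default). Collection-level
 * routes are passed through unchecked. Any failed check reports NOT_AUTHORIZED
 * and stops here, so the downstream middleware never runs for a rejected
 * request. Optionally calls the next downstream middleware.
 */
public function call() {
    // Owner access does not apply for Collection level functions
    $callable = $this->getRouteCallable();
    if (empty($callable) || $this->isCollectionCallable($callable[1])) {
        if (!empty($this->next)) {
            $this->next->call();
        }
        return;
    }

    $app = $this->getApp();
    $request = $app->getRequest();

    // A session is required to access these objects
    if (!isset($request->session)) {
        $app->returnError(DefaultAppErrors::$NOT_AUTHORIZED);
        // Fail closed even if returnError() does not terminate the request
        return;
    }

    /**
     * @var $restController \MABI\RESTModelController
     * @var $session \MABI\Identity\Session
     */
    $session = $request->session;
    $restController = $this->getController();
    $rClass = new \ReflectionClass($restController->getModelClass());

    // Allow @field owner override otherwise the default owner field is $owner
    $ownerProperty = 'owner';
    foreach ($rClass->getProperties() as $rProperty) {
        if (in_array('owner', ReflectionHelper::getDocDirective($rProperty->getDocComment(), 'field'), TRUE)) {
            $ownerProperty = $rProperty->getName();
            break;
        }
    }

    $model = $restController->getModel();
    // NOTE(review): loose != is kept because the id types (string vs int/object)
    // are not visible here; tighten to !== once both sides are known to be strings.
    if (empty($session) || empty($model) || empty($session->userId) || empty($model->{$ownerProperty})
        || $session->userId != $model->{$ownerProperty}) {
        // Don't give access to endpoint if the sessions don't match
        $app->returnError(DefaultAppErrors::$NOT_AUTHORIZED);
        return;
    }

    if (!empty($this->next)) {
        $this->next->call();
    }
}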