private function validateAuthenticatedUser(ConduitAPIRequest $request, PhabricatorUser $user)
 {
     // Reject accounts that may not use the API, then bind the user to the
     // request. Returns null on success or an (error code, message) pair.
     $failure = null;
     if ($user->getIsDisabled()) {
         $failure = array('ERR-USER-DISABLED', 'User is disabled.');
     } else if (PhabricatorUserEmail::isEmailVerificationRequired()) {
         // Verification is only enforced when the install requires it.
         $email = $user->loadPrimaryEmail();
         if (!$email) {
             $failure = array('ERR-USER-NOEMAIL', 'User has no primary email address.');
         } else if (!$email->getIsVerified()) {
             $failure = array('ERR-USER-UNVERIFIED', 'User has unverified email address.');
         }
     }
     if ($failure !== null) {
         return $failure;
     }
     $request->setUser($user);
     return null;
 }
 private function validateAuthenticatedUser(ConduitAPIRequest $request, PhabricatorUser $user)
 {
     // Only accounts allowed to establish API sessions may proceed; on
     // success the user is attached to the request and null is returned,
     // otherwise an (error code, message) pair describes the refusal.
     $permitted = $user->canEstablishAPISessions();
     if (!$permitted) {
         $message = pht('User account is not permitted to use the API.');
         return array('ERR-INVALID-AUTH', $message);
     }
     $request->setUser($user);
     return null;
 }
    $method_class = newv($method_class_str, array());
} catch (Exception $e) {
    echo "usage: api.php <user_phid> <method>\n" . "method {$method_class_str} does not exist\n";
    exit(1);
}
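$log = new PhabricatorConduitMethodCallLog();
$log->setMethod($method);

// Method parameters arrive on stdin as a single JSON object. Read without
// error suppression so a failed read is reported instead of being hidden
// behind a generic "bad JSON" message.
$params = file_get_contents('php://stdin');
if ($params === false) {
    echo "unable to read method parameters from stdin\n";
    exit(1);
}
$params = json_decode($params, true);
if (!is_array($params)) {
    echo "provide method parameters on stdin as a JSON blob";
    exit(1);
}

// build a quick ConduitAPIRequest from stdin PLUS the authenticated user
$conduit_request = new ConduitAPIRequest($params);
$conduit_request->setUser($user);

try {
    $result = $method_class->executeMethod($conduit_request);
    $error_code = null;
    $error_info = null;
} catch (ConduitException $ex) {
    $result = null;
    $error_code = $ex->getMessage();
    // Prefer the description carried by the exception; otherwise ask the
    // method handler to describe the error code. The handler instance is
    // $method_class (the object executeMethod() was called on above); the
    // previous $method_handler name was never assigned in this script.
    if ($ex->getErrorDescription()) {
        $error_info = $ex->getErrorDescription();
    } else {
        $error_info = $method_class->getErrorDescription($error_code);
    }
}
$time_end = microtime(true);

$response = id(new ConduitAPIResponse())
    ->setResult($result)
    ->setErrorCode($error_code)
    ->setErrorInfo($error_info);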
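 /**
  * Authenticate the client making the request to a Phabricator user account.
  *
  * Three mechanisms are tried in order: an existing web session on the
  * controller's request, sessionless "certificate" auth via the
  * authUser/authToken/authSignature metadata, and finally a Conduit
  * sessionKey looked up in the session table.
  *
  * @param   ConduitAPIRequest Request being executed.
  * @param   dict              Request metadata.
  * @return  null|pair         Null to indicate successful authentication, or
  *                            an error code and error message pair.
  */
 private function authenticateUser(ConduitAPIRequest $api_request, array $metadata)
 {
     $request = $this->getRequest();
     if ($request->getUser()->getPHID()) {
         // The caller is already logged in through a browser session. A
         // session-authenticated API call must still present a valid CSRF
         // token; without this check any page the user visits could issue
         // Conduit calls on their behalf.
         $request->validateCSRF();
         $api_request->setUser($request->getUser());
         return null;
     }

     // Handle sessionless auth. TODO: This is super messy.
     if (isset($metadata['authUser'])) {
         $user = id(new PhabricatorUser())->loadOneWhere(
             'userName = %s',
             $metadata['authUser']);
         if (!$user) {
             return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
         }

         $token = idx($metadata, 'authToken');
         $signature = idx($metadata, 'authSignature');
         $certificate = $user->getConduitCertificate();

         // NOTE(review): `!==` on the digest is not a constant-time comparison,
         // and nothing here bounds the age of $token or prevents its reuse.
         // A constant-time compare (hash_equals() where available) and a
         // freshness check are worth confirming elsewhere in the flow.
         if (sha1($token . $certificate) !== $signature) {
             return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
         }

         $api_request->setUser($user);
         return null;
     }

     $session_key = idx($metadata, 'sessionKey');
     if (!$session_key) {
         return array('ERR-INVALID-SESSION', 'Session key is not present.');
     }

     $session = queryfx_one(
         id(new PhabricatorUser())->establishConnection('r'),
         'SELECT * FROM %T WHERE sessionKey = %s',
         PhabricatorUser::SESSION_TABLE,
         $session_key);
     if (!$session) {
         return array('ERR-INVALID-SESSION', 'Session key is invalid.');
     }

     // TODO: Make sessions timeout. Until then a leaked session key remains
     // valid indefinitely.
     // TODO: When we pull a session, read connectionID from the session table.
     $user = id(new PhabricatorUser())->loadOneWhere(
         'phid = %s',
         $session['userPHID']);
     if (!$user) {
         return array('ERR-INVALID-SESSION', 'Session is for nonexistent user.');
     }

     $api_request->setUser($user);
     return null;
 }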
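 /**
  * Authenticate the client making the request to a Phabricator user account.
  *
  * Mechanisms are tried in order: an existing web session (CSRF-checked),
  * an OAuth access token when the method's scope permits it, sessionless
  * "certificate" auth via authUser/authToken/authSignature metadata, and
  * finally a Conduit sessionKey looked up in the session table.
  *
  * @param   ConduitAPIRequest Request being executed.
  * @param   dict              Request metadata.
  * @return  null|pair         Null to indicate successful authentication, or
  *                            an error code and error message pair.
  */
 private function authenticateUser(ConduitAPIRequest $api_request, array $metadata)
 {
     $request = $this->getRequest();
     if ($request->getUser()->getPHID()) {
         // Browser-session callers must still present a valid CSRF token.
         $request->validateCSRF();
         $api_request->setUser($request->getUser());
         return null;
     }

     // handle oauth
     // TODO - T897 (make error codes for OAuth more correct to spec)
     // and T891 (strip shield from Conduit response)
     $access_token = $request->getStr('access_token');
     // Use idx() like the other metadata reads: a missing 'scope' key must not
     // raise an undefined-index notice.
     $method_scope = idx($metadata, 'scope');
     if ($access_token && $method_scope != PhabricatorOAuthServerScope::SCOPE_NOT_ACCESSIBLE) {
         $token = id(new PhabricatorOAuthServerAccessToken())->loadOneWhere(
             'token = %s',
             $access_token);
         if (!$token) {
             return array('ERR-INVALID-AUTH', 'Access token does not exist.');
         }

         // Expiry and scope checks are delegated to the OAuth server.
         $oauth_server = new PhabricatorOAuthServer();
         $valid = $oauth_server->validateAccessToken($token, $method_scope);
         if (!$valid) {
             return array('ERR-INVALID-AUTH', 'Access token is invalid.');
         }

         // valid token, so let's log in the user!
         $user_phid = $token->getUserPHID();
         $user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $user_phid);
         if (!$user) {
             return array('ERR-INVALID-AUTH', 'Access token is for invalid user.');
         }

         $api_request->setUser($user);
         return null;
     }

     // Handle sessionless auth. TODO: This is super messy.
     if (isset($metadata['authUser'])) {
         $user = id(new PhabricatorUser())->loadOneWhere(
             'userName = %s',
             $metadata['authUser']);
         if (!$user) {
             return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
         }

         $token = idx($metadata, 'authToken');
         $signature = idx($metadata, 'authSignature');
         $certificate = $user->getConduitCertificate();

         // NOTE(review): `!==` on the digest is not a constant-time comparison,
         // and nothing here bounds the age of $token or prevents its reuse.
         // A constant-time compare (hash_equals() where available) and a
         // freshness check are worth confirming elsewhere in the flow.
         if (sha1($token . $certificate) !== $signature) {
             return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
         }

         $api_request->setUser($user);
         return null;
     }

     $session_key = idx($metadata, 'sessionKey');
     if (!$session_key) {
         return array('ERR-INVALID-SESSION', 'Session key is not present.');
     }

     $session = queryfx_one(
         id(new PhabricatorUser())->establishConnection('r'),
         'SELECT * FROM %T WHERE sessionKey = %s',
         PhabricatorUser::SESSION_TABLE,
         $session_key);
     if (!$session) {
         return array('ERR-INVALID-SESSION', 'Session key is invalid.');
     }

     // TODO: Make sessions timeout. Until then a leaked session key remains
     // valid indefinitely.
     // TODO: When we pull a session, read connectionID from the session table.
     $user = id(new PhabricatorUser())->loadOneWhere(
         'phid = %s',
         $session['userPHID']);
     if (!$user) {
         return array('ERR-INVALID-SESSION', 'Session is for nonexistent user.');
     }

     $api_request->setUser($user);
     return null;
 }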
 private function validateAuthenticatedUser(ConduitAPIRequest $request, PhabricatorUser $user)
 {
     // An account that is not activated is refused with an (error code,
     // message) pair; an activated one is attached to the request and null
     // is returned.
     $activated = $user->isUserActivated();
     if (!$activated) {
         $message = pht('User account is not activated.');
         return array('ERR-USER-DISABLED', $message);
     }
     $request->setUser($user);
     return null;
 }