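/**
 * Dispatch a request from an already-authenticated connection into the API.
 *
 * The checks run in a deliberate order: transport policy (HTTPS) first, then
 * connection lookup and activity, then argument shape, then the connection's
 * permission grant. Process-global permission state is only mutated once every
 * check has passed.
 *
 * @param array $cxn
 *   Connection record. Expected to carry 'cxnId' and
 *   'perm' => array('api' => ..., 'grant' => ...). The caller authenticates
 *   $cxn before this method is invoked; nothing here re-verifies it.
 * @param string $entity
 * @param string $action
 * @param array $params
 * @return mixed
 *   The civicrm_api() result, or a civicrm_api3_create_error() array when a
 *   check fails.
 */
public static function route($cxn, $entity, $action, $params) {
  $SUPER_PERM = array('administer CiviCRM');
  require_once 'api/v3/utils.php';

  // FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
  // NOTE(review): X-Forwarded-Proto is only meaningful when a trusted reverse
  // proxy sets it; here it is a policy hint, not proof of an encrypted hop.
  // The '' default keeps strtolower() from receiving NULL when the header is absent.
  if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL')
    && !CRM_Utils_System::isSSL()
    && strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders(), '')) !== 'https'
  ) {
    return civicrm_api3_create_error('System policy requires HTTPS.');
  }

  // Note: $cxn and cxnId are authenticated before router is called.
  // Check for the key before reading it so a missing 'cxnId' fails cleanly
  // instead of raising an undefined-index notice first.
  if (empty($cxn['cxnId'])) {
    return civicrm_api3_create_error('Failed to lookup connection authorizations.');
  }
  $dao = new CRM_Cxn_DAO_Cxn();
  $dao->cxn_id = $cxn['cxnId'];
  if (!$dao->find(TRUE) || !$dao->cxn_id) {
    return civicrm_api3_create_error('Failed to lookup connection authorizations.');
  }
  if (!$dao->is_active) {
    return civicrm_api3_create_error('Connection is inactive.');
  }
  if (!is_string($entity) || !is_string($action) || !is_array($params)) {
    return civicrm_api3_create_error('API parameters are malformed.');
  }
  // 'api' must be a non-empty list of rules; 'grant' may be a list of
  // permissions or the string '*'.
  if (empty($cxn['perm']['api']) || !is_array($cxn['perm']['api'])
    || empty($cxn['perm']['grant'])
    || !(is_array($cxn['perm']['grant']) || is_string($cxn['perm']['grant']))
  ) {
    return civicrm_api3_create_error('Connection has no permissions.');
  }

  // Restrict which API calls this connection may make, then grant it the
  // CiviCRM permissions in its grant. A grant of '*' expands to $SUPER_PERM,
  // so a '*' connection record is as privileged as an administrator.
  $whitelist = \Civi\API\WhitelistRule::createAll($cxn['perm']['api']);
  \Civi::service('dispatcher')->addSubscriber(new \Civi\API\Subscriber\WhitelistSubscriber($whitelist));
  // Both the subscriber and userPermissionTemp are global state on the
  // dispatcher/config singletons; nothing in this method removes them afterwards.
  $config = CRM_Core_Config::singleton();
  $config->userPermissionTemp = new CRM_Core_Permission_Temp();
  if ($cxn['perm']['grant'] === '*') {
    $config->userPermissionTemp->grant($SUPER_PERM);
  }
  else {
    $config->userPermissionTemp->grant($cxn['perm']['grant']);
  }
  // Presumably the API layer enforces the rules registered above when
  // check_permissions is 'whitelist'; see the WhitelistSubscriber.
  $params['check_permissions'] = 'whitelist';
  return civicrm_api($entity, $action, $params);
}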
/**
 * Run one whitelist scenario through a standalone API kernel.
 *
 * @param array $apiRequest
 *   Array(entity=>$,action=>$,params=>$,expectedResults=>$).
 * @param array $rules
 *   Whitelist - list of allowed API calls/patterns.
 * @param bool $expectSuccess
 *   TRUE if the call should succeed.
 *   Success implies that the 'expectedResults' are returned.
 *   Failure implies that the standard error message is returned.
 * @dataProvider restrictionCases
 */
public function testEach($apiRequest, $rules, $expectSuccess) {
  \CRM_Core_DAO_AllCoreTables::init(TRUE);
  $fixtures = $this->getFixtures();

  // Two fake entity types backed by in-memory records, registered in this order.
  $fakeEntities = array(
    'Widget' => array(
      'dao' => 'CRM_Fake_DAO_Widget',
      'table' => 'fake_widget',
      'fields' => array('id', 'widget_type', 'provider', 'title'),
      'records' => $fixtures['widget'],
    ),
    'Sprocket' => array(
      'dao' => 'CRM_Fake_DAO_Sprocket',
      'table' => 'fake_sprocket',
      'fields' => array('id', 'sprocket_type', 'widget_id', 'provider', 'title', 'comment'),
      'records' => $fixtures['sprocket'],
    ),
  );
  $providers = array();
  foreach ($fakeEntities as $entityName => $spec) {
    \CRM_Core_DAO_AllCoreTables::registerEntityType($entityName, $spec['dao'], $spec['table']);
    $providers[$entityName] = new \Civi\API\Provider\StaticProvider(3, $entityName, $spec['fields'], array(), $spec['records']);
  }

  $dispatcher = new EventDispatcher();
  $kernel = new Kernel($dispatcher);
  $kernel->registerApiProvider($providers['Sprocket']);
  $kernel->registerApiProvider($providers['Widget']);
  $dispatcher->addSubscriber(new WhitelistSubscriber(WhitelistRule::createAll($rules)));
  $dispatcher->addSubscriber(new ChainSubscriber());

  $apiRequest['params']['debug'] = 1;
  $apiRequest['params']['check_permissions'] = 'whitelist';
  $result = $kernel->run($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);

  if (!$expectSuccess) {
    $this->assertAPIFailure($result);
    $this->assertRegExp('/The request does not match any active API authorizations./', $result['error_message']);
    return;
  }
  $this->assertAPISuccess($result);
  $this->assertTrue(is_array($apiRequest['expectedResults']));
  $this->assertTreeEquals($apiRequest['expectedResults'], $result['values']);
}