/**
 * Table-driven check of CRM_Core_Page_AJAX::checkAuthz().
 *
 * Each row is (type, value, expectedResult[, methodName]). The rows marked
 * TRUE are the only combinations this test expects to be authorized; every
 * other row (extra name segments, punctuation, ";"-separated junk, unknown
 * types) must be rejected.
 */
public function testCheckAuthz() {
  $cases = array(
    // type = 'method'
    array('method', 'CRM_Foo', FALSE, 'method'),
    array('method', 'CRM_Foo_Page_AJAX_Bar', FALSE, 'method'),
    array('method', 'CRM_Contact_Page_AJAX', TRUE, 'getAddressDisplay'),
    array('method', 'CRM_Foo_Page_AJAX', FALSE, 'method('),
    array('method', 'CRM_Foo_Page_AJAX', FALSE, 'method()'),
    array('method', 'othermethod;CRM_Foo_Page_AJAX', FALSE, 'method'),
    array('method', 'CRM_Foo_Page_AJAX;othermethod', FALSE, 'method'),
    array('method', 'CRM_Foo_Page_Inline_Bar', FALSE, ''),
    array('method', 'CRM_Foo_Page_Inline_Bar', FALSE, 'method'),
    array('method', 'CRM_Foo->method', FALSE),
    // type = 'page'
    array('page', 'CRM_Foo', FALSE),
    array('page', 'CRM_Foo_Bar', FALSE),
    array('page', 'CRM_Foo_Page', FALSE),
    array('page', 'CRM_Foo_Page_Bar', FALSE),
    array('page', 'CRM_Foo_Page_Inline', FALSE),
    array('page', 'CRM_Contact_Page_Inline_CommunicationPreferences', TRUE),
    array('page', 'CRM_Foo_Page_Inline_Bar_Bang', FALSE),
    array('page', 'othermethod;CRM_Foo_Page_Inline_Bar', FALSE),
    array('page', 'CRM_Foo_Page_Inline_Bar;othermethod', FALSE),
    array('page', 'CRM_Foo_Form', FALSE),
    array('page', 'CRM_Foo_Form_Bar', FALSE),
    array('page', 'CRM_Foo_Form_Inline', FALSE),
    array('page', 'CRM_Contact_Form_Inline_Email', TRUE),
    array('page', 'CRM_Foo_Form_Inline_Bar_Bang', FALSE),
    array('page', 'othermethod;CRM_Foo_Form_Inline_Bar', FALSE),
    array('page', 'CRM_Foo_Form_Inline_Bar;othermethod', FALSE),
    // 'class' and '' are aliases for 'page'
    array('class', 'CRM_Foo_Bar', FALSE),
    array('class', 'CRM_Contact_Page_Inline_Phone', TRUE),
    array('', 'CRM_Foo_Bar', FALSE),
    array('', 'CRM_Contact_Page_Inline_Demographics', TRUE),
    // unknown type: never authorized, whatever the value looks like
    array('invalidtype', 'CRM_Foo_Page_Inline_Bar', FALSE),
    array('invalidtype', 'CRM_Foo_Page_AJAX::method', FALSE),
  );

  foreach ($cases as $case) {
    $type = $case[0];
    $value = $case[1];
    $expected = $case[2];
    // Rows without a fourth element are page/class checks; pass NULL as the method.
    $method = isset($case[3]) ? $case[3] : NULL;

    $message = sprintf('Check type=[%s] value=[%s]', $type, $value);
    if ($method) {
      $message .= sprintf(' method=[%s]', $method);
    }

    $actual = CRM_Core_Page_AJAX::checkAuthz($type, $value, $method);
    $this->assertEquals($expected, $actual, $message);
  }
}
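/**
 * Dispatch a REST/AJAX API request.
 *
 * Two request shapes are handled:
 *  - a className/fnName invocation (functions defined in AJAX.php exposed via
 *    REST), which is gated by CRM_Core_Page_AJAX::checkAuthz() and then
 *    called directly;
 *  - an entity/action invocation, routed through civicrm_api() with
 *    'check_permissions' forced on.
 *
 * @param array $args
 *   Request path segments; $args[1] is the entity and $args[2] the action.
 *   Passed by reference: indices 1..3 are munged in place so the caller sees
 *   the sanitised values.
 * @param array $params
 *   Request parameters. 'check_permissions' is always set to TRUE here;
 *   callers cannot opt out of permission checks.
 *
 * @return array|int
 *   The API result, or an error structure produced by self::error() or
 *   civicrm_api3_create_error().
 */
public static function process(&$args, $params) {
  $params['check_permissions'] = TRUE;

  // Clean up all function / class names: they should be alphanumeric and _ only.
  for ($i = 1; $i <= 3; $i++) {
    if (!empty($args[$i])) {
      $args[$i] = CRM_Utils_String::munge($args[$i]);
    }
  }

  // In case of AJAX functions, className is passed in the URL.
  if (isset($params['className'])) {
    $params['className'] = CRM_Utils_String::munge($params['className']);
    // A request without fnName used to reach checkAuthz() with NULL (and a
    // notice); reject it explicitly instead.
    $fnName = isset($params['fnName']) ? $params['fnName'] : NULL;
    // Functions that are defined only in AJAX.php can be called via the
    // REST interface. Note that this branch returns before the GET/POST
    // check below, so these invocations are gated by checkAuthz() alone.
    if (!$fnName || !CRM_Core_Page_AJAX::checkAuthz('method', $params['className'], $fnName)) {
      return self::error('Unknown function invocation.');
    }
    return call_user_func(array($params['className'], $fnName), $params);
  }

  if (!array_key_exists('version', $params)) {
    $params['version'] = 3;
  }

  if ($params['version'] == 2) {
    return array(
      'is_error' => 1,
      'error_message' => "FATAL: API v2 not accessible from ajax/REST",
      'deprecated' => "Please upgrade to API v3",
    );
  }

  // GET is only valid for non-destructive actions. The original test applied
  // strtolower() to the boolean ($args[2] != 'check'), which made the "check"
  // exemption case-sensitive; the comparison is now done on the lower-cased
  // action name.
  $action = isset($args[2]) ? $args[2] : '';
  $isGet = isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == 'GET';
  if ($isGet && !self::isReadOnlyAction($action)) {
    require_once 'api/v3/utils.php';
    return civicrm_api3_create_error(
      "SECURITY: All requests that modify the database must be http POST, not GET.",
      array(
        'IP' => $_SERVER['REMOTE_ADDR'],
        'level' => 'security',
        // HTTP_REFERER is optional; avoid a notice when the client sends none.
        'referer' => isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : NULL,
        'reason' => 'Destructive HTTP GET',
      )
    );
  }

  // Trap all fatal errors raised while the API call runs.
  $errorScope = CRM_Core_TemporaryErrorScope::create(array('CRM_Utils_REST', 'fatal'));
  $result = civicrm_api($args[1], $args[2], $params);
  unset($errorScope);

  if ($result === FALSE) {
    return self::error('Unknown error.');
  }
  return $result;
}

/**
 * Whether an API action may be invoked over HTTP GET.
 *
 * Only actions starting with "get" and the "check" action are treated as
 * read-only (case-insensitively); everything else is assumed to modify the
 * database and must arrive via POST.
 *
 * @param string $action
 *
 * @return bool
 */
private static function isReadOnlyAction($action) {
  $action = strtolower((string) $action);
  return substr($action, 0, 3) == 'get' || $action == 'check';
}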