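/**
 * Checks whether the current operation is allowed by the webservice configuration
 * and whether the caller is authorized to execute it.
 *
 * Checks run in this order; the first failing one returns early:
 *   1. The webservice must be published. This check is skipped entirely when
 *      $this->webserviceName is empty.
 *   2. The operation must exist under the configuration's "operations" node; for
 *      operation "task" the task named in $this->options must exist as well.
 *      A missing entry sets HTTP 405 (via createCustomHttpError) and returns false.
 *   3. An "authorizationNeeded" attribute equal to "false" (compared
 *      case-insensitively) on the operation node, the task node, or the
 *      read "item"/"list" node clears $terminateIfNotAuthorized. When it is
 *      cleared, the method returns true even if isAuthorized() fails — the flag
 *      bypasses authorization for that operation completely.
 *   4. With $this->authorizationCheck === 'oauth2', isAuthorized() receives the
 *      scopes "<client>.<webservice>.<operation>[.<task>]" and "<client>.<operation>";
 *      the configured "authorization" attribute is NOT consulted in this mode.
 *      With 'joomla', isAuthorized() runs first with no scope; afterwards the
 *      comma-separated "authorization" attribute ("action[:asset]" pairs) is
 *      checked against JFactory::getUser(), and any matching pair grants access.
 *      Any other authorizationCheck value returns false (fail closed).
 *
 * @return bool True when the operation may proceed, false otherwise. Every
 *              return statement yields a boolean; the method is not chainable.
 *
 * @throws Exception When the webservice is configured but not published.
 */
public function isOperationAllowed()
{
    // Check if webservice is published (only enforced when a webservice name is set)
    if (!RApiHalHelper::isPublishedWebservice($this->client, $this->webserviceName, $this->webserviceVersion)
        && !empty($this->webserviceName))
    {
        throw new Exception(JText::sprintf('LIB_REDCORE_API_HAL_WEBSERVICE_IS_UNPUBLISHED', $this->webserviceName));
    }

    // Check for allowed operations
    $allowedOperations = $this->getConfig('operations');

    if (!isset($allowedOperations->{$this->operation}))
    {
        // NOTE(review): 405 is used both for "operation not configured" and, further
        // down, for a failed group authorization; clients may depend on this code,
        // so it is deliberately left unchanged.
        $customError = $this->triggerFunction('createCustomHttpError', 405, $this->apiErrors);
        $this->setStatusCode(405, $customError);

        return false;
    }

    $scope = $this->operation;
    $authorizationGroups = !empty($allowedOperations->{$this->operation}['authorization']) ?
        (string) $allowedOperations->{$this->operation}['authorization'] : '';

    // Default: a failed authorization terminates the request. Only an explicit
    // authorizationNeeded="false" in the configuration relaxes this.
    $terminateIfNotAuthorized = true;

    if ($this->operation === 'task')
    {
        $task = $this->options->get('task', '');
        $scope .= '.' . $task;

        if (!isset($allowedOperations->task->{$task}))
        {
            $customError = $this->triggerFunction('createCustomHttpError', 405, $this->apiErrors);
            $this->setStatusCode(405, $customError);

            return false;
        }

        // Task-level "authorization" overrides the operation-level value
        $authorizationGroups = !empty($allowedOperations->task->{$task}['authorization']) ?
            (string) $allowedOperations->task->{$task}['authorization'] : '';

        if (isset($allowedOperations->task->{$task}['authorizationNeeded'])
            && strtolower($allowedOperations->task->{$task}['authorizationNeeded']) === 'false')
        {
            $terminateIfNotAuthorized = false;
        }
    }
    elseif ($this->operation === 'read')
    {
        // Disable authorization on operation read level
        if (isset($allowedOperations->{$this->operation}['authorizationNeeded'])
            && strtolower($allowedOperations->{$this->operation}['authorizationNeeded']) === 'false')
        {
            $terminateIfNotAuthorized = false;
        }
        else
        {
            // Otherwise the flag may be set separately for read "item" and read "list";
            // apiFillPrimaryKeys() decides which of the two this request is.
            $primaryKeys = array();
            $isReadItem = $this->apiFillPrimaryKeys($primaryKeys);
            $readType = $isReadItem ? 'item' : 'list';

            if (isset($allowedOperations->read->{$readType}['authorizationNeeded'])
                && strtolower($allowedOperations->read->{$readType}['authorizationNeeded']) === 'false')
            {
                $terminateIfNotAuthorized = false;
            }
        }
    }
    elseif (isset($allowedOperations->{$this->operation}['authorizationNeeded'])
        && strtolower($allowedOperations->{$this->operation}['authorizationNeeded']) === 'false')
    {
        $terminateIfNotAuthorized = false;
    }

    // Does user have permission
    // OAuth2 check
    if ($this->authorizationCheck === 'oauth2')
    {
        // Use scopes to authorize: the webservice-specific scope ...
        $scope = array($this->client . '.' . $this->webserviceName . '.' . $scope);

        // ... and the global scope for this operation. Both are handed to
        // isAuthorized(); how it combines them is decided there, not here.
        $scope[] = $this->client . '.' . $this->operation;

        // When authorization is not required for this operation the result is true
        // regardless of the scope check.
        return $this->isAuthorized($scope, $terminateIfNotAuthorized) || !$terminateIfNotAuthorized;
    }
    elseif ($this->authorizationCheck === 'joomla')
    {
        // Joomla mode does not use OAuth2 scopes, so none is passed.
        $isAuthorized = $this->isAuthorized(null, $terminateIfNotAuthorized);

        // Use Joomla to authorize: the configured "action[:asset]" pairs are only
        // evaluated when the basic check passed and authorization is mandatory.
        if ($isAuthorized && $terminateIfNotAuthorized && !empty($authorizationGroups))
        {
            $authorizationGroups = explode(',', $authorizationGroups);
            $authorized = false;
            $configAssetName = !empty($this->configuration->config->authorizationAssetName) ?
                (string) $this->configuration->config->authorizationAssetName : null;

            foreach ($authorizationGroups as $authorizationGroup)
            {
                $authorization = explode(':', trim($authorizationGroup));
                $action = $authorization[0];

                // Pair without an asset falls back to the configuration-wide asset name
                $assetName = !empty($authorization[1]) ? $authorization[1] : $configAssetName;

                // $assetName is null when neither the pair nor the configuration names an
                // asset; trim(null) is deprecated since PHP 8.1 and yields '' anyway, so the
                // (string) cast keeps the value passed to authorise() unchanged.
                // NOTE(review): this relies on JFactory::getUser() being the API-authenticated
                // user (presumably established by isAuthorized()) — confirm against that method.
                if (JFactory::getUser()->authorise(trim($action), trim((string) $assetName)))
                {
                    // Any single matching pair is sufficient
                    $authorized = true;
                    break;
                }
            }

            if (!$authorized)
            {
                $customError = $this->triggerFunction('createCustomHttpError', 405, $this->apiErrors);
                $this->setStatusCode(405, $customError);

                return false;
            }
        }

        return $isAuthorized || !$terminateIfNotAuthorized;
    }

    // Unknown authorization mechanism: deny rather than fall through open
    return false;
}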