/**
 * Authorize API metadata requests.
 *
 * Any request carrying an 'is_metadata' key is authorized and propagation
 * is stopped. NOTE(review): the permission gate that once guarded this path
 * ('access AJAX API' || 'access CiviCRM') is commented out, so metadata
 * requests are authorized without any permission check — confirm this is
 * intended.
 *
 * @param \Civi\API\Event\AuthorizeEvent $event
 *   API authorization event.
 */
public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  $request = $event->getApiRequest();
  if (!isset($request['is_metadata'])) {
    // Not a metadata request; leave it to other subscribers.
    return;
  }
  // if (\CRM_Core_Permission::check('access AJAX API') || \CRM_Core_Permission::check('access CiviCRM')) {
  $event->authorize();
  $event->stopPropagation();
  // }
}
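/**
 * Enforce APIv3 permissions for the request, unless the caller opted out.
 *
 * Requests with version >= 4 are not handled here. For v3 requests the
 * check only runs when params['check_permissions'] is truthy; otherwise the
 * request is authorized immediately and propagation stops.
 *
 * @param \Civi\API\Event\AuthorizeEvent $event
 *   API authorization event.
 *
 * @throws \Civi\API\Exception\UnauthorizedException
 *   When neither the static permission set nor the ACL check grants access.
 */
public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  $apiRequest = $event->getApiRequest();
  if ($apiRequest['version'] >= 4) {
    return;
  }

  // Return early unless we're told explicitly to do the permission check.
  if (empty($apiRequest['params']['check_permissions'])) {
    $event->authorize();
    $event->stopPropagation();
    return;
  }

  require_once 'CRM/Core/DAO/permissions.php';
  $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);

  // $params might've been reset by the alterAPIPermissions() hook (the third
  // argument above is presumably taken by reference — verify). A hook that
  // clears check_permissions switches the check off for this request.
  if (isset($apiRequest['params']['check_permissions']) && !$apiRequest['params']['check_permissions']) {
    $event->authorize();
    $event->stopPropagation();
    return;
  }

  if (!\CRM_Core_Permission::check($permissions) && !self::checkACLPermission($apiRequest)) {
    // Render the requirement as "a and ( b or c )" for the message. array_map
    // replaces the by-reference foreach, which left a dangling reference on
    // the last element.
    if (is_array($permissions)) {
      $permissions = implode(' and ', array_map(function ($permission) {
        return is_array($permission) ? '( ' . implode(' or ', $permission) . ' )' : $permission;
      }, $permissions));
    }
    // FIXME: Generating the exception ourselves allows for detailed error
    // but doesn't play well with multiple authz subscribers.
    throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require {$permissions}");
  }

  $event->authorize();
  $event->stopPropagation();
}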
/**
 * Authorize the request when it matches this subscriber and the caller holds
 * the permission configured for the action.
 *
 * Requests that do not match, or whose permission check fails, are left
 * untouched for other subscribers (neither authorize() nor a throw here).
 *
 * @param \Civi\API\Event\AuthorizeEvent $event
 *   API authorization event.
 */
public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  $apiRequest = $event->getApiRequest();
  if (!$this->matchesRequest($apiRequest)) {
    return;
  }
  // Presumably matchesRequest() guarantees the lowercased action is a key of
  // $this->actions — verify, otherwise this lookup emits a notice.
  $actionKey = strtolower($apiRequest['action']);
  $requiredPerm = $this->actions[$actionKey]['perm'];
  if (\CRM_Core_Permission::check($requiredPerm)) {
    $event->authorize();
    $event->stopPropagation();
  }
}
/**
 * Determine which, if any, whitelist rules apply to this request, and
 * reject unauthorized requests.
 *
 * Only requests that set params['check_permissions'] to exactly 'whitelist'
 * are handled. The first matching rule is recorded in $this->activeRules,
 * keyed by the request id (presumably consumed later by this subscriber).
 * If no rule matches, the request is refused — deny by default.
 *
 * @param AuthorizeEvent $event
 * @throws \CRM_Core_Exception
 *   When no active rule matches the request.
 */
public function onApiAuthorize(AuthorizeEvent $event) {
  $apiRequest = $event->getApiRequest();
  $mode = isset($apiRequest['params']['check_permissions']) ? $apiRequest['params']['check_permissions'] : NULL;
  if ($mode !== 'whitelist') {
    return;
  }
  foreach ($this->rules as $rule) {
    // Strict TRUE: a rule returning a truthy non-boolean does not match.
    if ($rule->matches($apiRequest) === TRUE) {
      $this->activeRules[$apiRequest['id']] = $rule;
      return;
    }
  }
  throw new \CRM_Core_Exception('The request does not match any active API authorizations.');
}
/**
 * Authorize APIv3 requests for this delegated entity.
 *
 * Handles only v3 requests whose entity matches $this->entityName and whose
 * (lowercased) action is listed in $this->actions. The request is resolved
 * to a related entity (via 'id', or 'field_name'/'entity_table') and the
 * decision is delegated to authorizeDelegate(). Note that this method never
 * calls $event->authorize() itself; it either returns after delegating
 * (presumably authorizeDelegate() authorizes or throws — verify) or throws.
 * Also note that $apiRequest is a local copy: the 'entity_table' derived
 * from 'field_name' below is not written back to the event.
 *
 * @param \Civi\API\Event\AuthorizeEvent $event
 *   API authorization event.
 * @throws \API_Exception
 *   When required params are missing or the record cannot be resolved.
 * @throws \Civi\API\Exception\UnauthorizedException
 */
public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  $apiRequest = $event->getApiRequest();
  if ($apiRequest['version'] == 3 && \CRM_Utils_String::convertStringToCamel($apiRequest['entity']) == $this->entityName && in_array(strtolower($apiRequest['action']), $this->actions)) {
    if (isset($apiRequest['params']['field_name'])) {
      // Translate a custom field name into its owning entity_table; the
      // field_name param is consumed here and removed from the local copy.
      $fldIdx = \CRM_Utils_Array::index(array('field_name'), $this->getCustomFields());
      if (empty($fldIdx[$apiRequest['params']['field_name']])) {
        throw new \Exception("Failed to map custom field to entity table");
      }
      $apiRequest['params']['entity_table'] = $fldIdx[$apiRequest['params']['field_name']]['entity_table'];
      unset($apiRequest['params']['field_name']);
    }
    // empty(): an 'id' of 0/'0' counts as missing here, but passes isset() below.
    if (empty($apiRequest['params']['id']) && empty($apiRequest['params']['entity_table'])) {
      throw new \API_Exception("Mandatory key(s) missing from params array: 'id' or 'entity_table'");
    }
    if (isset($apiRequest['params']['id'])) {
      // getDelegate() is expected to return [isValidId, entityTable, entityId].
      list($isValidId, $entityTable, $entityId) = $this->getDelegate($apiRequest['params']['id']);
      if ($isValidId && $entityTable && $entityId) {
        $this->authorizeDelegate($apiRequest['action'], $entityTable, $entityId, $apiRequest);
        $this->preventReassignment($apiRequest['params']['id'], $entityTable, $entityId, $apiRequest);
        return;
      }
      elseif ($isValidId) {
        throw new \API_Exception("Failed to match record to related entity");
      }
      elseif (!$isValidId && strtolower($apiRequest['action']) == 'get') {
        // The matches will be an empty set; doesn't make a difference if we
        // reject or accept.
        // To pass SyntaxConformanceTest, we won't veto "get" on empty-set.
        return;
      }
      // NOTE(review): an invalid id with a non-get action falls through to the
      // entity_table branch below, so such a request is then authorized on
      // entity_table/entity_id alone — confirm this is the intended outcome.
    }
    if (isset($apiRequest['params']['entity_table'])) {
      // entity_id is optional here (NULL when absent).
      $this->authorizeDelegate($apiRequest['action'], $apiRequest['params']['entity_table'], \CRM_Utils_Array::value('entity_id', $apiRequest['params'], NULL), $apiRequest);
      return;
    }
    throw new \API_Exception("Failed to run permission check");
  }
}