Пример #1
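 /**
  * Rejects state-changing browser requests whose referrer is not this site.
  *
  * Only requests that advertise "text/html" in their Accept header are
  * examined, since those are the navigations and form posts a browser makes
  * and that cross-site request forgery relies on. For such a request, any
  * method outside the safe set must carry an HTTP_REFERER header that
  * starts with the application's root URL; otherwise the request is
  * refused before it reaches the handler.
  *
  * @param Request $request     the incoming request
  * @param array   $routeConfig route configuration; not used by this check
  *
  * @throws BadRequestException when the referrer is missing or does not
  *                             point at this application
  */
 public function execute(Request $request, array $routeConfig)
 {
     // only relevant if the request comes from a browser; a missing Accept
     // header is treated like one that does not mention text/html (this
     // also avoids handing null to mb_strpos, deprecated since PHP 8.1)
     $accept = $request->getHeader('Accept');
     if (null === $accept || false === mb_strpos($accept, 'text/html')) {
         return;
     }
     // these methods do not require CSRF protection as they are not
     // supposed to have side effects on the server
     $safeMethods = ['GET', 'HEAD', 'OPTIONS'];
     if (in_array($request->getMethod(), $safeMethods, true)) {
         return;
     }
     $referrer = $request->getHeader('HTTP_REFERER');
     $rootUrl = $request->getUrl()->getRootUrl();
     if (null === $referrer) {
         throw new BadRequestException('HTTP_REFERER header missing');
     }
     // the referrer has to begin with our own root URL
     // NOTE(review): a bare prefix match only pins the origin if getRootUrl()
     // ends with a "/"; without it a host whose name merely starts with ours
     // would also pass -- confirm what getRootUrl() returns
     if (0 !== mb_strpos($referrer, $rootUrl)) {
         throw new BadRequestException('HTTP_REFERER has unexpected value');
     }
 }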
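 /**
  * Handles a DELETE of a single document.
  *
  * The token must belong to the user who owns the path and must carry write
  * scope for the path's module. When an If-Match header is present it is
  * compared with the current document version before anything is removed,
  * so a concurrent change produces a 412 instead of being silently lost.
  *
  * @param Request   $request   the incoming request; its path info names the document
  * @param TokenInfo $tokenInfo the authorization token the request was made with
  *
  * @return Response the storage layer's delete result, with the removed
  *                  document's version as ETag
  *
  * @throws ForbiddenException          when the path belongs to another user or
  *                                     the token lacks write scope for the module
  * @throws PreconditionFailedException when If-Match does not list the current version
  * @throws NotFoundException           when the document does not exist
  */
 public function deleteDocument(Request $request, TokenInfo $tokenInfo)
 {
     $path = new Path($request->getUrl()->getPathInfo());
     if ($path->getUserId() !== $tokenInfo->getUserId()) {
         throw new ForbiddenException('path does not match authorized subject');
     }
     if (!$this->hasWriteScope($tokenInfo->getScope(), $path->getModuleName())) {
         throw new ForbiddenException('path does not match authorized scope');
     }
     // need to get the version before the delete; null when the document
     // does not exist
     $documentVersion = $this->remoteStorage->getVersion($path);
     $ifMatch = $this->stripQuotes($request->getHeader('If-Match'));
     // if document does not exist, and we have If-Match header set we should
     // return a 412 instead of a 404, which is why this check comes first.
     // The comparison is strict: versions are opaque tokens, so a loose
     // in_array must not equate numeric-looking values such as "1" and "01",
     // and a missing version (null) must never satisfy the precondition.
     // NOTE(review): assumes getVersion() yields the version as a string, as
     // its direct use in the ETag header below suggests -- confirm
     if (null !== $ifMatch && !in_array($documentVersion, $ifMatch, true)) {
         throw new PreconditionFailedException('version mismatch');
     }
     if (null === $documentVersion) {
         throw new NotFoundException(sprintf('document "%s" not found', $path->getPath()));
     }
     $deleteResult = $this->remoteStorage->deleteDocument($path, $ifMatch);
     $response = new Response();
     // the ETag reports the version that was just removed
     $response->setHeader('ETag', '"' . $documentVersion . '"');
     $response->setBody($deleteResult);

     return $response;
 }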