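/**
 * Browser-only CSRF guard: for any HTTP method that may have side effects
 * the Referer header must be present and point back at this application's
 * own root URL.
 *
 * @param Request $request     the incoming request
 * @param array   $routeConfig unused here; part of the hook signature
 *
 * @throws BadRequestException when the Referer is missing or belongs to
 *                             another origin
 */
public function execute(Request $request, array $routeConfig)
{
    // only relevant if the request comes from a browser, i.e. when the
    // client asks for text/html. NOTE(review): a cross-site fetch()/XHR
    // sends "Accept: */*" and would skip this guard entirely; that is only
    // safe if such requests cannot carry an ambient credential (cookie) —
    // confirm against the session/cookie configuration.
    $accept = $request->getHeader('Accept');
    if (null === $accept || false === mb_strpos($accept, 'text/html')) {
        return;
    }

    // these methods do not require CSRF protection as they are not
    // supposed to have side effects on the server
    $safeMethods = ['GET', 'HEAD', 'OPTIONS'];
    if (in_array($request->getMethod(), $safeMethods, true)) {
        return;
    }

    $referrer = $request->getHeader('HTTP_REFERER');
    if (null === $referrer) {
        throw new BadRequestException('HTTP_REFERER header missing');
    }

    // The referrer must be exactly the root URL or lie below it. A plain
    // prefix comparison is not sufficient: with a root URL of
    // "https://app.example" a referrer of "https://app.example.attacker.net/"
    // would also start with the root URL. Requiring a "/" boundary right
    // after the root URL closes that hole regardless of whether
    // getRootUrl() returns a trailing slash.
    $rootUrl = rtrim($request->getUrl()->getRootUrl(), '/');
    if ($referrer !== $rootUrl && 0 !== mb_strpos($referrer, $rootUrl . '/')) {
        throw new BadRequestException('HTTP_REFERER has unexpected value');
    }
}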
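/**
 * Delete the document addressed by the request path on behalf of the
 * authorized subject.
 *
 * Authorization is checked first (the path's user must be the token's
 * subject and the token must carry write scope for the module), then the
 * conditional request (If-Match) is evaluated against the current version
 * before the delete is performed.
 *
 * @param Request   $request   the incoming request; its path info is parsed as a storage Path
 * @param TokenInfo $tokenInfo the validated bearer token (subject and scope)
 *
 * @return Response the storage backend's delete result, with the pre-delete
 *                  version as ETag
 *
 * @throws ForbiddenException          when the path does not belong to the subject or the scope
 * @throws PreconditionFailedException when If-Match is present but does not contain the current version
 * @throws NotFoundException           when the document does not exist (and no If-Match was given)
 */
public function deleteDocument(Request $request, TokenInfo $tokenInfo)
{
    $path = new Path($request->getUrl()->getPathInfo());

    // the user in the path must be the token's subject ...
    if ($path->getUserId() !== $tokenInfo->getUserId()) {
        throw new ForbiddenException('path does not match authorized subject');
    }
    // ... and the token must allow writing to the addressed module
    if (!$this->hasWriteScope($tokenInfo->getScope(), $path->getModuleName())) {
        throw new ForbiddenException('path does not match authorized scope');
    }

    // need to get the version before the delete; null means "does not exist"
    $documentVersion = $this->remoteStorage->getVersion($path);

    // If-Match is evaluated exactly once. The original had the same check
    // duplicated after the 404 branch; the second copy could never trigger.
    // NOTE(review): the weak "*" form of If-Match is not special-cased here;
    // it is treated as a literal tag — confirm this matches the server's
    // conditional-request contract.
    $ifMatch = $this->stripQuotes($request->getHeader('If-Match'));

    // if document does not exist, and we have If-Match header set we should
    // return a 412 instead of a 404
    // NOTE(review): in_array() is loose here because the version type
    // returned by getVersion() is not visible; make it strict once that is
    // confirmed to be a string.
    if (null !== $ifMatch && !in_array($documentVersion, $ifMatch)) {
        throw new PreconditionFailedException('version mismatch');
    }
    if (null === $documentVersion) {
        throw new NotFoundException(sprintf('document "%s" not found', $path->getPath()));
    }

    $deleteResult = $this->remoteStorage->deleteDocument($path, $ifMatch);

    $rsr = new Response();
    // the ETag reflects the version that was just removed
    $rsr->setHeader('ETag', '"' . $documentVersion . '"');
    $rsr->setBody($deleteResult);

    return $rsr;
}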