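/**
 * POST /{item}/{id} <- CREATE an {item} with ID {id} using POST/PUT params
 *
 * When $authUserFilter is set, the request must carry an authenticated user
 * (otherwise 403) and the model's $authUserIDProperty is overwritten with that
 * user's ID, so a caller can only ever create records under their own account.
 *
 * Every key of the decoded request body is copied onto the new model object,
 * so field allow-listing is expected to happen in getPostData() or the mapper.
 * NOTE(review): confirm that is the case; otherwise this is mass assignment.
 *
 * Status codes: 201 created, 403 not logged in, 409 duplicate, 422 invalid
 * input, 500 database or unexpected failure.
 *
 * @param Request $request
 * @param array   $params  Route parameters; unused by this implementation.
 * @return Reply
 */
public function Post(Request $request, $params = [])
{
    $model = $this->getPostData($request);

    if ($this->authUserFilter) {
        if (!isset($this->authUser)) {
            return new Reply(403, ['error' => 'Must be logged in to access this resource.']);
        }
        // Force the owner to the authenticated user. An attacker can still add
        // something, but only to their own account, not someone else's. Side
        // effect: the client never needs to send its own UserID.
        $model[$this->authUserIDProperty] = $this->authUser->GetID();
    }

    try {
        $new = $this->mapper->GetNew();
        foreach ($model as $key => $value) {
            $new->{$key} = $value;
        }
        $this->mapper->Save($new);
        $response = new Reply(201, $new);
    } catch (\InvalidArgumentException $e) {
        // Validation failure raised by the model/mapper: its message is meant
        // for the client.
        $response = new Reply(422, ['error' => $e->getMessage()]);
    } catch (UniqueConstraintViolationException $e) {
        $response = new Reply(409, ['error' => 'Object already exists.']);
    } catch (DBALException $e) {
        $this->log('error', $e->getMessage());
        $response = new Reply(500, ['error' => 'Database error. Please try again later.']);
    } catch (\Exception $e) {
        // Log the real message server-side; echoing it to the client could
        // expose internal paths, queries or library details, so return a
        // generic error instead (same treatment as the DBAL branch above).
        $this->log('error', $e->getMessage());
        $response = new Reply(500, ['error' => 'Internal error. Please try again later.']);
    }

    return $response;
}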