Пример #1
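 /**
  * POST /{item}/{id} <- CREATE an {item} with ID {id} using POST/PUT params.
  *
  * Flow: read the request body, optionally pin the owner field to the
  * authenticated user, copy every field onto a fresh mapper entity, persist it.
  *
  * @param Request $request Incoming request; its body is read via getPostData().
  * @param array   $params  Route parameters; unused by this handler, accepted only
  *                         to keep the handler signature.
  * @return Reply 201 with the saved entity; 403 when authUserFilter is set and no
  *               user is authenticated; 422 on \InvalidArgumentException (the
  *               exception message is returned as the validation error); 409 on a
  *               unique-constraint violation; 500 on any other DBALException or
  *               \Exception (the message is logged, never returned to the client).
  */
 public function Post(Request $request, $params = [])
 {
     $model = $this->getPostData($request);

     if ($this->authUserFilter) {
         if (!isset($this->authUser)) {
             return new Reply(403, ['error' => 'Must be logged in to access this resource.']);
         }
         // Pin the owner field to the authenticated user: a client can still create
         // records, but only under its own account, never someone else's. Side
         // effect: the client does not need to send its own user ID at all.
         $model[$this->authUserIDProperty] = $this->authUser->GetID();
     }

     try {
         $new = $this->mapper->GetNew();
         // Mass assignment: every key of the request body becomes a property of the
         // new entity. NOTE(review): this relies on the entity / mapper rejecting
         // unknown or protected fields (an \InvalidArgumentException maps to 422
         // below) — confirm the mapper enforces an allow-list.
         foreach ($model as $key => $value) {
             $new->{$key} = $value;
         }
         $this->mapper->Save($new);
         $response = new Reply(201, $new);
     } catch (\InvalidArgumentException $e) {
         $response = new Reply(422, ['error' => $e->getMessage()]);
     } catch (UniqueConstraintViolationException $e) {
         $response = new Reply(409, ['error' => 'Object already exists.']);
     } catch (DBALException $e) {
         $this->log('error', $e->getMessage());
         $response = new Reply(500, ['error' => 'Database error. Please try again later.']);
     } catch (\Exception $e) {
         // Unexpected failures are logged server-side only, matching the DBAL
         // branch above: a raw exception message may carry internals (paths, SQL,
         // class names) that should not reach the caller.
         $this->log('error', $e->getMessage());
         $response = new Reply(500, ['error' => 'Internal error. Please try again later.']);
     }

     return $response;
 }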