/**
 * Implements RestfulAuthenticationInterface::authenticate().
 *
 * Resolves the account behind the current Drupal session (the global $user)
 * and, for write methods that arrived as a real HTTP call, enforces the CSRF
 * token before handing the account back.
 *
 * @param array $request
 *   The request array. Only the '__application' sub-array is read here:
 *   'rest_call' marks the request as an HTTP call (as opposed to an internal
 *   API invocation) and 'csrf_token' carries the token to validate.
 * @param string $method
 *   The HTTP method of the request; defaults to \RestfulInterface::GET.
 *
 * @return object|null
 *   The loaded account, or NULL when no session has started and we are not
 *   running on the CLI.
 *
 * @throws \RestfulBadRequestException
 *   When a write request over HTTP carries no CSRF token.
 * @throws \RestfulForbiddenException
 *   When the supplied CSRF token does not pass drupal_valid_token().
 */
public function authenticate(array $request = array(), $method = \RestfulInterface::GET) {
  // Cookie authentication needs a session; the CLI is the one context that
  // is allowed to proceed without one.
  $session_missing = !drupal_session_started();
  if ($session_missing && !$this->isCli()) {
    return;
  }

  global $user;
  $account = user_load($user->uid);

  // NOTE(review): the CSRF check is skipped whenever 'rest_call' is absent.
  // This is only safe if '__application' is populated server-side by the
  // dispatcher and can never be injected from the client's query/body —
  // confirm that in the caller.
  $is_write = \RestfulBase::isWriteMethod($method);
  $is_http_call = !empty($request['__application']['rest_call']);
  if (!$is_write || !$is_http_call) {
    // Internal API calls and read-only requests are not exposed to
    // cross-site request forgery, so no token is required.
    return $account;
  }

  $csrf_token = empty($request['__application']['csrf_token']) ? NULL : $request['__application']['csrf_token'];
  if ($csrf_token === NULL) {
    throw new \RestfulBadRequestException('No CSRF token passed in the HTTP header.');
  }

  // Comparison strictness and per-session binding are delegated to core's
  // drupal_valid_token(); the token is tied to \RestfulBase::TOKEN_VALUE.
  if (!drupal_valid_token($csrf_token, \RestfulBase::TOKEN_VALUE)) {
    throw new \RestfulForbiddenException('CSRF token validation failed.');
  }

  return $account;
}
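/**
 * Check access on a property.
 *
 * Access is granted only when every layer agrees: the public field's access
 * callbacks, the text-format filter permission (write contexts only), the
 * property's ability to be set (edit only) and the Entity API access check on
 * the property itself.
 *
 * @param string $op
 *   The operation that access should be checked for. Can be "view" or "edit".
 * @param string $public_field_name
 *   The name of the public field.
 * @param EntityMetadataWrapper $property_wrapper
 *   The wrapped property.
 * @param EntityMetadataWrapper $wrapper
 *   The wrapped entity.
 *
 * @return bool
 *   TRUE if the current user may perform $op on the property, FALSE otherwise.
 *   Every denial path now returns FALSE (the previous callback-denied branch
 *   returned NULL, contradicting this contract and any caller comparing the
 *   result with `=== FALSE`).
 */
protected function checkPropertyAccess($op, $public_field_name, EntityMetadataWrapper $property_wrapper, EntityMetadataWrapper $wrapper) {
  if (!$this->checkPropertyAccessByAccessCallbacks($op, $public_field_name, $property_wrapper, $wrapper)) {
    // Access callbacks denied access. Return a real boolean so the documented
    // contract holds and strict comparisons cannot read a denial as "allowed".
    return FALSE;
  }

  $account = $this->getAccount();

  // Formatted text: the user must be allowed to use the text format, otherwise
  // a caller could submit markup through a format they do not hold.
  // NOTE(review): the format checked is whatever the wrapper currently reports;
  // confirm on write paths that this is the incoming format, not the stored one.
  if ($property_wrapper->type() == 'text_formatted' && $property_wrapper->value() && $property_wrapper->format->value()) {
    $format = (object) array('format' => $property_wrapper->format->value());
    // Only check filter access on write contexts; reading does not apply a format.
    if (\RestfulBase::isWriteMethod($this->getMethod()) && !filter_access($format, $account)) {
      return FALSE;
    }
  }

  // Without a setter callback the property is read-only, so editing is denied.
  $info = $property_wrapper->info();
  if ($op == 'edit' && empty($info['setter callback'])) {
    return FALSE;
  }

  // Entity API may return NULL for "no opinion"; only an explicit FALSE denies.
  $access = $property_wrapper->access($op, $account);
  return $access !== FALSE;
}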