/**
* @param array $cxn
* @param string $entity
* @param string $action
* @param array $params
* @return mixed
*/
public static function route($cxn, $entity, $action, $params)
{
$SUPER_PERM = array('administer CiviCRM');
require_once 'api/v3/utils.php';
// FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL') && !CRM_Utils_System::isSSL() && strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders())) != 'https') {
return civicrm_api3_create_error('System policy requires HTTPS.');
}
// Note: $cxn and cxnId are authenticated before router is called.
$dao = new CRM_Cxn_DAO_Cxn();
$dao->cxn_id = $cxn['cxnId'];
if (empty($cxn['cxnId']) || !$dao->find(TRUE) || !$dao->cxn_id) {
return civicrm_api3_create_error('Failed to lookup connection authorizations.');
}
if (!$dao->is_active) {
return civicrm_api3_create_error('Connection is inactive.');
}
if (!is_string($entity) || !is_string($action) || !is_array($params)) {
return civicrm_api3_create_error('API parameters are malformed.');
}
if (empty($cxn['perm']['api']) || !is_array($cxn['perm']['api']) || empty($cxn['perm']['grant']) || !(is_array($cxn['perm']['grant']) || is_string($cxn['perm']['grant']))) {
return civicrm_api3_create_error('Connection has no permissions.');
}
$whitelist = \Civi\API\WhitelistRule::createAll($cxn['perm']['api']);
\Civi::service('dispatcher')->addSubscriber(new \Civi\API\Subscriber\WhitelistSubscriber($whitelist));
CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp();
if ($cxn['perm']['grant'] === '*') {
CRM_Core_Config::singleton()->userPermissionTemp->grant($SUPER_PERM);
} else {
CRM_Core_Config::singleton()->userPermissionTemp->grant($cxn['perm']['grant']);
}
$params['check_permissions'] = 'whitelist';
return civicrm_api($entity, $action, $params);
}
/**
* @param array $apiRequest
* Array(entity=>$,action=>$,params=>$,expectedResults=>$).
* @param array $rules
* Whitelist - list of allowed API calls/patterns.
* @param bool $expectSuccess
* TRUE if the call should succeed.
* Success implies that the 'expectedResults' are returned.
* Failure implies that the standard error message is returned.
* @dataProvider restrictionCases
*/
public function testEach($apiRequest, $rules, $expectSuccess)
{
\CRM_Core_DAO_AllCoreTables::init(TRUE);
$recs = $this->getFixtures();
\CRM_Core_DAO_AllCoreTables::registerEntityType('Widget', 'CRM_Fake_DAO_Widget', 'fake_widget');
$widgetProvider = new \Civi\API\Provider\StaticProvider(3, 'Widget', array('id', 'widget_type', 'provider', 'title'), array(), $recs['widget']);
\CRM_Core_DAO_AllCoreTables::registerEntityType('Sprocket', 'CRM_Fake_DAO_Sprocket', 'fake_sprocket');
$sprocketProvider = new \Civi\API\Provider\StaticProvider(3, 'Sprocket', array('id', 'sprocket_type', 'widget_id', 'provider', 'title', 'comment'), array(), $recs['sprocket']);
$whitelist = WhitelistRule::createAll($rules);
$dispatcher = new EventDispatcher();
$kernel = new Kernel($dispatcher);
$kernel->registerApiProvider($sprocketProvider);
$kernel->registerApiProvider($widgetProvider);
$dispatcher->addSubscriber(new WhitelistSubscriber($whitelist));
$dispatcher->addSubscriber(new ChainSubscriber());
$apiRequest['params']['debug'] = 1;
$apiRequest['params']['check_permissions'] = 'whitelist';
$result = $kernel->run($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
if ($expectSuccess) {
$this->assertAPISuccess($result);
$this->assertTrue(is_array($apiRequest['expectedResults']));
$this->assertTreeEquals($apiRequest['expectedResults'], $result['values']);
} else {
$this->assertAPIFailure($result);
$this->assertRegExp('/The request does not match any active API authorizations./', $result['error_message']);
}
}
