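/**
 * Collect the resource entry points reachable through the given routes.
 *
 * Walks every route and skips the HTTP methods listed in
 * static::$excludedHttpMethods, the paths matched by static::$excludedPaths
 * and the routes rejected by static::verifyAccess(). For each remaining
 * route one entry per resource is written to $map, keyed by the resource
 * URL and holding the class description from the route metadata (empty
 * string when the metadata carries none).
 *
 * @param array $allRoutes routes keyed by full path; each value is an array of
 *                         route definitions keyed by HTTP method
 * @param array &$map      resource URL => class description, filled in place;
 *                         an existing non-empty entry is left untouched
 * @param int   $version   API version: 1 yields "/resources/{name}", any other
 *                         value "/v{$version}/resources/{name}-v{$version}"
 */
protected function _mapResources(array $allRoutes, array &$map, $version = 1)
{
    foreach ($allRoutes as $fullPath => $routes) {
        $segments = explode('/', $fullPath);
        $resource = isset($segments[0]) ? $segments[0] : '';
        // the resources listing itself and index routes are not resources
        if ($resource == 'resources' || String::endsWith($resource, 'index')) {
            continue;
        }
        foreach ($routes as $httpMethod => $route) {
            // strict match: method names are strings, a loose in_array()
            // would also match on type-juggled values
            if (in_array($httpMethod, static::$excludedHttpMethods, true)) {
                continue;
            }
            if (!static::verifyAccess($route)) {
                continue;
            }
            // an empty exclusion matches the path exactly, any other
            // exclusion is a prefix
            foreach (static::$excludedPaths as $exclude) {
                if (empty($exclude)) {
                    if ($fullPath == $exclude) {
                        continue 2;
                    }
                } elseif (String::beginsWith($fullPath, $exclude)) {
                    continue 2;
                }
            }
            // a missing first segment is the root resource; the version 1
            // URL has no version prefix or suffix
            $name = $resource ? $resource : 'root';
            $res = $version == 1
                ? "/resources/{$name}"
                : "/v{$version}/resources/{$name}-v{$version}";
            if (empty($map[$res])) {
                $map[$res] = isset($route['metadata']['classDescription'])
                    ? $route['metadata']['classDescription']
                    : '';
            }
        }
    }
}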
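/**
 * Access verification method.
 *
 * API access will be denied when this method returns false.
 *
 * Requests whose URL matches static::$excludedPaths are always allowed.
 * Any other request carrying POST data (only form-encoded and upload
 * requests when static::$filterFormRequestsOnly is set) must submit the
 * form key stored in the session for the current "METHOD url" target,
 * otherwise a 403 is thrown.
 *
 * @return boolean true when api access is allowed false otherwise
 *
 * @throws RestException 403 security violation
 */
public function __isAllowed()
{
    if (session_id() === '') {
        session_start();
    }
    /** @var Restler $restler */
    $restler = $this->restler;
    $url = $restler->url;
    // an empty exclusion matches the URL exactly, any other is a prefix
    foreach (static::$excludedPaths as $exclude) {
        if (empty($exclude)) {
            if ($url == $exclude) {
                return true;
            }
        } elseif (String::beginsWith($url, $exclude)) {
            return true;
        }
    }
    // only form-style requests are filtered when the flag is set; the
    // short-circuit keeps requestFormat untouched otherwise
    $check = !static::$filterFormRequestsOnly
        || $restler->requestFormat instanceof UrlEncodedFormat
        || $restler->requestFormat instanceof UploadFormat;
    if (empty($_POST) || !$check) {
        return true;
    }
    $target = Util::getRequestMethod() . ' ' . $url;
    $submitted = isset($_POST[static::FORM_KEY]) ? $_POST[static::FORM_KEY] : null;
    $expected = isset($_SESSION[static::FORM_KEY][$target])
        ? $_SESSION[static::FORM_KEY][$target]
        : null;
    // Strict, type-checked comparison of the submitted token: the former
    // loose == compared numeric-looking strings numerically and accepted
    // non-string input. hash_equals() is the constant-time alternative on
    // PHP >= 5.6. Assumes the session token is stored as a string -
    // TODO confirm against the code that sets $_SESSION[FORM_KEY].
    if (is_string($submitted) && is_string($expected) && $submitted === $expected) {
        return true;
    }
    throw new RestException(403, 'Insecure form submission');
}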