implementing #16
This commit is contained in:
parent
053c3f5fb9
commit
3c825a8f55
|
|
@ -91,6 +91,10 @@ $rest_allowed_actions = array(
|
|||
'getsingle' => array(
|
||||
'first_name' => 'string',
|
||||
'last_name' => 'string',
|
||||
// the following means *all* remaining parameters will be
|
||||
// added and sanitised as 'string'. Better leave it out
|
||||
// if you know which parameters you expect
|
||||
'*' => 'string',
|
||||
),
|
||||
),
|
||||
),
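Review bot: The `'*' => 'string'` entry added to the `getsingle` allowlist forwards every remaining request parameter to CiviCRM for this action, so the allowlist no longer limits which parameters reach the upstream API, only how they are cast. The neighbouring comment already advises leaving the wildcard out when the expected parameters are known, and for a shipped default I would follow that advice and enumerate the fields this action actually needs, or mark the wildcard as a deliberate, reviewed exception. If it has to stay, a comment naming the reason, e.g. `// wildcard kept for <reason>; review before deploying`, would tell the next maintainer this is intentional rather than a leftover. The enclosing `$rest_allowed_actions` array starts before this hunk.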
|
||||
|
|
|
|||
|
|
@ -152,10 +152,38 @@ function civiproxy_security_check($target, $quit=TRUE) {
|
|||
*/
|
||||
function civiproxy_get_parameters($valid_parameters) {
|
||||
$result = array();
|
||||
$default_sanitation = NULL;
|
||||
|
||||
foreach ($valid_parameters as $name => $type) {
|
||||
if ($name == '*') {
|
||||
// this sets default_sanitation
|
||||
$default_sanitation = $type;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (isset($_REQUEST[$name])) {
|
||||
$value = $_REQUEST[$name];
|
||||
$result[$name] = civiproxy_sanitise($_REQUEST[$name], $type);
|
||||
}
|
||||
}
|
||||
|
||||
// process wildcard elements
|
||||
if ($default_sanitation !== NULL) {
|
||||
// i.e. we want the others too
|
||||
$remove_parameters = array('key', 'api_key', 'version', 'entity', 'action');
|
||||
foreach ($_REQUEST as $name => $value) {
|
||||
if (!in_array($name, $remove_parameters) && !isset($valid_parameters[$name])) {
|
||||
$result[$name] = civiproxy_sanitise($value, $default_sanitation);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* sanitise the given value with the given sanitiation type
|
||||
*/
|
||||
function civiproxy_sanitise($value, $type) {
|
||||
if ($type=='int') {
|
||||
$value = (int) $value;
|
||||
} elseif ($type == 'string') {
|
||||
|
|
@ -190,12 +218,8 @@ function civiproxy_get_parameters($valid_parameters) {
|
|||
error_log("CiviProxy: unknown type '$type'. Ignored.");
|
||||
$value = '';
|
||||
}
|
||||
$result[$name] = $value;
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* generates a CiviCRM REST API compliant error
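Review bot: The end of `civiproxy_sanitise` appears to return the wrong variable: this hunk's header (`-190,12 +218,8`) indicates four lines removed and none added, so the new side is made only of lines visible here, and the only return statement among them is `return $result;`, which in a function whose sole local is `$value` would return an undefined variable (or, if that line was one of the removed ones, the function would have no return at all and yield null). Either way every caller, including `civiproxy_get_parameters`, would receive no sanitised value; the function should end with `return $value;`. The rendered page has lost the +/- markers, so please confirm against the raw diff which of the twelve lines survive. The function's opening lines are in the previous hunk.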
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ if (empty($credentials['api_key'])) {
|
|||
// check if the call itself is allowed
|
||||
$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int'));
|
||||
if (!isset($action['version']) || $action['version'] != 3) {
|
||||
civiproxy_rest_error("Invalid entity/action.");
|
||||
civiproxy_rest_error("API 'version' information missing.");
|
||||
}
|
||||
|
||||
// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
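Review bot: The condition `!isset($action['version']) || $action['version'] != 3` covers two distinct failures, a missing version and a supplied but unsupported one, yet the message reported for both (`API 'version' information missing.`, assuming that is the line on the new side since the markers are lost) describes only the first. A wording that fits both branches, such as `civiproxy_rest_error("API 'version' missing or unsupported (expected 3).");`, would avoid misleading a client that sent a version. The outcome also depends on `civiproxy_rest_error` terminating the request, which is not visible in this hunk; if it can return, the code below would continue with an unvalidated version.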
|
||||
|
|
|
|||