diff --git a/proxy/config.php b/proxy/config.php index eeda1fc..1d90e38 100644 --- a/proxy/config.php +++ b/proxy/config.php @@ -74,11 +74,25 @@ $file_cache_include = array( /**************************************************************** ** REST API OPTIONS ** ****************************************************************/ +// whitelisting is done per IP address ($_SERVER['REMOTE_ADDR']) with a 'all' for the generic stuff that applies to all IP addresses +// - if a request comes in and the IP is not a key in the array, the whitelisted in 'all' are used +// - if a request comes in and the IP is indeed a key in the array, the whitelisted in the IP are checked first. If nothing is +// found ,the 'all' ones are checked next. $rest_allowed_actions = array( - // this is an example: - 'Contact' => array( - 'getsingle' => array( - 'email' => 'string' - ), - ) - ); + 'all' => array( + 'Contact' => array( + 'getsingle' => array( + 'email' => 'string', + ), + ), + ), + '123.45.678.1' => array( + 'Contact' => array( + 'getsingle' => array( + 'first_name' => 'string', + 'last_name' => 'string', + ), + ), + ), +); + diff --git a/proxy/proxy.php b/proxy/proxy.php index 1b2f87f..e6bbee9 100644 --- a/proxy/proxy.php +++ b/proxy/proxy.php @@ -255,3 +255,25 @@ function civicrm_api3($entity, $action, $data) { } } +/** + * Function to get the valid rest_allowed_actions key + * + * @param $action + * @param $rest_allowed_actions + * @return bool + */ +function civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions) { + $remote_addr = $_SERVER['REMOTE_ADDR']; + // check IP specific whitelisting if specified for this address + if (isset($rest_allowed_actions[$remote_addr])) { + if (isset($rest_allowed_actions[$remote_addr][$action['entity']]) && isset($rest_allowed_actions[$remote_addr][$action['entity']][$action['action']])) { + $valid_key = $remote_addr; + } else { + $valid_key = 'all'; + } + } else { + $valid_key = 'all'; + } + return $valid_key; +} + diff --git a/proxy/rest.php b/proxy/rest.php index 21bdc97..e5b587b 100644 --- a/proxy/rest.php +++ b/proxy/rest.php @@ -46,11 +46,25 @@ $action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'stri if (!isset($action['version']) || $action['version'] != 3) { civiproxy_rest_error("Invalid entity/action."); } -if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) { - $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']]; + +// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility, +// the previous test is still used when no 'all' key is found in the array +if (isset($rest_allowed_actions['all'])) { + // get valid key for the rest_allowed_actions + $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions); + + if (isset($rest_allowed_actions[$valid_allowed_key][$action['entity']]) && isset($rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']])) { + $valid_parameters = $rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']]; + } else { + civiproxy_rest_error("Invalid entity/action."); + } } else { - civiproxy_rest_error("Invalid entity/action."); -} + if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) { + $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']]; + } else { + civiproxy_rest_error("Invalid entity/action."); + } +} // extract parameters and add credentials and action data $parameters = civiproxy_get_parameters($valid_parameters);