1.0.0-beta

Civix upgrade should fix install error

README.md

@@ -1 +1,8 @@
-Documentation on CiviProxy can be found here: https://docs.civicrm.org/civiproxy/en/latest/
+## About
+CiviProxy is a tool to set up a security proxy server specifically for your CiviCRM instance. It uses whitelisting and parameter sanitation to allow only legitimate requests to pass through. 
+## Documentation
+The documentation on CiviProxy can be found here: https://docs.civicrm.org/civiproxy/en/latest/
+## We need your support
+This software is provided as Free and Open Source Software, and we are happy if you find it useful. However, we have put a lot of work into it (and continue to do so), much of it unpaid for. So if you benefit from our software, please consider making a financial contribution so we can continue to maintain and develop it further.
+
+If you are willing to support us in developing this tool, please send an email to info@systopia.de to get an invoice or agree a different payment method. Thank you! 

de.systopia.civiproxy/CRM/Civiproxy/Mailer.php

@@ -17,12 +17,23 @@ class CRM_Civiproxy_Mailer {
    * this is the orginal, wrapped mailer
    */
   protected $mailer = NULL;
+  /**
+   * @var Mail Driver
+   */
+  protected $driver = NULL;
+
+  /**
+   * @var array Mail Params, currently not used
+   */
+  protected $params = [];
 
   /**
    * construct this mailer wrapping another one
    */
-  public function __construct($mailer) {
+  public function __construct($mailer, $driver, $params) {
     $this->mailer = $mailer;
+    $this->driver = $driver;
+    $this->params = $params;
   }
 
   /**
@@ -81,4 +92,11 @@ class CRM_Civiproxy_Mailer {
       $value = preg_replace("#{$system_base}civicrm/mailing/{$function}#i", $new_url, $value);
     }
   }
+
+    /**
+     * @return Mail|null
+     */
+    public function getDriver() {
+        return $this->driver;
+    }
 }

de.systopia.civiproxy/civiproxy.civix.php

@@ -7,9 +7,9 @@
  * extension.
  */
 class CRM_Civiproxy_ExtensionUtil {
-  const SHORT_NAME = "civiproxy";
-  const LONG_NAME = "de.systopia.civiproxy";
-  const CLASS_PREFIX = "CRM_Civiproxy";
+  const SHORT_NAME = 'civiproxy';
+  const LONG_NAME = 'de.systopia.civiproxy';
+  const CLASS_PREFIX = 'CRM_Civiproxy';
 
   /**
    * Translate a string using the extension's domain.
@@ -24,7 +24,7 @@ class CRM_Civiproxy_ExtensionUtil {
    *   Translated text.
    * @see ts
    */
-  public static function ts($text, $params = []) {
+  public static function ts($text, $params = []): string {
     if (!array_key_exists('domain', $params)) {
       $params['domain'] = [self::LONG_NAME, NULL];
     }
@@ -41,7 +41,7 @@ class CRM_Civiproxy_ExtensionUtil {
    *   Ex: 'http://example.org/sites/default/ext/org.example.foo'.
    *   Ex: 'http://example.org/sites/default/ext/org.example.foo/css/foo.css'.
    */
-  public static function url($file = NULL) {
+  public static function url($file = NULL): string {
     if ($file === NULL) {
       return rtrim(CRM_Core_Resources::singleton()->getUrl(self::LONG_NAME), '/');
     }
@@ -75,6 +75,7 @@ class CRM_Civiproxy_ExtensionUtil {
     return self::CLASS_PREFIX . '_' . str_replace('\\', '_', $suffix);
   }
 
+
 }
 
 use CRM_Civiproxy_ExtensionUtil as E;
@@ -84,40 +85,17 @@ use CRM_Civiproxy_ExtensionUtil as E;
  *
  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config
  */
-function _civiproxy_civix_civicrm_config(&$config = NULL) {
+function _civiproxy_civix_civicrm_config($config = NULL) {
   static $configured = FALSE;
   if ($configured) {
     return;
   }
   $configured = TRUE;
 
-  $template =& CRM_Core_Smarty::singleton();
-
-  $extRoot = dirname(__FILE__) . DIRECTORY_SEPARATOR;
-  $extDir = $extRoot . 'templates';
-
-  if (is_array($template->template_dir)) {
-    array_unshift($template->template_dir, $extDir);
-  }
-  else {
-    $template->template_dir = [$extDir, $template->template_dir];
-  }
-
+  $extRoot = __DIR__ . DIRECTORY_SEPARATOR;
   $include_path = $extRoot . PATH_SEPARATOR . get_include_path();
   set_include_path($include_path);
-}
-
-/**
- * (Delegated) Implements hook_civicrm_xmlMenu().
- *
- * @param $files array(string)
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_xmlMenu
- */
-function _civiproxy_civix_civicrm_xmlMenu(&$files) {
-  foreach (_civiproxy_civix_glob(__DIR__ . '/xml/Menu/*.xml') as $file) {
-    $files[] = $file;
-  }
+  // Based on <compatibility>, this does not currently require mixin/polyfill.php.
 }
 
 /**
@@ -127,35 +105,7 @@ function _civiproxy_civix_civicrm_xmlMenu(&$files) {
  */
 function _civiproxy_civix_civicrm_install() {
   _civiproxy_civix_civicrm_config();
-  if ($upgrader = _civiproxy_civix_upgrader()) {
-    $upgrader->onInstall();
-  }
-}
-
-/**
- * Implements hook_civicrm_postInstall().
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall
- */
-function _civiproxy_civix_civicrm_postInstall() {
-  _civiproxy_civix_civicrm_config();
-  if ($upgrader = _civiproxy_civix_upgrader()) {
-    if (is_callable([$upgrader, 'onPostInstall'])) {
-      $upgrader->onPostInstall();
-    }
-  }
-}
-
-/**
- * Implements hook_civicrm_uninstall().
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall
- */
-function _civiproxy_civix_civicrm_uninstall() {
-  _civiproxy_civix_civicrm_config();
-  if ($upgrader = _civiproxy_civix_upgrader()) {
-    $upgrader->onUninstall();
-  }
+  // Based on <compatibility>, this does not currently require mixin/polyfill.php.
 }
 
 /**
@@ -163,212 +113,9 @@ function _civiproxy_civix_civicrm_uninstall() {
  *
  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable
  */
-function _civiproxy_civix_civicrm_enable() {
+function _civiproxy_civix_civicrm_enable(): void {
   _civiproxy_civix_civicrm_config();
-  if ($upgrader = _civiproxy_civix_upgrader()) {
-    if (is_callable([$upgrader, 'onEnable'])) {
-      $upgrader->onEnable();
-    }
-  }
-}
-
-/**
- * (Delegated) Implements hook_civicrm_disable().
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable
- * @return mixed
- */
-function _civiproxy_civix_civicrm_disable() {
-  _civiproxy_civix_civicrm_config();
-  if ($upgrader = _civiproxy_civix_upgrader()) {
-    if (is_callable([$upgrader, 'onDisable'])) {
-      $upgrader->onDisable();
-    }
-  }
-}
-
-/**
- * (Delegated) Implements hook_civicrm_upgrade().
- *
- * @param $op string, the type of operation being performed; 'check' or 'enqueue'
- * @param $queue CRM_Queue_Queue, (for 'enqueue') the modifiable list of pending up upgrade tasks
- *
- * @return mixed
- *   based on op. for 'check', returns array(boolean) (TRUE if upgrades are pending)
- *   for 'enqueue', returns void
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade
- */
-function _civiproxy_civix_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
-  if ($upgrader = _civiproxy_civix_upgrader()) {
-    return $upgrader->onUpgrade($op, $queue);
-  }
-}
-
-/**
- * @return CRM_Civiproxy_Upgrader
- */
-function _civiproxy_civix_upgrader() {
-  if (!file_exists(__DIR__ . '/CRM/Civiproxy/Upgrader.php')) {
-    return NULL;
-  }
-  else {
-    return CRM_Civiproxy_Upgrader_Base::instance();
-  }
-}
-
-/**
- * Search directory tree for files which match a glob pattern.
- *
- * Note: Dot-directories (like "..", ".git", or ".svn") will be ignored.
- * Note: In Civi 4.3+, delegate to CRM_Utils_File::findFiles()
- *
- * @param string $dir base dir
- * @param string $pattern , glob pattern, eg "*.txt"
- *
- * @return array
- */
-function _civiproxy_civix_find_files($dir, $pattern) {
-  if (is_callable(['CRM_Utils_File', 'findFiles'])) {
-    return CRM_Utils_File::findFiles($dir, $pattern);
-  }
-
-  $todos = [$dir];
-  $result = [];
-  while (!empty($todos)) {
-    $subdir = array_shift($todos);
-    foreach (_civiproxy_civix_glob("$subdir/$pattern") as $match) {
-      if (!is_dir($match)) {
-        $result[] = $match;
-      }
-    }
-    if ($dh = opendir($subdir)) {
-      while (FALSE !== ($entry = readdir($dh))) {
-        $path = $subdir . DIRECTORY_SEPARATOR . $entry;
-        if ($entry[0] == '.') {
-        }
-        elseif (is_dir($path)) {
-          $todos[] = $path;
-        }
-      }
-      closedir($dh);
-    }
-  }
-  return $result;
-}
-
-/**
- * (Delegated) Implements hook_civicrm_managed().
- *
- * Find any *.mgd.php files, merge their content, and return.
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_managed
- */
-function _civiproxy_civix_civicrm_managed(&$entities) {
-  $mgdFiles = _civiproxy_civix_find_files(__DIR__, '*.mgd.php');
-  sort($mgdFiles);
-  foreach ($mgdFiles as $file) {
-    $es = include $file;
-    foreach ($es as $e) {
-      if (empty($e['module'])) {
-        $e['module'] = E::LONG_NAME;
-      }
-      if (empty($e['params']['version'])) {
-        $e['params']['version'] = '3';
-      }
-      $entities[] = $e;
-    }
-  }
-}
-
-/**
- * (Delegated) Implements hook_civicrm_caseTypes().
- *
- * Find any and return any files matching "xml/case/*.xml"
- *
- * Note: This hook only runs in CiviCRM 4.4+.
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_caseTypes
- */
-function _civiproxy_civix_civicrm_caseTypes(&$caseTypes) {
-  if (!is_dir(__DIR__ . '/xml/case')) {
-    return;
-  }
-
-  foreach (_civiproxy_civix_glob(__DIR__ . '/xml/case/*.xml') as $file) {
-    $name = preg_replace('/\.xml$/', '', basename($file));
-    if ($name != CRM_Case_XMLProcessor::mungeCaseType($name)) {
-      $errorMessage = sprintf("Case-type file name is malformed (%s vs %s)", $name, CRM_Case_XMLProcessor::mungeCaseType($name));
-      throw new CRM_Core_Exception($errorMessage);
-    }
-    $caseTypes[$name] = [
-      'module' => E::LONG_NAME,
-      'name' => $name,
-      'file' => $file,
-    ];
-  }
-}
-
-/**
- * (Delegated) Implements hook_civicrm_angularModules().
- *
- * Find any and return any files matching "ang/*.ang.php"
- *
- * Note: This hook only runs in CiviCRM 4.5+.
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_angularModules
- */
-function _civiproxy_civix_civicrm_angularModules(&$angularModules) {
-  if (!is_dir(__DIR__ . '/ang')) {
-    return;
-  }
-
-  $files = _civiproxy_civix_glob(__DIR__ . '/ang/*.ang.php');
-  foreach ($files as $file) {
-    $name = preg_replace(':\.ang\.php$:', '', basename($file));
-    $module = include $file;
-    if (empty($module['ext'])) {
-      $module['ext'] = E::LONG_NAME;
-    }
-    $angularModules[$name] = $module;
-  }
-}
-
-/**
- * (Delegated) Implements hook_civicrm_themes().
- *
- * Find any and return any files matching "*.theme.php"
- */
-function _civiproxy_civix_civicrm_themes(&$themes) {
-  $files = _civiproxy_civix_glob(__DIR__ . '/*.theme.php');
-  foreach ($files as $file) {
-    $themeMeta = include $file;
-    if (empty($themeMeta['name'])) {
-      $themeMeta['name'] = preg_replace(':\.theme\.php$:', '', basename($file));
-    }
-    if (empty($themeMeta['ext'])) {
-      $themeMeta['ext'] = E::LONG_NAME;
-    }
-    $themes[$themeMeta['name']] = $themeMeta;
-  }
-}
-
-/**
- * Glob wrapper which is guaranteed to return an array.
- *
- * The documentation for glob() says, "On some systems it is impossible to
- * distinguish between empty match and an error." Anecdotally, the return
- * result for an empty match is sometimes array() and sometimes FALSE.
- * This wrapper provides consistency.
- *
- * @link http://php.net/glob
- * @param string $pattern
- *
- * @return array
- */
-function _civiproxy_civix_glob($pattern) {
-  $result = glob($pattern);
-  return is_array($result) ? $result : [];
+  // Based on <compatibility>, this does not currently require mixin/polyfill.php.
 }
 
 /**
@@ -387,7 +134,7 @@ function _civiproxy_civix_insert_navigation_menu(&$menu, $path, $item) {
   if (empty($path)) {
     $menu[] = [
       'attributes' => array_merge([
-        'label'      => CRM_Utils_Array::value('name', $item),
+        'label' => $item['name'] ?? NULL,
         'active' => 1,
       ], $item),
     ];
@@ -452,26 +199,3 @@ function _civiproxy_civix_fixNavigationMenuItems(&$nodes, &$maxNavID, $parentID)
     }
   }
 }
-
-/**
- * (Delegated) Implements hook_civicrm_alterSettingsFolders().
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_alterSettingsFolders
- */
-function _civiproxy_civix_civicrm_alterSettingsFolders(&$metaDataFolders = NULL) {
-  $settingsDir = __DIR__ . DIRECTORY_SEPARATOR . 'settings';
-  if (!in_array($settingsDir, $metaDataFolders) && is_dir($settingsDir)) {
-    $metaDataFolders[] = $settingsDir;
-  }
-}
-
-/**
- * (Delegated) Implements hook_civicrm_entityTypes().
- *
- * Find any *.entityType.php files, merge their content, and return.
- *
- * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes
- */
-function _civiproxy_civix_civicrm_entityTypes(&$entityTypes) {
-  $entityTypes = array_merge($entityTypes, []);
-}

de.systopia.civiproxy/civiproxy.php

@@ -15,7 +15,7 @@ require_once 'civiproxy.civix.php';
  * so we can mend all the URLs in outgoing emails
  */
 function civiproxy_civicrm_alterMailer(&$mailer, $driver, $params) {
-  $mailer = new CRM_Civiproxy_Mailer($mailer);
+  $mailer = new CRM_Civiproxy_Mailer($mailer, $driver, $params);
 }
 
 /**
@@ -25,15 +25,6 @@ function civiproxy_civicrm_config(&$config) {
   _civiproxy_civix_civicrm_config($config);
 }
 
-/**
- * Implementation of hook_civicrm_xmlMenu
- *
- * @param $files array(string)
- */
-function civiproxy_civicrm_xmlMenu(&$files) {
-  _civiproxy_civix_civicrm_xmlMenu($files);
-}
-
 /**
  * Implementation of hook_civicrm_install
  */
@@ -41,13 +32,6 @@ function civiproxy_civicrm_install() {
   return _civiproxy_civix_civicrm_install();
 }
 
-/**
- * Implementation of hook_civicrm_uninstall
- */
-function civiproxy_civicrm_uninstall() {
-  return _civiproxy_civix_civicrm_uninstall();
-}
-
 /**
  * Implementation of hook_civicrm_enable
  */
@@ -55,61 +39,9 @@ function civiproxy_civicrm_enable() {
   return _civiproxy_civix_civicrm_enable();
 }
 
-/**
- * Implementation of hook_civicrm_disable
- */
-function civiproxy_civicrm_disable() {
-  return _civiproxy_civix_civicrm_disable();
-}
-
-/**
- * Implementation of hook_civicrm_upgrade
- *
- * @param $op string, the type of operation being performed; 'check' or 'enqueue'
- * @param $queue CRM_Queue_Queue, (for 'enqueue') the modifiable list of pending up upgrade tasks
- *
- * @return mixed  based on op. for 'check', returns array(boolean) (TRUE if upgrades are pending)
- *                for 'enqueue', returns void
- */
-function civiproxy_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
-  return _civiproxy_civix_civicrm_upgrade($op, $queue);
-}
-
-/**
- * Implementation of hook_civicrm_managed
- *
- * Generate a list of entities to create/deactivate/delete when this module
- * is installed, disabled, uninstalled.
- */
-function civiproxy_civicrm_managed(&$entities) {
-  return _civiproxy_civix_civicrm_managed($entities);
-}
-
-/**
- * Implementation of hook_civicrm_caseTypes
- *
- * Generate a list of case-types
- *
- * Note: This hook only runs in CiviCRM 4.4+.
- */
-function civiproxy_civicrm_caseTypes(&$caseTypes) {
-  _civiproxy_civix_civicrm_caseTypes($caseTypes);
-}
-
 /**
 * Implementation of hook_civicrm_alterSettingsFolders
 *
 * Scan for settings in custom folder and import them
 *
 */
-function civiproxy_civicrm_alterSettingsFolders(&$metaDataFolders = NULL){
-  static $configured = FALSE;
-  if ($configured) return;
-  $configured = TRUE;
-
-  $extRoot = dirname( __FILE__ ) . DIRECTORY_SEPARATOR;
-  $extDir = $extRoot . 'settings';
-  if(!in_array($extDir, $metaDataFolders)){
-    $metaDataFolders[] = $extDir;
-  }
-}

de.systopia.civiproxy/info.xml

@@ -8,14 +8,31 @@
     <author>B. Endres</author>
     <email>endres@systopia.de</email>
   </maintainer>
-  <releaseDate>2021-11-19</releaseDate>
-  <version>0.6-beta3</version>
+  <urls>
+    <url desc="Main Extension Page">https://github.com/systopia/CiviProxy</url>
+    <url desc="Documentation">https://docs.civicrm.org/civiproxy/en/latest/</url>
+    <url desc="Support">https://github.com/systopia/CiviProxy/issues</url>
+    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
+  </urls>
+  <releaseDate>2024-01-07</releaseDate>
+  <version>1.0.0-beta</version>
   <develStage>beta</develStage>
   <compatibility>
-    <ver>5.0</ver>
+    <ver>5.45</ver>
   </compatibility>
   <comments>This is the companion extension to SYSTOPIA's CiviProxy security system</comments>
   <civix>
     <namespace>CRM/Civiproxy</namespace>
+    <format>24.09.1</format>
   </civix>
+  <mixins>
+    <mixin>menu-xml@1.0.0</mixin>
+    <mixin>setting-php@1.0.0</mixin>
+    <mixin>smarty-v2@1.0.3</mixin>
+    <mixin>entity-types-php@2.0.0</mixin>
+  </mixins>
+  <classloader>
+    <psr0 prefix="CRM_" path="."/>
+    <psr4 prefix="Civi\" path="Civi"/>
+  </classloader>
 </extension>

de.systopia.civiproxy/mixin/entity-types-php@2.0.0.mixin.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * Auto-register entity declarations from `schema/*.entityType.php`.
+ *
+ * @mixinName entity-types-php
+ * @mixinVersion 2.0.0
+ * @since 5.73
+ *
+ * Changelog:
+ *  - v2.0 scans /schema directory instead of /xml/schema/*
+ *  - v2.0 supports only one entity per file
+ *  - v2.0 adds 'module' key to each entity
+ *
+ * @param CRM_Extension_MixInfo $mixInfo
+ *   On newer deployments, this will be an instance of MixInfo. On older deployments, Civix may polyfill with a work-a-like.
+ * @param \CRM_Extension_BootCache $bootCache
+ *   On newer deployments, this will be an instance of BootCache. On older deployments, Civix may polyfill with a work-a-like.
+ */
+return function ($mixInfo, $bootCache) {
+
+  /**
+   * @param \Civi\Core\Event\GenericHookEvent $e
+   * @see CRM_Utils_Hook::entityTypes()
+   */
+  Civi::dispatcher()->addListener('hook_civicrm_entityTypes', function ($e) use ($mixInfo) {
+    // When deactivating on a polyfill/pre-mixin system, listeners may not cleanup automatically.
+    if (!$mixInfo->isActive() || !is_dir($mixInfo->getPath('schema'))) {
+      return;
+    }
+
+    $files = (array) glob($mixInfo->getPath('schema/*.entityType.php'));
+    foreach ($files as $file) {
+      $entity = include $file;
+      $entity['module'] = $mixInfo->longName;
+      $e->entityTypes[$entity['name']] = $entity;
+    }
+  });
+
+};

de.systopia.civiproxy/mixin/smarty-v2@1.0.3.mixin.php

@@ -0,0 +1,78 @@
+<?php
+
+/**
+ * Auto-register "templates/" folder.
+ *
+ * @mixinName smarty-v2
+ * @mixinVersion 1.0.3
+ * @since 5.59
+ *
+ * @deprecated - it turns out that the mixin is not version specific so the 'smarty'
+ * mixin is preferred over smarty-v2 (they are the same but not having the version
+ * in the name is less misleading.)
+ *
+ * @param CRM_Extension_MixInfo $mixInfo
+ *   On newer deployments, this will be an instance of MixInfo. On older deployments, Civix may polyfill with a work-a-like.
+ * @param \CRM_Extension_BootCache $bootCache
+ *   On newer deployments, this will be an instance of MixInfo. On older deployments, Civix may polyfill with a work-a-like.
+ */
+return function ($mixInfo, $bootCache) {
+  $dir = $mixInfo->getPath('templates');
+  if (!file_exists($dir)) {
+    return;
+  }
+
+  $register = function($newDirs) {
+    $smarty = CRM_Core_Smarty::singleton();
+    $v2 = isset($smarty->_version) && version_compare($smarty->_version, 3, '<');
+    $templateDirs = (array) ($v2 ? $smarty->template_dir : $smarty->getTemplateDir());
+    $templateDirs = array_merge($newDirs, $templateDirs);
+    $templateDirs = array_unique(array_map(function($v) {
+      $v = str_replace(DIRECTORY_SEPARATOR, '/', $v);
+      $v = rtrim($v, '/') . '/';
+      return $v;
+    }, $templateDirs));
+    if ($v2) {
+      $smarty->template_dir = $templateDirs;
+    }
+    else {
+      $smarty->setTemplateDir($templateDirs);
+    }
+  };
+
+  // Let's figure out what environment we're in -- so that we know the best way to call $register().
+
+  if (!empty($GLOBALS['_CIVIX_MIXIN_POLYFILL'])) {
+    // Polyfill Loader (v<=5.45): We're already in the middle of firing `hook_config`.
+    if ($mixInfo->isActive()) {
+      $register([$dir]);
+    }
+    return;
+  }
+
+  if (CRM_Extension_System::singleton()->getManager()->extensionIsBeingInstalledOrEnabled($mixInfo->longName)) {
+    // New Install, Standard Loader: The extension has just been enabled, and we're now setting it up.
+    // System has already booted. New templates may be needed for upcoming installation steps.
+    $register([$dir]);
+    return;
+  }
+
+  // Typical Pageview, Standard Loader: Defer the actual registration for a moment -- to ensure that Smarty is online.
+  // We need to bundle-up all dirs -- Smarty 3/4/5 is inefficient with processing repeated calls to `getTemplateDir()`+`setTemplateDir()`
+  if (!isset(Civi::$statics[__FILE__]['event'])) {
+    Civi::$statics[__FILE__]['event'] = 'civi.smarty-v2.addPaths.' . md5(__FILE__);
+    Civi::dispatcher()->addListener('hook_civicrm_config', function() use ($register) {
+      $dirs = [];
+      $event = \Civi\Core\Event\GenericHookEvent::create(['dirs' => &$dirs]);
+      Civi::dispatcher()->dispatch(Civi::$statics[__FILE__]['event'], $event);
+      $register($dirs);
+    });
+  }
+
+  Civi::dispatcher()->addListener(Civi::$statics[__FILE__]['event'], function($event) use ($mixInfo, $dir) {
+    if ($mixInfo->isActive()) {
+      array_unshift($event->dirs, $dir);
+    }
+  });
+
+};

docs/requirements.md

@@ -3,7 +3,7 @@
 There shouldn't be any requirements that any web hoster wouldn't comply with, but here they are:
 
  1. PHP 5.3+
- 2. PHP PEAR (to install on Debian/Ubunto, run `apt-get install php-pear`)
+ 2. PHP PEAR (to install on Debian/Ubuntu, run `apt-get install php-pear`)
  3. The `php-curl` module
  4. Read/write permissions on your webspace
  5. Reasonable amount of protection, i.e. only authorised users (you) can upload/download the files

proxy/.htaccess

@@ -0,0 +1,6 @@
+# Serve
+<IfModule mod_rewrite.c>
+  RewriteEngine on
+  RewriteCond %{REQUEST_URI} ^/civicrm/ajax/api4
+  RewriteRule ^civicrm/ajax/api4/([^/]*)/([^/]*) rest4.php?entity=$1&action=$2 [QSA,B]
+</IfModule>

proxy/checks.php

@@ -0,0 +1,82 @@
+<?php
+
+/**
+ * generates a CiviCRM REST API compliant error
+ * and ends processing
+ */
+function civiproxy_rest_error($message) {
+  $error = array( 'is_error'      => 1,
+                  'error_message' => $message);
+  // TODO: Implement header();
+  print json_encode($error);
+  exit();
+}
+
+/**
+ * Updates $credentials['api_key'] in-place, or displays an error if api key
+ * is missing or does not correspond to an entry in $api_key_map (which should
+ * be set in config.php).
+ * @param array $credentials
+ * @param array $api_key_map
+ */
+function civiproxy_map_api_key(array &$credentials, array $api_key_map) {
+  if (empty($credentials['api_key'])) {
+    civiproxy_rest_error("No API key given");
+  }
+  else {
+    if (isset($api_key_map[$credentials['api_key']])) {
+      $credentials['api_key'] = $api_key_map[$credentials['api_key']];
+    }
+    else {
+      civiproxy_rest_error("Invalid api key");
+    }
+  }
+}
+
+/**
+ * Updates $credentials['key'] in-place, or displays an error if site key
+ * is missing or does not correspond to an entry in $sys_key_map (which should
+ * be set in config.php).
+ * @param array $credentials
+ * @param array $sys_key_map
+ */
+function civiproxy_map_site_key(array &$credentials, array $sys_key_map) {
+  if (empty($credentials['key'])) {
+    civiproxy_rest_error("No site key given");
+  }
+  else {
+    if (isset($sys_key_map[$credentials['key']])) {
+      $credentials['key'] = $sys_key_map[$credentials['key']];
+    }
+	else {
+      civiproxy_rest_error("Invalid site key");
+    }
+  }
+}
+
+/**
+ * @param array $action should have both 'entity' and 'action' keys set
+ * @param array $rest_allowed_actions from config.php
+ * @return array
+ */
+function civiproxy_get_valid_parameters(array $action, array $rest_allowed_actions) {
+  // in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
+  // the previous test is still used when no 'all' key is found in the array
+  if (isset($rest_allowed_actions['all'])) {
+    // get valid key for the rest_allowed_actions
+    $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
+    $valid_parameters = civiproxy_retrieve_api_parameters($valid_allowed_key, $action['entity'], $action['action'], $rest_allowed_actions);
+    if (!$valid_parameters) {
+      civiproxy_rest_error("Invalid entity/action.");
+    }
+  }
+  else {
+    if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
+      $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
+    }
+    else {
+      civiproxy_rest_error("Invalid entity/action.");
+    }
+  }
+  return $valid_parameters;
+}

proxy/config.dist.php

@@ -41,6 +41,8 @@ $target_civicrm = 'https://your.civicrm.installation.org';
 
 // default paths, override if you want. Set to NULL to disable
 $target_rest      = $target_civicrm . '/sites/all/modules/civicrm/extern/rest.php';
+// base URL for api4 calls. Will append entity and action path segments
+$target_rest4     = $target_civicrm . '/civicrm/ajax/api4/';
 $target_file      = $target_civicrm . '/sites/default/files/civicrm/persist/';
 $target_mosaico   = NULL; // (disabled by default): $target_civicrm . '/civicrm/mosaico/img?src=';
 $target_mosaico_template_url = NULL; // (disabled by default): $target_civicrm . '/wp-content/uploads/civicrm/ext/uk.co.vedaconsulting.mosaico/packages/mosaico/templates/';
@@ -49,9 +51,8 @@ $target_url       = $target_civicrm . '/civicrm/mailing/url';
 $target_open      = $target_civicrm . '/civicrm/mailing/open';
 
 // CAUTION: use the following for CiviCRM < 5.27 or "Extern URL Style" = "Standalone Scripts" 
-#$target_url       = $target_civicrm . '/sites/all/modules/civicrm/extern/url.php';
-#$target_open      = $target_civicrm . '/sites/all/modules/civicrm/extern/open.php';
-
+//$target_url       = $target_civicrm . '/sites/all/modules/civicrm/extern/url.php';
+//$target_open      = $target_civicrm . '/sites/all/modules/civicrm/extern/open.php';
 
 /****************************************************************
  **                    GENERAL OPTIONS                         **
@@ -75,6 +76,10 @@ $debug                      = NULL; //'LUXFbiaoz4dVWuAHEcuBAe7YQ4YP96rN4MCDmKj89
 // This is useful in some VPN configurations (see CURLOPT_INTERFACE)
 $target_interface           = NULL;
 
+
+/***************************************************************
+ **                Authentication Options                     **
+ ***************************************************************/
 // API and SITE keys (you may add keys here)
 $api_key_map = [
   'my_api_key'   => 'my_api_key',   // use this to allow API key
@@ -91,6 +96,36 @@ if (file_exists(dirname(__FILE__)."/secrets.php")) {
   require "secrets.php";
 }
 
+// Parameter whitelisting for open tracking and URL tracking
+// basic civicrm URL/open parameter are u, q and qid (as int)
+// If additional parameters are needed, best practise would be to whitelist each one as needed in
+// $valid_url_parameters and/or $valid_open_parameters.
+// Alternatively it is also possible to allow all parameters with the wildcard parameter '*' => 'string'
+$valid_url_parameters = [
+    'u'   => 'int',
+    'q'   => 'int',
+    'qid' => 'int',
+//    '*'   => 'string'     // whildcard, whitelist all url parameters
+];
+$valid_open_parameters = [
+    'u'   => 'int',
+    'q'   => 'int',
+    'qid' => 'int',
+//    '*'   => 'string'     // wildcard, whitelist *all* open parameters
+];
+// CiviCRM's API can authenticate with different flows
+// https://docs.civicrm.org/dev/en/latest/framework/authx/#flows
+// CiviProxy supports 'header', 'xheader', 'legacyrest', and 'param'.
+// These flows are supported for API4 but could be extended to API3.
+// $authx_internal_flow controls how CiviProxy sends credentials to CiviCRM, and
+// $authx_external_flow where CiviProxy looks for credentials on incoming requests.
+// The internal setting needs to have a single scalar value, but the
+// external setting can be an array of accepted flows.
+// There is no standard header for site key, so in both header and xheader
+// flows it uses X-Civi-Key
+$authx_internal_flow = 'header';
+$authx_external_flow = ['legacyrest'];
+
 
 /****************************************************************
  **                   File Caching Options                     **

proxy/error.php

@@ -15,7 +15,6 @@ require_once "proxy.php";
  <head>
   <meta charset="UTF-8">
   <title>CiviProxy Error</title>
-  <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
   <style type="text/css">
     body {
       margin: 0;

proxy/index.php

@@ -16,7 +16,6 @@ require_once "proxy.php";
  <head>
   <meta charset="UTF-8">
   <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
-  <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
   <style type="text/css">
     body {
       margin: 0;

proxy/libs/Cache/Lite.php

@@ -564,7 +564,7 @@ class Cache_Lite
     */
     function raiseError($msg, $code)
     {
-        error_log("[code] $msg");
+        return PEAR::raiseError($msg, $code, $this->_pearErrorMode);
     }
 
     /**
@@ -638,7 +638,7 @@ class Cache_Lite
                 return true;
             }
         }
-        if (!($dh = opendir($dir))) {
+        if (!($dh = @opendir($dir))) {
             return $this->raiseError('Cache_Lite : Unable to open cache directory !', -4);
         }
         $result = true;

proxy/mailing/confirm.php

@@ -19,7 +19,7 @@ civiproxy_security_check('mail-confirm');
 // basic restraints
 $valid_parameters = array(    'sid'          => 'int',
                               'cid'          => 'int', 
-                              'h'            => 'hex');
+                              'h'            => 'string');
 $parameters = civiproxy_get_parameters($valid_parameters);
 
 // check if parameters specified
@@ -45,7 +45,6 @@ if (!empty($group_query['is_error'])) {
  <head>
   <meta charset="UTF-8">
   <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
-  <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
   <style type="text/css">
     body {
       margin: 0;

proxy/mailing/mail.php

@@ -17,7 +17,7 @@ if (!$target_mail_view) civiproxy_http_error("Feature disabled", 405);
 civiproxy_security_check('mail-view');
 
 // basic restraints
-$valid_parameters = array(  'id'   => 'int'  );
+$valid_parameters = array(  'id'   => 'int', 'cid' => 'int', 'cs' => 'string'  );
 $parameters = civiproxy_get_parameters($valid_parameters);
 
 // check if id specified

proxy/mailing/resubscribe.php

@@ -19,7 +19,7 @@ civiproxy_security_check('mail-resubscribe');
 // basic restraints
 $valid_parameters = array(    'jid'          => 'int',
                               'qid'          => 'int', 
-                              'h'            => 'hex');
+                              'h'            => 'string');
 $parameters = civiproxy_get_parameters($valid_parameters);
 
 // check if parameters specified
@@ -45,7 +45,6 @@ if (!empty($group_query['is_error'])) {
  <head>
   <meta charset="UTF-8">
   <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
-  <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
   <style type="text/css">
     body {
       margin: 0;

proxy/mailing/subscribe.php

@@ -83,7 +83,6 @@ if (!empty($_REQUEST['email'])) {
  <head>
   <meta charset="UTF-8">
   <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
-  <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
   <style type="text/css">
     body {
       margin: 0;

proxy/mailing/unsubscribe.php

@@ -19,7 +19,7 @@ civiproxy_security_check('mail-unsubscribe');
 // basic restraints
 $valid_parameters = array(    'jid'          => 'int',
                               'qid'          => 'int', 
-                              'h'            => 'hex');
+                              'h'            => 'string');
 $parameters = civiproxy_get_parameters($valid_parameters);
 
 // check if parameters specified
@@ -45,7 +45,6 @@ if (!empty($group_query['is_error'])) {
  <head>
   <meta charset="UTF-8">
   <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
-  <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
   <style type="text/css">
     body {
       margin: 0;

proxy/open.php

@@ -16,8 +16,5 @@ if (!$target_open) civiproxy_http_error("Feature disabled", 405);
 // basic check
 civiproxy_security_check('open');
 
-// basic restraints
-$valid_parameters = array(  'q'   => 'int'  );
-
-$parameters = civiproxy_get_parameters($valid_parameters);
+$parameters = civiproxy_get_parameters($valid_open_parameters);
 civiproxy_redirect($target_open, $parameters);

proxy/proxy.php

@@ -8,7 +8,7 @@
 +---------------------------------------------------------*/
 
 require_once "config.php";
-$civiproxy_version = '0.6-beta3';
+$civiproxy_version = '1.0.0-beta';
 
 /**
  * this will redirect the request to another URL,
@@ -90,6 +90,148 @@ function civiproxy_redirect($url_requested, $parameters) {
   curl_close ($curlSession);
 }
 
+/**
+ * this will redirect the request to an API4 URL,
+ *  i.e. will pass the reply on to this request
+ *
+ * @see losely based on https://code.google.com/p/php-proxy/
+ *
+ * @param $url_requested string the URL to which the request should be sent
+ * @param $parameters array
+ * @param $credentials array
+ */
+function civiproxy_redirect4($url_requested, $parameters, $credentials) {
+  global $target_interface, $authx_internal_flow;
+  $url = $url_requested;
+  $curlSession = curl_init();
+  $credential_params = civiproxy_build_credential_params($credentials, $authx_internal_flow);
+  $credential_headers = civiproxy_build_credential_headers($credentials, $authx_internal_flow);
+
+  if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+    // POST requests should be passed on as POST
+    curl_setopt($curlSession, CURLOPT_POST, 1);
+    $urlparams = 'params=' . urlencode(json_encode($parameters)) . $credential_params;
+    curl_setopt($curlSession, CURLOPT_POSTFIELDS, $urlparams);
+  } else {
+    // GET requests will get the parameters as url params
+    if (!empty($parameters)) {
+      $url .= '?params=' . urlencode(json_encode($parameters)) . $credential_params;
+    }
+  }
+
+  curl_setopt($curlSession, CURLOPT_HTTPHEADER, array_merge([
+    'Content-Type: application/x-www-form-urlencoded'
+  ], $credential_headers));
+  curl_setopt($curlSession, CURLOPT_URL, $url);
+  curl_setopt($curlSession, CURLOPT_HEADER, 1);
+  curl_setopt($curlSession, CURLOPT_RETURNTRANSFER,1);
+  curl_setopt($curlSession, CURLOPT_TIMEOUT, 30);
+  curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 2);
+  if (!empty($target_interface)) {
+    curl_setopt($curlSession, CURLOPT_INTERFACE, $target_interface);
+  }
+  if (file_exists(dirname(__FILE__).'/target.pem')) {
+    curl_setopt($curlSession, CURLOPT_CAINFO, dirname(__FILE__).'/target.pem');
+  }
+
+  //Send the request and store the result in an array
+  $response = curl_exec($curlSession);
+
+  // Check that a connection was made
+  if (curl_error($curlSession)){
+    civiproxy_http_error(curl_error($curlSession), curl_errno($curlSession));
+
+  } else {
+    //clean duplicate header that seems to appear on fastcgi with output buffer on some servers!!
+    $response = str_replace("HTTP/1.1 100 Continue\r\n\r\n","",$response);
+
+    // split header / content
+    $content = explode("\r\n\r\n", $response, 2);
+    $header = $content[0];
+    $body = $content[1];
+
+    // handle headers - simply re-outputing them
+    $header_ar = explode(chr(10), $header);
+    foreach ($header_ar as $header_line){
+      if (!preg_match("/^Transfer-Encoding/", $header_line)){
+        civiproxy_mend_URLs($header_line);
+        header(trim($header_line));
+      }
+    }
+
+    //rewrite all hard coded urls to ensure the links still work!
+    civiproxy_mend_URLs($body);
+
+    print $body;
+  }
+
+  curl_close($curlSession);
+}
+
+/**
+ * Creates a string with the API credentials to be appended to an API4 GET or POST request.
+ * When $api4_internal_auth_flow is 'header' or 'xheader', returns a blank string
+ *
+ * @param array $credentials
+ * @param string $authx_internal_flow
+ * @return string credential string, including leading '&'
+ */
+function civiproxy_build_credential_params(array $credentials, string $authx_internal_flow): string {
+  switch($authx_internal_flow) {
+    case 'legacyrest':
+      $map = ['api_key' => 'api_key', 'key' => 'key'];
+      break;
+    case 'param':
+      $map = ['api_key' => '_authx', 'key' => '_authxSiteKey'];
+      break;
+    default:
+      return '';
+  }
+  $params = [];
+  foreach($map as $credential_key => $param_name) {
+    if (isset($credentials[$credential_key])) {
+      $credential_value = $credentials[$credential_key];
+      if ($param_name === '_authx') {
+        $credential_value = 'Bearer ' . $credential_value;
+      }
+      $params[$param_name] = $credential_value;
+    }
+  }
+
+  $param_string = http_build_query($params);
+  if (!empty($param_string)) {
+    $param_string = '&' . $param_string;
+  }
+  return $param_string;
+}
+
+/**
+ * Builds an array of headers to send on an API4 request. When $api4_internal_auth_flow
+ * is 'param' or 'legacyrest', will always return an empty array.
+ *
+ * @param array $credentials
+ * @param string $authx_internal_flow
+ * @return array
+ */
+function civiproxy_build_credential_headers(array $credentials, string $authx_internal_flow): array {
+  switch($authx_internal_flow) {
+    case 'header':
+      $map = ['api_key' => 'Authorization: Bearer', 'key' => 'X-Civi-Key:'];
+      break;
+    case 'xheader':
+      $map = ['api_key' => 'X-Civi-Auth: Bearer', 'key' => 'X-Civi-Key:'];
+      break;
+    default:
+      return [];
+  }
+  $headers = [];
+  foreach($map as $credential_key => $header_prefix) {
+    if (isset($credentials[$credential_key])) {
+      $headers[] = $header_prefix . ' ' . $credentials[$credential_key];
+    }
+  }
+  return $headers;
+}
 
 /**
  * Will mend all the URLs in the string that point to the target,
@@ -131,11 +273,12 @@ function civiproxy_mend_URLs(&$string) {
  * unauthorized access quantities, etc.
  *
  * @param $target
- * @param $quit    if TRUE, quit immediately if access denied
+ * @param $quit bool if TRUE, quit immediately if access denied
+ * @param $log_headers array add these headers (sanitized) to log data
  *
  * @return TRUE if allowed, FALSE if not (or quits if $quit is set)
  */
-function civiproxy_security_check($target, $quit=TRUE) {
+function civiproxy_security_check($target, $quit=TRUE, $log_headers = []) {
   // verify that we're SSL encrypted
   if ($_SERVER['HTTPS'] != "on") {
     civiproxy_http_error("This CiviProxy installation requires SSL encryption.", 400);
@@ -145,11 +288,16 @@ function civiproxy_security_check($target, $quit=TRUE) {
   if (!empty($debug)) {
     // filter log data
     $log_data = $_REQUEST;
-    if (isset($log_data['api_key'])) {
-      $log_data['api_key'] = substr($log_data['api_key'], 0, 4) . '...';
+    $sanitize_params = ['api_key', 'key', '_authxSiteKey', '_authx'];
+    foreach ($sanitize_params as $param) {
+      if (isset($log_data[$param])) {
+        $log_data[$param] = substr($log_data[$param], 0, 4) . '...';
       }
-    if (isset($log_data['key'])) {
-      $log_data['key'] = substr($log_data['key'], 0, 4) . '...';
+    }
+
+    foreach($log_headers as $header) {
+      if (!empty($_SERVER[$header]))
+      $log_data[$header] = substr($_SERVER[$header], 0, 4) . '...';
     }
 
     // log
@@ -205,7 +353,7 @@ function civiproxy_get_parameters($valid_parameters, $request = NULL) {
   // process wildcard elements
   if ($default_sanitation !== NULL) {
     // i.e. we want the others too
-    $remove_parameters = array('key', 'api_key', 'version', 'entity', 'action');
+    $remove_parameters = array('key', 'api_key', '_authx', '_authxSiteKey', 'version', 'entity', 'action');
     foreach ($request as $name => $value) {
       if (!in_array($name, $remove_parameters) && !isset($valid_parameters[$name])) {
         $result[$name] = civiproxy_sanitise($value, $default_sanitation);
@@ -216,6 +364,26 @@ function civiproxy_get_parameters($valid_parameters, $request = NULL) {
   return $result;
 }
 
+/**
+ * Get the value of a header on the incoming request
+ *
+ * @param string $header name of the header, in all uppercase
+ * @param string $prefix to be stripped off the value of the header
+ * @return string|null value of the header, or null if not found.
+ */
+function civiproxy_get_header($header, $prefix = ''): ?string {
+  if (!empty($_SERVER['HTTP_' . $header])) {
+    $value = $_SERVER['HTTP_' . $header];
+    if ($prefix === '') {
+      return $value;
+    }
+    if (strpos($value, $prefix) === 0) {
+      return trim(substr($value, strlen($prefix)));
+    }
+  }
+  return NULL;
+}
+
 /**
  * sanitise the given value with the given sanitiation type
  */

proxy/rest.php

@@ -9,11 +9,11 @@
 
 require_once "config.php";
 require_once "proxy.php";
+require_once "checks.php";
 
 // see if REST API is enabled
 if (!$target_rest) civiproxy_http_error("Feature disabled", 405);
 
-
 // basic check
 if (!civiproxy_security_check('rest')) {
   civiproxy_rest_error("Access denied.");
@@ -21,25 +21,9 @@ if (!civiproxy_security_check('rest')) {
 
 // check credentials
 $credentials = civiproxy_get_parameters(array('key' => 'string', 'api_key' => 'string'));
-if (empty($credentials['key'])) {
-  civiproxy_rest_error("No site key given");
-} else {
-  if (isset($sys_key_map[$credentials['key']])) {
-    $credentials['key'] = $sys_key_map[$credentials['key']];
-  } else {
-    civiproxy_rest_error("Invalid site key");
-  }
-}
 
-if (empty($credentials['api_key'])) {
-  civiproxy_rest_error("No API key given");
-} else {
-  if (isset($api_key_map[$credentials['api_key']])) {
-    $credentials['api_key'] = $api_key_map[$credentials['api_key']];
-  } else {
-    civiproxy_rest_error("Invalid api key");
-  }
-}
+civiproxy_map_site_key($credentials, $sys_key_map);
+civiproxy_map_api_key($credentials, $api_key_map);
 
 // check if the call itself is allowed
 $action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int'));
@@ -47,22 +31,7 @@ if (!isset($action['version']) || $action['version'] != 3) {
   civiproxy_rest_error("API 'version' information missing.");
 }
 
-// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
-// the previous test is still used when no 'all' key is found in the array
-if (isset($rest_allowed_actions['all'])) {
-	// get valid key for the rest_allowed_actions
-	$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
-  $valid_parameters = civiproxy_retrieve_api_parameters($valid_allowed_key, $action['entity'], $action['action'], $rest_allowed_actions);
-	if (!$valid_parameters) {
-		civiproxy_rest_error("Invalid entity/action.");
-	}
-} else {
-	if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
-		$valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
-	} else {
-		civiproxy_rest_error("Invalid entity/action.");
-	}
-}
+$valid_parameters= civiproxy_get_valid_parameters($action, $rest_allowed_actions);
 
 // extract parameters and add credentials and action data
 $parameters = civiproxy_get_parameters($valid_parameters);
@@ -88,17 +57,3 @@ if ($rest_evaluate_json_parameter) {
 // finally execute query
 civiproxy_log($target_rest);
 civiproxy_redirect($target_rest, $parameters);
-
-
-/**
- * generates a CiviCRM REST API compliant error
- * and ends processing
- */
-function civiproxy_rest_error($message) {
-  $error = array( 'is_error'      => 1,
-                  'error_message' => $message);
-  // TODO: Implement
-  //header();
-  print json_encode($error);
-  exit();
-}

proxy/rest4.php

@@ -0,0 +1,89 @@
+<?php
+/*--------------------------------------------------------+
+| SYSTOPIA CiviProxy                                      |
+|  a simple proxy solution for external access to CiviCRM |
+| Copyright (C) 2015-2021 SYSTOPIA                        |
+| Author: B. Endres (endres -at- systopia.de)             |
+| http://www.systopia.de/                                 |
++---------------------------------------------------------*/
+
+require_once "config.php";
+require_once "proxy.php";
+require_once "checks.php";
+
+// see if REST API is enabled
+if (!$target_rest4) {
+  civiproxy_http_error("Feature disabled");
+}
+$valid_flows = ['header', 'xheader', 'legacyrest', 'param'];
+$headers_by_flow = [
+ 'header' => ['HTTP_AUTHORIZATION', 'HTTP_X_CIVI_KEY'],
+ 'xheader' => ['HTTP_X_CIVI_AUTH', 'HTTP_X_CIVI_KEY'],
+ 'legacyrest' => [],
+ 'param' => [],
+];
+if (!in_array($authx_internal_flow, $valid_flows)) {
+  civiproxy_http_error("Invalid internal auth flow '$authx_internal_flow'", 500);
+}
+$headers_to_log = [];
+foreach ($authx_external_flow as $external_flow) {
+  if (!in_array($external_flow, $valid_flows)) {
+    civiproxy_http_error("Invalid external auth flow '$external_flow'", 500);
+  }
+  $headers_to_log = array_merge($headers_to_log, $headers_by_flow[$external_flow]);
+}
+
+// basic check
+if (!civiproxy_security_check('rest', TRUE, $headers_to_log)) {
+  civiproxy_rest_error("Access denied.");
+}
+
+$credentials = [];
+// Find credentials on the incoming request
+foreach ($authx_external_flow as $external_flow) {
+  switch($external_flow) {
+    case 'header':
+      $credentials['api_key'] = civiproxy_get_header('AUTHORIZATION', 'Bearer ');
+      $credentials['key'] = civiproxy_get_header('HTTP_X_CIVI_KEY');
+      break;
+    case 'xheader':
+      $credentials['api_key'] = civiproxy_get_header('X_CIVI_AUTH', 'Bearer ');
+      $credentials['key'] = civiproxy_get_header('HTTP_X_CIVI_KEY');
+      break;
+    case 'legacyrest':
+      $credentials = civiproxy_get_parameters(array('api_key' => 'string', 'key' => 'string'));
+      break;
+    case 'param':
+      $authx_credentials = civiproxy_get_parameters(array('_authx' => 'string', '_authxSiteKey' => 'string'));
+      if (!empty($authx_credentials['_authx'])) {
+        // Snip off leading 'Bearer ' or 'Bearer+'
+        if (substr($authx_credentials['_authx'], 0, 6) === 'Bearer') {
+          $credentials['api_key'] = substr($authx_credentials['_authx'], 7);
+        }
+      }
+      if (!empty($authx_credentials['_authxSiteKey'])) {
+        $credentials['key'] = $authx_credentials['_authxSiteKey'];
+      }
+      break;
+  }
+  if (!empty($credentials['api_key'])) {
+    break;
+  }
+}
+
+civiproxy_map_api_key($credentials, $api_key_map);
+if (!empty($credentials['key'])) {
+  civiproxy_map_site_key( $credentials, $sys_key_map);
+}
+
+// check if the call itself is allowed
+$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string'));
+
+$valid_parameters = civiproxy_get_valid_parameters($action, $rest_allowed_actions);
+
+// extract parameters and add action data
+$parameters = civiproxy_get_parameters($valid_parameters, json_decode($_REQUEST['params'], true));
+
+// finally execute query
+civiproxy_log($target_rest4);
+civiproxy_redirect4($target_rest4 . $action['entity'] . '/' . $action['action'] , $parameters, $credentials);

proxy/url.php

@@ -16,10 +16,5 @@ if (!$target_url) civiproxy_http_error("Feature disabled", 405);
 // basic check
 civiproxy_security_check('url');
 
-// basic restraints
-$valid_parameters = array(  'u'   => 'int',
-                            'q'   => 'int',
-                            'qid' => 'int');
-
-$parameters = civiproxy_get_parameters($valid_parameters);
+$parameters = civiproxy_get_parameters($valid_url_parameters);
 civiproxy_redirect($target_url, $parameters);

proxy/webhook2api.php

@@ -126,7 +126,7 @@ function webhook2api_processConfiguration($configuration, $post_input) {
     }
     if (!empty($result['values']['http_code'])) {
       $http_code = $result['values']['http_code'];
-    } else {
+    } elseif ($result['is_error'] != 0) {
         $http_code = 403;
     }
   }