"ModelAdmin" (defined in mysite/_config.php) * - ModelAdmin will determine that SearchForm is controlled by a Form object returned by $this->SearchForm(), and pass control to that. * Matching $url_handlers: "$Action" => "$Action" (defined in RequestHandler class) * - Form will determine that field/Groups is controlled by the Groups field, a TreeMultiselectField, and pass control to that. * Matching $url_handlers: 'field/$FieldName!' => 'handleField' (defined in Form class) * - TreeMultiselectField will determine that treesegment/36 is handled by its treesegment() method. This method will return an HTML fragment that is output to the screen. * Matching $url_handlers: "$Action/$ID" => "handleItem" (defined in TreeMultiSelectField class) * * {@link RequestHandler::handleRequest()} is where this behaviour is implemented. * * @package sapphire * @subpackage control */ class RequestHandler extends ViewableData { protected $request = null; /** * This variable records whether RequestHandler::__construct() * was called or not. Useful for checking if subclasses have * called parent::__construct() * * @var boolean */ protected $brokenOnConstruct = true; /** * The default URL handling rules. This specifies that the next component of the URL corresponds to a method to * be called on this RequestHandlingData object. * * The keys of this array are parse rules. See {@link SS_HTTPRequest::match()} for a description of the rules available. * * The values of the array are the method to be called if the rule matches. If this value starts with a '$', then the * named parameter of the parsed URL wil be used to determine the method name. */ static $url_handlers = array( '$Action' => '$Action', ); /** * Define a list of action handling methods that are allowed to be called directly by URLs. * The variable should be an array of action names. This sample shows the different values that it can contain: * * * array( * 'someaction', // someaction can be accessed by anyone, any time * 'otheraction' => true, // So can otheraction * 'restrictedaction' => 'ADMIN', // restrictedaction can only be people with ADMIN privilege * 'complexaction' '->canComplexAction' // complexaction can only be accessed if $this->canComplexAction() returns true * ); * * * Form getters count as URL actions as well, and should be included in allowed_actions. * Form actions on the other handed (first argument to {@link FormAction()} should NOT be included, * these are handled separately through {@link Form->httpSubmission}. You can control access on form actions * either by conditionally removing {@link FormAction} in the form construction, * or by defining $allowed_actions in your {@link Form} class. */ static $allowed_actions = null; public function __construct() { $this->brokenOnConstruct = false; parent::__construct(); } /** * Handles URL requests. * * - ViewableData::handleRequest() iterates through each rule in {@link self::$url_handlers}. * - If the rule matches, the named method will be called. * - If there is still more URL to be processed, then handleRequest() * is called on the object that that method returns. * * Once all of the URL has been processed, the final result is returned. * However, if the final result is an array, this * array is interpreted as being additional template data to customise the * 2nd to last result with, rather than an object * in its own right. This is most frequently used when a Controller's * action will return an array of data with which to * customise the controller. * * @param $request The {@link SS_HTTPRequest} object that is reponsible for distributing URL parsing * @uses SS_HTTPRequest * @uses SS_HTTPRequest->match() * @return SS_HTTPResponse|RequestHandler|string|array */ function handleRequest(SS_HTTPRequest $request) { // $handlerClass is used to step up the class hierarchy to implement url_handlers inheritance $handlerClass = ($this->class) ? $this->class : get_class($this); if($this->brokenOnConstruct) { user_error("parent::__construct() needs to be called on {$handlerClass}::__construct()", E_USER_WARNING); } $this->request = $request; // We stop after RequestHandler; in other words, at ViewableData while($handlerClass && $handlerClass != 'ViewableData') { $urlHandlers = Object::get_static($handlerClass, 'url_handlers'); if($urlHandlers) foreach($urlHandlers as $rule => $action) { if(isset($_REQUEST['debug_request'])) Debug::message("Testing '$rule' with '" . $request->remaining() . "' on $this->class"); if($params = $request->match($rule, true)) { // FIXME: This unnecessary coupling was added to fix a bug in Image_Uploader. if($this instanceof Controller) $this->urlParams = $request->allParams(); // Backwards compatible setting of url parameters, please use SS_HTTPRequest->latestParam() instead //Director::setUrlParams($request->latestParams()); if(isset($_REQUEST['debug_request'])) { Debug::message("Rule '$rule' matched to action '$action' on $this->class. Latest request params: " . var_export($request->latestParams(), true)); } // Actions can reference URL parameters, eg, '$Action/$ID/$OtherID' => '$Action', if($action[0] == '$') $action = $params[substr($action,1)]; if($this->checkAccessAction($action)) { if(!$action) { if(isset($_REQUEST['debug_request'])) Debug::message("Action not set; using default action method name 'index'"); $action = "index"; } else if(!is_string($action)) { user_error("Non-string method name: " . var_export($action, true), E_USER_ERROR); } try { $result = $this->$action($request); } catch(SS_HTTPResponse_Exception $responseException) { $result = $responseException->getResponse(); } } else { return $this->httpError(403, "Action '$action' isn't allowed on class $this->class"); } if($result instanceof SS_HTTPResponse && $result->isError()) { if(isset($_REQUEST['debug_request'])) Debug::message("Rule resulted in HTTP error; breaking"); return $result; } // If we return a RequestHandler, call handleRequest() on that, even if there is no more URL to parse. // It might have its own handler. However, we only do this if we haven't just parsed an empty rule ourselves, // to prevent infinite loops. Also prevent further handling of controller actions which return themselves // to avoid infinite loops. if($this !== $result && !$request->isEmptyPattern($rule) && is_object($result) && $result instanceof RequestHandler) { $returnValue = $result->handleRequest($request); // Array results can be used to handle if(is_array($returnValue)) $returnValue = $this->customise($returnValue); return $returnValue; // If we return some other data, and all the URL is parsed, then return that } else if($request->allParsed()) { return $result; // But if we have more content on the URL and we don't know what to do with it, return an error. } else { return $this->httpError(404, "I can't handle sub-URLs of a $this->class object."); } return $this; } } $handlerClass = get_parent_class($handlerClass); } // If nothing matches, return this object return $this; } /** * Get a unified array of allowed actions on this controller (if such data is available) from both the controller * ancestry and any extensions. * * @return array|null */ public function allowedActions() { $actions = Object::combined_static(get_class($this), 'allowed_actions', 'RequestHandler'); foreach($this->extension_instances as $extension) { if($extensionActions = Object::get_static(get_class($extension), 'allowed_actions')) { $actions = array_merge($actions, $extensionActions); } } if($actions) { // convert all keys and values to lowercase to // allow for easier comparison, unless it is a permission code $actions = array_change_key_case($actions, CASE_LOWER); foreach($actions as $key => $value) { if(is_numeric($key)) $actions[$key] = strtolower($value); } return $actions; } } /** * Checks if this request handler has a specific action (even if the current user cannot access it). * * @param string $action * @return bool */ public function hasAction($action) { if($action == 'index') return true; $action = strtolower($action); $actions = $this->allowedActions(); // Check if the action is defined in the allowed actions as either a // key or value. Note that if the action is numeric, then keys are not // searched for actions to prevent actual array keys being recognised // as actions. if(is_array($actions)) { $isKey = !is_numeric($action) && array_key_exists($action, $actions); $isValue = in_array($action, $actions, true); $isWildcard = (in_array('*', $actions) && $this->checkAccessAction($action)); if($isKey || $isValue || $isWildcard) return true; } if(!is_array($actions) || !$this->uninherited('allowed_actions')) { if($action != 'init' && $action != 'run' && method_exists($this, $action)) return true; } return false; } /** * Check that the given action is allowed to be called from a URL. * It will interrogate {@link self::$allowed_actions} to determine this. */ function checkAccessAction($action) { $actionOrigCasing = $action; $action = strtolower($action); $allowedActions = $this->allowedActions(); if($allowedActions) { // check for specific action rules first, and fall back to global rules defined by asterisk foreach(array($action,'*') as $actionOrAll) { // check if specific action is set if(isset($allowedActions[$actionOrAll])) { $test = $allowedActions[$actionOrAll]; if($test === true || $test === 1 || $test === '1') { // Case 1: TRUE should always allow access return true; } elseif(substr($test, 0, 2) == '->') { // Case 2: Determined by custom method with "->" prefix return $this->{substr($test, 2)}(); } else { // Case 3: Value is a permission code to check the current member against return Permission::check($test); } } elseif((($key = array_search($actionOrAll, $allowedActions)) !== false) && is_numeric($key)) { // Case 4: Allow numeric array notation (search for array value as action instead of key) return true; } } } // If we get here an the action is 'index', then it hasn't been specified, which means that // it should be allowed. if($action == 'index' || empty($action)) return true; // Get actions defined for this specific class $relevantActions = null; if($allowedActions !== null && method_exists($this, $action)) { $r = new ReflectionClass(get_class($this)); $m = $r->getMethod($actionOrigCasing); $relevantActions = Object::uninherited_static( $m->getDeclaringClass()->getName(), 'allowed_actions' ); } // If no allowed_actions are provided on in the whole inheritance chain, // or they aren't provided on the specific class... if($allowedActions === null || $relevantActions === null) { // ... only let through actions that aren't handled by // magic methods we test this by calling the unmagic method_exists. if(method_exists($this, $action)) { $r = new ReflectionClass(get_class($this)); if($r->hasMethod($actionOrigCasing)) { $m = $r->getMethod($actionOrigCasing); return ($m && is_subclass_of($m->getDeclaringClass()->getName(), 'RequestHandler')); } else { throw new Exception("method_exists() true but ReflectionClass can't find method"); } } else if(!$this->hasMethod($action)){ // Return true so that a template can handle this action return true; } } return false; } /** * Throws a HTTP error response encased in a {@link SS_HTTPResponse_Exception}, which is later caught in * {@link RequestHandler::handleAction()} and returned to the user. * * @param int $errorCode * @param string $errorMessage Plaintext error message * @uses SS_HTTPResponse_Exception */ public function httpError($errorCode, $errorMessage = null) { $e = new SS_HTTPResponse_Exception($errorMessage, $errorCode); // Error responses should always be considered plaintext, for security reasons $e->getResponse()->addHeader('Content-Type', 'text/plain'); throw $e; } /** * Returns the SS_HTTPRequest object that this controller is using. * * @return SS_HTTPRequest */ function getRequest() { return $this->request; } }