tonyair
/
silverstripe-restfulserver
mirror of https://github.com/silverstripe/silverstripe-restfulserver
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

FIX Ensure a Member object is passed to canView etc methods if available

This commit is contained in:
Robbie Averill 2017-11-03 10:20:11 +13:00
parent a12e6d48f5
commit cb92696392
1 changed files with 119 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

228
code/RestfulServer.php
View File

@ -3,26 +3,26 @@
* Generic RESTful server, which handles webservice access to arbitrary DataObjects. * Generic RESTful server, which handles webservice access to arbitrary DataObjects.
* Relies on serialization/deserialization into different formats provided * Relies on serialization/deserialization into different formats provided
* by the DataFormatter APIs in core. * by the DataFormatter APIs in core.
* *
* @todo Finish RestfulServer_Item and RestfulServer_List implementation and re-enable $url_handlers * @todo Finish RestfulServer_Item and RestfulServer_List implementation and re-enable $url_handlers
* @todo Implement PUT/POST/DELETE for relations * @todo Implement PUT/POST/DELETE for relations
* @todo Access-Control for relations (you might be allowed to view Members and Groups, * @todo Access-Control for relations (you might be allowed to view Members and Groups,
* but not their relation with each other) * but not their relation with each other)
* @todo Make SearchContext specification customizeable for each class * @todo Make SearchContext specification customizeable for each class
* @todo Allow for range-searches (e.g. on Created column) * @todo Allow for range-searches (e.g. on Created column)
* @todo Filter relation listings by $api_access and canView() permissions * @todo Filter relation listings by $api_access and canView() permissions
* @todo Exclude relations when "fields" are specified through URL (they should be explicitly * @todo Exclude relations when "fields" are specified through URL (they should be explicitly
* requested in this case) * requested in this case)
* @todo Custom filters per DataObject subclass, e.g. to disallow showing unpublished pages in * @todo Custom filters per DataObject subclass, e.g. to disallow showing unpublished pages in
* SiteTree/Versioned/Hierarchy * SiteTree/Versioned/Hierarchy
* @todo URL parameter namespacing for search-fields, limit, fields, add_fields * @todo URL parameter namespacing for search-fields, limit, fields, add_fields
* (might all be valid dataobject properties) * (might all be valid dataobject properties)
* e.g. you wouldn't be able to search for a "limit" property on your subclass as * e.g. you wouldn't be able to search for a "limit" property on your subclass as
* its overlayed with the search logic * its overlayed with the search logic
* @todo i18n integration (e.g. Page/1.xml?lang=de_DE) * @todo i18n integration (e.g. Page/1.xml?lang=de_DE)
* @todo Access to extendable methods/relations like SiteTree/1/Versions or SiteTree/1/Version/22 * @todo Access to extendable methods/relations like SiteTree/1/Versions or SiteTree/1/Version/22
* @todo Respect $api_access array notation in search contexts * @todo Respect $api_access array notation in search contexts
* *
* @package framework * @package framework
* @subpackage api * @subpackage api
*/ */
@ -45,24 +45,24 @@ class RestfulServer extends Controller
* @var string * @var string
*/ */
public static $default_extension = "xml"; public static $default_extension = "xml";
/** /**
* If no extension is given, resolve the request to this mimetype. * If no extension is given, resolve the request to this mimetype.
* *
* @var string * @var string
*/ */
protected static $default_mimetype = "text/xml"; protected static $default_mimetype = "text/xml";
/** /**
* @uses authenticate() * @uses authenticate()
* @var Member * @var Member
*/ */
protected $member; protected $member;
public static $allowed_actions = array( public static $allowed_actions = array(
'index' 'index'
); );
/* /*
function handleItem($request) { function handleItem($request) {
return new RestfulServer_Item(DataObject::get_by_id($request->param("ClassName"), $request->param("ID"))); return new RestfulServer_Item(DataObject::get_by_id($request->param("ClassName"), $request->param("ID")));
@ -97,7 +97,7 @@ class RestfulServer extends Controller
$className = $this->urlParams['ClassName']; $className = $this->urlParams['ClassName'];
$id = (isset($this->urlParams['ID'])) ? $this->urlParams['ID'] : null; $id = (isset($this->urlParams['ID'])) ? $this->urlParams['ID'] : null;
$relation = (isset($this->urlParams['Relation'])) ? $this->urlParams['Relation'] : null; $relation = (isset($this->urlParams['Relation'])) ? $this->urlParams['Relation'] : null;
// Check input formats // Check input formats
if (!class_exists($className)) { if (!class_exists($className)) {
return $this->notFound(); return $this->notFound();
@ -111,7 +111,7 @@ class RestfulServer extends Controller
) { ) {
return $this->notFound(); return $this->notFound();
} }
// if api access is disabled, don't proceed // if api access is disabled, don't proceed
$apiAccess = singleton($className)->stat('api_access'); $apiAccess = singleton($className)->stat('api_access');
if (!$apiAccess) { if (!$apiAccess) {
@ -125,11 +125,11 @@ class RestfulServer extends Controller
if ($this->request->isGET() || $this->request->isHEAD()) { if ($this->request->isGET() || $this->request->isHEAD()) {
return $this->getHandler($className, $id, $relation); return $this->getHandler($className, $id, $relation);
} }
if ($this->request->isPOST()) { if ($this->request->isPOST()) {
return $this->postHandler($className, $id, $relation); return $this->postHandler($className, $id, $relation);
} }
if ($this->request->isPUT()) { if ($this->request->isPUT()) {
return $this->putHandler($className, $id, $relation); return $this->putHandler($className, $id, $relation);
} }
@ -141,10 +141,10 @@ class RestfulServer extends Controller
// if no HTTP verb matches, return error // if no HTTP verb matches, return error
return $this->methodNotAllowed(); return $this->methodNotAllowed();
} }
/** /**
* Handler for object read. * Handler for object read.
* *
* The data object will be returned in the following format: * The data object will be returned in the following format:
* *
* <ClassName> * <ClassName>
@ -164,12 +164,12 @@ class RestfulServer extends Controller
* </ClassName> * </ClassName>
* *
* Access is controlled by two variables: * Access is controlled by two variables:
* *
* - static $api_access must be set. This enables the API on a class by class basis * - static $api_access must be set. This enables the API on a class by class basis
* - $obj->canView() must return true. This lets you implement record-level security * - $obj->canView() must return true. This lets you implement record-level security
* *
* @todo Access checking * @todo Access checking
* *
* @param String $className * @param String $className
* @param Int $id * @param Int $id
* @param String $relation * @param String $relation
@ -178,24 +178,24 @@ class RestfulServer extends Controller
protected function getHandler($className, $id, $relationName) protected function getHandler($className, $id, $relationName)
{ {
$sort = ''; $sort = '';
if ($this->request->getVar('sort')) { if ($this->request->getVar('sort')) {
$dir = $this->request->getVar('dir'); $dir = $this->request->getVar('dir');
$sort = array($this->request->getVar('sort') => ($dir ? $dir : 'ASC')); $sort = array($this->request->getVar('sort') => ($dir ? $dir : 'ASC'));
} }
$limit = array( $limit = array(
'start' => $this->request->getVar('start'), 'start' => $this->request->getVar('start'),
'limit' => $this->request->getVar('limit') 'limit' => $this->request->getVar('limit')
); );
$params = $this->request->getVars(); $params = $this->request->getVars();
$responseFormatter = $this->getResponseDataFormatter($className); $responseFormatter = $this->getResponseDataFormatter($className);
if (!$responseFormatter) { if (!$responseFormatter) {
return $this->unsupportedMediaType(); return $this->unsupportedMediaType();
} }
// $obj can be either a DataObject or a SS_List, // $obj can be either a DataObject or a SS_List,
// depending on the request // depending on the request
if ($id) { if ($id) {
@ -204,7 +204,7 @@ class RestfulServer extends Controller
if (!$obj) { if (!$obj) {
return $this->notFound(); return $this->notFound();
} }
if (!$obj->canView()) { if (!$obj->canView($this->getMember())) {
return $this->permissionFailure(); return $this->permissionFailure();
} }
@ -214,7 +214,7 @@ class RestfulServer extends Controller
if (!$obj) { if (!$obj) {
return $this->notFound(); return $this->notFound();
} }
// TODO Avoid creating data formatter again for relation class (see above) // TODO Avoid creating data formatter again for relation class (see above)
$responseFormatter = $this->getResponseDataFormatter($obj->dataClass()); $responseFormatter = $this->getResponseDataFormatter($obj->dataClass());
} }
@ -222,9 +222,9 @@ class RestfulServer extends Controller
// Format: /api/v1/<MyClass> // Format: /api/v1/<MyClass>
$obj = $this->getObjectsQuery($className, $params, $sort, $limit); $obj = $this->getObjectsQuery($className, $params, $sort, $limit);
} }
$this->getResponse()->addHeader('Content-Type', $responseFormatter->getOutputContentType()); $this->getResponse()->addHeader('Content-Type', $responseFormatter->getOutputContentType());
$rawFields = $this->request->getVar('fields'); $rawFields = $this->request->getVar('fields');
$fields = $rawFields ? explode(',', $rawFields) : null; $fields = $rawFields ? explode(',', $rawFields) : null;
@ -232,7 +232,7 @@ class RestfulServer extends Controller
$responseFormatter->setTotalSize($obj->dataQuery()->query()->unlimitedRowCount()); $responseFormatter->setTotalSize($obj->dataQuery()->query()->unlimitedRowCount());
$objs = new ArrayList($obj->toArray()); $objs = new ArrayList($obj->toArray());
foreach ($objs as $obj) { foreach ($objs as $obj) {
if (!$obj->canView()) { if (!$obj->canView($this->getMember())) {
$objs->remove($obj); $objs->remove($obj);
} }
} }
@ -244,13 +244,13 @@ class RestfulServer extends Controller
return $responseFormatter->convertDataObject($obj, $fields); return $responseFormatter->convertDataObject($obj, $fields);
} }
} }
/** /**
* Uses the default {@link SearchContext} specified through * Uses the default {@link SearchContext} specified through
* {@link DataObject::getDefaultSearchContext()} to augument * {@link DataObject::getDefaultSearchContext()} to augument
* an existing query object (mostly a component query from {@link DataObject}) * an existing query object (mostly a component query from {@link DataObject})
* with search clauses. * with search clauses.
* *
* @todo Allow specifying of different searchcontext getters on model-by-model basis * @todo Allow specifying of different searchcontext getters on model-by-model basis
* *
* @param string $className * @param string $className
@ -267,12 +267,12 @@ class RestfulServer extends Controller
} }
return $searchContext->getQuery($params, $sort, $limit, $existingQuery); return $searchContext->getQuery($params, $sort, $limit, $existingQuery);
} }
/** /**
* Returns a dataformatter instance based on the request * Returns a dataformatter instance based on the request
* extension or mimetype. Falls back to {@link self::$default_extension}. * extension or mimetype. Falls back to {@link self::$default_extension}.
* *
* @param boolean $includeAcceptHeader Determines wether to inspect and prioritize any HTTP Accept headers * @param boolean $includeAcceptHeader Determines wether to inspect and prioritize any HTTP Accept headers
* @param String Classname of a DataObject * @param String Classname of a DataObject
* @return DataFormatter * @return DataFormatter
*/ */
@ -305,7 +305,7 @@ class RestfulServer extends Controller
if (!$formatter) { if (!$formatter) {
return false; return false;
} }
// set custom fields // set custom fields
if ($customAddFields = $this->request->getVar('add_fields')) { if ($customAddFields = $this->request->getVar('add_fields')) {
$formatter->setCustomAddFields(explode(',', $customAddFields)); $formatter->setCustomAddFields(explode(',', $customAddFields));
@ -314,7 +314,7 @@ class RestfulServer extends Controller
$formatter->setCustomFields(explode(',', $customFields)); $formatter->setCustomFields(explode(',', $customFields));
} }
$formatter->setCustomRelations($this->getAllowedRelations($className)); $formatter->setCustomRelations($this->getAllowedRelations($className));
$apiAccess = singleton($className)->stat('api_access'); $apiAccess = singleton($className)->stat('api_access');
if (is_array($apiAccess)) { if (is_array($apiAccess)) {
$formatter->setCustomAddFields( $formatter->setCustomAddFields(
@ -341,10 +341,10 @@ class RestfulServer extends Controller
if (is_numeric($relationDepth)) { if (is_numeric($relationDepth)) {
$formatter->relationDepth = (int)$relationDepth; $formatter->relationDepth = (int)$relationDepth;
} }
return $formatter; return $formatter;
} }
/** /**
* @param String Classname of a DataObject * @param String Classname of a DataObject
* @return DataFormatter * @return DataFormatter
@ -353,7 +353,7 @@ class RestfulServer extends Controller
{ {
return $this->getDataFormatter(false, $className); return $this->getDataFormatter(false, $className);
} }
/** /**
* @param String Classname of a DataObject * @param String Classname of a DataObject
* @return DataFormatter * @return DataFormatter
@ -362,7 +362,7 @@ class RestfulServer extends Controller
{ {
return $this->getDataFormatter(true, $className); return $this->getDataFormatter(true, $className);
} }
/** /**
* Handler for object delete * Handler for object delete
*/ */
@ -372,12 +372,12 @@ class RestfulServer extends Controller
if (!$obj) { if (!$obj) {
return $this->notFound(); return $this->notFound();
} }
if (!$obj->canDelete()) { if (!$obj->canDelete($this->getMember())) {
return $this->permissionFailure(); return $this->permissionFailure();
} }
$obj->delete(); $obj->delete();
$this->getResponse()->setStatusCode(204); // No Content $this->getResponse()->setStatusCode(204); // No Content
return true; return true;
} }
@ -391,22 +391,22 @@ class RestfulServer extends Controller
if (!$obj) { if (!$obj) {
return $this->notFound(); return $this->notFound();
} }
if (!$obj->canEdit()) { if (!$obj->canEdit($this->getMember())) {
return $this->permissionFailure(); return $this->permissionFailure();
} }
$reqFormatter = $this->getRequestDataFormatter($className); $reqFormatter = $this->getRequestDataFormatter($className);
if (!$reqFormatter) { if (!$reqFormatter) {
return $this->unsupportedMediaType(); return $this->unsupportedMediaType();
} }
$responseFormatter = $this->getResponseDataFormatter($className); $responseFormatter = $this->getResponseDataFormatter($className);
if (!$responseFormatter) { if (!$responseFormatter) {
return $this->unsupportedMediaType(); return $this->unsupportedMediaType();
} }
$obj = $this->updateDataObject($obj, $reqFormatter); $obj = $this->updateDataObject($obj, $reqFormatter);
$this->getResponse()->setStatusCode(200); // Success $this->getResponse()->setStatusCode(200); // Success
$this->getResponse()->addHeader('Content-Type', $responseFormatter->getOutputContentType()); $this->getResponse()->addHeader('Content-Type', $responseFormatter->getOutputContentType());
@ -420,13 +420,13 @@ class RestfulServer extends Controller
$objHref = Director::absoluteURL(self::$api_base . "$obj->class/$obj->ID" . $type); $objHref = Director::absoluteURL(self::$api_base . "$obj->class/$obj->ID" . $type);
$this->getResponse()->addHeader('Location', $objHref); $this->getResponse()->addHeader('Location', $objHref);
return $responseFormatter->convertDataObject($obj); return $responseFormatter->convertDataObject($obj);
} }
/** /**
* Handler for object append / method call. * Handler for object append / method call.
* *
* @todo Posting to an existing URL (without a relation) * @todo Posting to an existing URL (without a relation)
* current resolves in creatig a new element, * current resolves in creatig a new element,
* rather than a "Conflict" message. * rather than a "Conflict" message.
@ -438,57 +438,57 @@ class RestfulServer extends Controller
$this->response->setStatusCode(409); $this->response->setStatusCode(409);
return 'Conflict'; return 'Conflict';
} }
$obj = DataObject::get_by_id($className, $id); $obj = DataObject::get_by_id($className, $id);
if (!$obj) { if (!$obj) {
return $this->notFound(); return $this->notFound();
} }
if (!$obj->hasMethod($relation)) { if (!$obj->hasMethod($relation)) {
return $this->notFound(); return $this->notFound();
} }
if (!$obj->stat('allowed_actions') || !in_array($relation, $obj->stat('allowed_actions'))) { if (!$obj->stat('allowed_actions') || !in_array($relation, $obj->stat('allowed_actions'))) {
return $this->permissionFailure(); return $this->permissionFailure();
} }
$obj->$relation(); $obj->$relation();
$this->getResponse()->setStatusCode(204); // No Content $this->getResponse()->setStatusCode(204); // No Content
return true; return true;
} else {
if (!singleton($className)->canCreate()) {
return $this->permissionFailure();
}
$obj = new $className();
$reqFormatter = $this->getRequestDataFormatter($className);
if (!$reqFormatter) {
return $this->unsupportedMediaType();
}
$responseFormatter = $this->getResponseDataFormatter($className);
$obj = $this->updateDataObject($obj, $reqFormatter);
$this->getResponse()->setStatusCode(201); // Created
$this->getResponse()->addHeader('Content-Type', $responseFormatter->getOutputContentType());
// Append the default extension for the output format to the Location header
// or else we'll use the default (XML)
$types = $responseFormatter->supportedExtensions();
$type = '';
if (count($types)) {
$type = ".{$types[0]}";
}
$objHref = Director::absoluteURL(self::$api_base . "$obj->class/$obj->ID" . $type);
$this->getResponse()->addHeader('Location', $objHref);
return $responseFormatter->convertDataObject($obj);
} }
if (!singleton($className)->canCreate($this->getMember())) {
return $this->permissionFailure();
}
$obj = new $className();
$reqFormatter = $this->getRequestDataFormatter($className);
if (!$reqFormatter) {
return $this->unsupportedMediaType();
}
$responseFormatter = $this->getResponseDataFormatter($className);
$obj = $this->updateDataObject($obj, $reqFormatter);
$this->getResponse()->setStatusCode(201); // Created
$this->getResponse()->addHeader('Content-Type', $responseFormatter->getOutputContentType());
// Append the default extension for the output format to the Location header
// or else we'll use the default (XML)
$types = $responseFormatter->supportedExtensions();
$type = '';
if (count($types)) {
$type = ".{$types[0]}";
}
$objHref = Director::absoluteURL(self::$api_base . "$obj->class/$obj->ID" . $type);
$this->getResponse()->addHeader('Location', $objHref);
return $responseFormatter->convertDataObject($obj);
} }
/** /**
* Converts either the given HTTP Body into an array * Converts either the given HTTP Body into an array
* (based on the DataFormatter instance), or returns * (based on the DataFormatter instance), or returns
@ -508,17 +508,17 @@ class RestfulServer extends Controller
$this->getResponse()->setStatusCode(204); // No Content $this->getResponse()->setStatusCode(204); // No Content
return 'No Content'; return 'No Content';
} }
if (!empty($body)) { if (!empty($body)) {
$data = $formatter->convertStringToArray($body); $data = $formatter->convertStringToArray($body);
} else { } else {
// assume application/x-www-form-urlencoded which is automatically parsed by PHP // assume application/x-www-form-urlencoded which is automatically parsed by PHP
$data = $this->request->postVars(); $data = $this->request->postVars();
} }
// @todo Disallow editing of certain keys in database // @todo Disallow editing of certain keys in database
$data = array_diff_key($data, array('ID', 'Created')); $data = array_diff_key($data, array('ID', 'Created'));
$apiAccess = singleton($this->urlParams['ClassName'])->stat('api_access'); $apiAccess = singleton($this->urlParams['ClassName'])->stat('api_access');
if (is_array($apiAccess) && isset($apiAccess['edit'])) { if (is_array($apiAccess) && isset($apiAccess['edit'])) {
$data = array_intersect_key($data, array_combine($apiAccess['edit'], $apiAccess['edit'])); $data = array_intersect_key($data, array_combine($apiAccess['edit'], $apiAccess['edit']));
@ -526,14 +526,14 @@ class RestfulServer extends Controller
$obj->update($data); $obj->update($data);
$obj->write(); $obj->write();
return $obj; return $obj;
} }
/** /**
* Gets a single DataObject by ID, * Gets a single DataObject by ID,
* through a request like /api/v1/<MyClass>/<MyID> * through a request like /api/v1/<MyClass>/<MyID>
* *
* @param string $className * @param string $className
* @param int $id * @param int $id
* @param array $params * @param array $params
@ -543,7 +543,7 @@ class RestfulServer extends Controller
{ {
return DataList::create($className)->byIDs(array($id)); return DataList::create($className)->byIDs(array($id));
} }
/** /**
* @param DataObject $obj * @param DataObject $obj
* @param array $params * @param array $params
@ -555,8 +555,8 @@ class RestfulServer extends Controller
{ {
return $this->getSearchQuery($className, $params, $sort, $limit); return $this->getSearchQuery($className, $params, $sort, $limit);
} }
/** /**
* @param DataObject $obj * @param DataObject $obj
* @param array $params * @param array $params
@ -575,16 +575,16 @@ class RestfulServer extends Controller
} else { } else {
$list = $obj->$relationName(); $list = $obj->$relationName();
} }
$apiAccess = singleton($list->dataClass())->stat('api_access'); $apiAccess = singleton($list->dataClass())->stat('api_access');
if (!$apiAccess) { if (!$apiAccess) {
return false; return false;
} }
return $this->getSearchQuery($list->dataClass(), $params, $sort, $limit, $list); return $this->getSearchQuery($list->dataClass(), $params, $sort, $limit, $list);
} }
} }
protected function permissionFailure() protected function permissionFailure()
{ {
// return a 401 // return a 401
@ -601,21 +601,21 @@ class RestfulServer extends Controller
$this->getResponse()->addHeader('Content-Type', 'text/plain'); $this->getResponse()->addHeader('Content-Type', 'text/plain');
return "That object wasn't found"; return "That object wasn't found";
} }
protected function methodNotAllowed() protected function methodNotAllowed()
{ {
$this->getResponse()->setStatusCode(405); $this->getResponse()->setStatusCode(405);
$this->getResponse()->addHeader('Content-Type', 'text/plain'); $this->getResponse()->addHeader('Content-Type', 'text/plain');
return "Method Not Allowed"; return "Method Not Allowed";
} }
protected function unsupportedMediaType() protected function unsupportedMediaType()
{ {
$this->response->setStatusCode(415); // Unsupported Media Type $this->response->setStatusCode(415); // Unsupported Media Type
$this->getResponse()->addHeader('Content-Type', 'text/plain'); $this->getResponse()->addHeader('Content-Type', 'text/plain');
return "Unsupported Media Type"; return "Unsupported Media Type";
} }
/** /**
* A function to authenticate a user * A function to authenticate a user
* *
@ -626,11 +626,11 @@ class RestfulServer extends Controller
$authClass = self::config()->authenticator; $authClass = self::config()->authenticator;
return $authClass::authenticate(); return $authClass::authenticate();
} }
/** /**
* Return only relations which have $api_access enabled. * Return only relations which have $api_access enabled.
* @todo Respect field level permissions once they are available in core * @todo Respect field level permissions once they are available in core
* *
* @param string $class * @param string $class
* @param Member $member * @param Member $member
* @return array * @return array
@ -649,11 +649,21 @@ class RestfulServer extends Controller
} }
return $allowedRelations; return $allowedRelations;
} }
/**
* Get the current Member, if available
*
* @return Member|null
*/
protected function getMember()
{
return Member::currentUser();
}
} }
/** /**
* Restful server handler for a SS_List * Restful server handler for a SS_List
* *
* @package framework * @package framework
* @subpackage api * @subpackage api
*/ */
@ -667,7 +677,7 @@ class RestfulServer_List
{ {
$this->list = $list; $this->list = $list;
} }
public function handleItem($request) public function handleItem($request)
{ {
return new RestulServer_Item($this->list->getById($request->param('ID'))); return new RestulServer_Item($this->list->getById($request->param('ID')));
@ -676,7 +686,7 @@ class RestfulServer_List
/** /**
* Restful server handler for a single DataObject * Restful server handler for a single DataObject
* *
* @package framework * @package framework
* @subpackage api * @subpackage api
*/ */
@ -690,7 +700,7 @@ class RestfulServer_Item
{ {
$this->item = $item; $this->item = $item;
} }
public function handleRelation($request) public function handleRelation($request)
{ {
$funcName = $request('Relation'); $funcName = $request('Relation');