Introduce GET only API endpoints

[MAILPOET-2378]

lib/API/JSON/API.php

@@ -1,6 +1,7 @@
 <?php
 namespace MailPoet\API\JSON;
 
+use MailPoet\API\JSON\Endpoint;
 use MailPoet\Config\AccessControl;
 use MailPoet\Settings\SettingsController;
 use MailPoet\Subscription\Captcha;
@@ -18,6 +19,7 @@ class API {
   private $_request_endpoint;
   private $_request_method;
   private $_request_token;
+  private $_request_type;
   private $_request_endpoint_class;
   private $_request_data = [];
   private $_endpoint_namespaces = [];
@@ -79,10 +81,11 @@ class API {
 
   function setupAjax() {
     $this->wp->doAction('mailpoet_api_setup', [$this]);
+
     if (isset($_POST['api_version'])) {
-      $this->setRequestData($_POST);
+      $this->setRequestData($_POST, Endpoint::TYPE_POST);
     } else {
-      $this->setRequestData($_GET);
+      $this->setRequestData($_GET, Endpoint::TYPE_GET);
     }
 
     $ignoreToken = (
@@ -101,7 +104,7 @@ class API {
     $response->send();
   }
 
-  function setRequestData($data) {
+  function setRequestData($data, $request_type) {
     $this->_request_api_version = !empty($data['api_version']) ? $data['api_version'] : false;
 
     $this->_request_endpoint = isset($data['endpoint'])
@@ -113,6 +116,7 @@ class API {
     $this->_request_method = isset($data[$method_param_name])
       ? Helpers::underscoreToCamelCase(trim($data[$method_param_name]))
       : null;
+    $this->_request_type = $request_type;
 
     $this->_request_token = isset($data['token'])
       ? trim($data['token'])
@@ -170,6 +174,10 @@ class API {
         throw new \Exception(__('Invalid API endpoint method.', 'mailpoet'));
       }
 
+      if (!$endpoint->isMethodAllowed($this->_request_method, $this->_request_type)) {
+        throw new \Exception(__('HTTP request method not allowed.', 'mailpoet'));
+      }
+
       if (class_exists(Debugger::class)) {
         ApiPanel::init($endpoint, $this->_request_method, $this->_request_data);
         DIPanel::init();

lib/API/JSON/Endpoint.php

@@ -6,11 +6,16 @@ use MailPoet\Config\AccessControl;
 use MailPoet\WP\Functions as WPFunctions;
 
 abstract class Endpoint {
+  const TYPE_POST = 'POST';
+  const TYPE_GET = 'GET';
+
   public $permissions = [
     'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,
     'methods' => [],
   ];
 
+  protected static $get_methods = [];
+
   function successResponse(
     $data = [], $meta = [], $status = Response::STATUS_OK
   ) {
@@ -36,4 +41,14 @@ abstract class Endpoint {
     }
     return new ErrorResponse($errors, $meta, Response::STATUS_BAD_REQUEST);
   }
+
+  public function isMethodAllowed($name, $type) {
+    if ($type === self::TYPE_GET && !in_array($name, static::$get_methods)) {
+      return false;
+    }
+    if ($type === self::TYPE_POST && in_array($name, static::$get_methods)) {
+      return false;
+    }
+    return true;
+  }
 }

lib/API/JSON/v1/NewsletterTemplates.php

@@ -13,6 +13,10 @@ class NewsletterTemplates extends APIEndpoint {
     'global' => AccessControl::PERMISSION_MANAGE_EMAILS,
   ];
 
+  protected static $get_methods = [
+    'getAll',
+  ];
+
   function get($data = []) {
     $id = (isset($data['id']) ? (int)$data['id'] : false);
     $template = NewsletterTemplate::findOne($id);