Adds access management to router and updates endpoints accordingly

This commit is contained in:
Vlad
2017-08-17 18:25:26 -04:00
parent 5553817f9a
commit 1b756ef0b2
5 changed files with 46 additions and 9 deletions

View File

@@ -1,6 +1,8 @@
<?php
namespace MailPoet\Router;
use MailPoet\Config\AccessControl;
use MailPoet\Util\Helpers;
if(!defined('ABSPATH')) exit;
@@ -19,12 +21,13 @@ class Router {
$this->endpoint = isset($api_data['endpoint']) ?
Helpers::underscoreToCamelCase($api_data['endpoint']) :
false;
$this->action = isset($api_data['action']) ?
$this->endpoint_action = isset($api_data['action']) ?
Helpers::underscoreToCamelCase($api_data['action']) :
false;
$this->data = isset($api_data['data']) ?
self::decodeRequestData($api_data['data']) :
false;
$this->access_control = new AccessControl();
}
function init() {
@@ -33,15 +36,18 @@ class Router {
if(!$this->endpoint || !class_exists($endpoint_class)) {
return $this->terminateRequest(self::RESPONSE_ERROR, __('Invalid router endpoint', 'mailpoet'));
}
$endpoint = new $endpoint_class($this->data);
if(!method_exists($endpoint, $this->action) || !in_array($this->action, $endpoint->allowed_actions)) {
$endpoint = new $endpoint_class($this->data, $this->access_control);
if(!method_exists($endpoint, $this->endpoint_action) || !in_array($this->endpoint_action, $endpoint->allowed_actions)) {
return $this->terminateRequest(self::RESPONSE_ERROR, __('Invalid router endpoint action', 'mailpoet'));
}
if(!$this->validatePermissions($this->endpoint_action, $endpoint->permissions)) {
return $this->terminateRequest(self::RESPONSE_ERROR, __('You do not have the required permissions.', 'mailpoet'));
}
do_action('mailpoet_conflict_resolver_router_url_query_parameters');
return call_user_func(
array(
$endpoint,
$this->action
$this->endpoint_action
)
);
}
@@ -74,4 +80,17 @@ class Router {
status_header($code, $message);
exit;
}
function validatePermissions($endpoint_action, $permissions) {
// if method permission is defined, validate it
if(!empty($permissions['methods'][$endpoint_action])) {
return ($permissions['methods'][$endpoint_action] === AccessControl::NO_ACCESS_RESTRICTION) ?
true :
$this->access_control->validatePermission($permissions['methods'][$endpoint_action]);
}
// use global permission
return ($permissions['global'] === AccessControl::NO_ACCESS_RESTRICTION) ?
true :
$this->access_control->validatePermission($permissions['global']);
}
}