Modifies JSON API to use AccessControl

This commit is contained in:
Vlad
2017-08-13 21:56:57 -04:00
parent 632bce7894
commit a241d0c7bc
16 changed files with 139 additions and 51 deletions


@ -1,6 +1,7 @@
<?php <?php
namespace MailPoet\API\JSON; namespace MailPoet\API\JSON;
use MailPoet\Config\AccessControl;
use MailPoet\Config\Env; use MailPoet\Config\Env;
use MailPoet\Util\Helpers; use MailPoet\Util\Helpers;
use MailPoet\Util\Security; use MailPoet\Util\Security;
@ -130,17 +131,11 @@ class API {
// check the accessibility of the requested endpoint's action // check the accessibility of the requested endpoint's action
// by default, an endpoint's action is considered "private" // by default, an endpoint's action is considered "private"
$permissions = $endpoint->permissions; if(!$this->validatePermissions($this->_request_method, $endpoint->permissions)) {
if(array_key_exists($this->_request_method, $permissions) === false || $error_message = __('You do not have the required permissions.', 'mailpoet');
$permissions[$this->_request_method] !== Access::ALL $error_response = $this->createErrorResponse(Error::FORBIDDEN, $error_message, Response::STATUS_FORBIDDEN);
) { return $error_response;
if($this->checkPermissions() === false) {
$error_message = __('You do not have the required permissions.', 'mailpoet');
$error_response = $this->createErrorResponse(Error::FORBIDDEN, $error_message, Response::STATUS_FORBIDDEN);
return $error_response;
}
} }
$response = $endpoint->{$this->_request_method}($this->_request_data); $response = $endpoint->{$this->_request_method}($this->_request_data);
return $response; return $response;
} catch(\Exception $e) { } catch(\Exception $e) {
@ -150,8 +145,15 @@ class API {
} }
} }
function checkPermissions() { function validatePermissions($request_method, $permissions) {
return current_user_can(Env::$required_permission); // if method permission is defined, validate it
if (!empty($permissions['methods'][$request_method])) {
return ($permissions['methods'][$request_method] === Access::ALL) ?
true :
AccessControl::validatePermission($permissions['methods'][$request_method]);
}
// use global permission
return AccessControl::validatePermission($permissions['global']);
} }
function checkToken() { function checkToken() {
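Review bot: validatePermissions falls through to `AccessControl::validatePermission($permissions['global'])` without checking that the key exists, so an endpoint whose `$permissions` override omits `'global'` (a PHP property override replaces the parent array, it does not merge with the Endpoint default) hands `null` to the permission check; unless validatePermission is known to reject null, that is a fail-open path for a default-private API. I would put a fail-closed guard before the fallback: `if (empty($permissions['global'])) { return false; }`. The method-level branch keys on `!empty($permissions['methods'][$request_method])`, which only honours `Access::ALL` while that constant is truthy; `isset()` states the intent more precisely and does not depend on the constant's value. The dispatch method this hunk sits in starts outside the hunk, and checkToken at the end continues past it.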


@ -1,11 +1,16 @@
<?php <?php
namespace MailPoet\API\JSON; namespace MailPoet\API\JSON;
use MailPoet\Config\AccessControl;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
abstract class Endpoint { abstract class Endpoint {
public $permissions = array(
public $permissions = array(); 'global' => array(AccessControl::PERMISSION_MANAGE_SETTINGS),
'methods' => array()
);
function successResponse( function successResponse(
$data = array(), $meta = array(), $status = Response::STATUS_OK $data = array(), $meta = array(), $status = Response::STATUS_OK
@ -18,7 +23,7 @@ abstract class Endpoint {
) { ) {
if(empty($errors)) { if(empty($errors)) {
$errors = array( $errors = array(
Error::UNKNOWN => __('An unknown error occurred.', 'mailpoet') Error::UNKNOWN => __('An unknown error occurred.', 'mailpoet')
); );
} }
return new ErrorResponse($errors, $meta, $status); return new ErrorResponse($errors, $meta, $status);
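Review bot: The Endpoint default wraps the permission in an array (`'global' => array(AccessControl::PERMISSION_MANAGE_SETTINGS)`) while every v1 endpoint touched by this commit assigns `'global'` a bare constant, so `AccessControl::validatePermission()` receives an array for endpoints that keep the default and a string for the rest. Unless validatePermission is written to accept both shapes, one of the two is checked incorrectly, and the default-protected case is the one nobody tests by hand. I would make the default a bare constant to match the subclasses, `'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,`, and add a comment above the property stating the expected shape, e.g. `// 'global' is the capability required for every method; 'methods' maps a method name to Access::ALL or a capability override.`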


@ -1,12 +1,18 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\Config\AccessControl;
use MailPoet\WP\Posts as WPPosts; use MailPoet\WP\Posts as WPPosts;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class AutomatedLatestContent extends APIEndpoint { class AutomatedLatestContent extends APIEndpoint {
public $ALC; public $ALC;
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
);
function __construct() { function __construct() {
$this->ALC = new \MailPoet\Newsletter\AutomatedLatestContent(); $this->ALC = new \MailPoet\Newsletter\AutomatedLatestContent();


@ -1,12 +1,19 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Models\CustomField; use MailPoet\Models\CustomField;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class CustomFields extends APIEndpoint { class CustomFields extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_FORMS
);
function getAll() { function getAll() {
$collection = CustomField::orderByAsc('created_at')->findMany(); $collection = CustomField::orderByAsc('created_at')->findMany();
$custom_fields = array_map(function($custom_field) { $custom_fields = array_map(function($custom_field) {


@ -1,17 +1,23 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Form\Renderer as FormRenderer;
use MailPoet\Form\Util;
use MailPoet\Listing;
use MailPoet\Models\Form; use MailPoet\Models\Form;
use MailPoet\Models\StatisticsForms; use MailPoet\Models\StatisticsForms;
use MailPoet\Form\Renderer as FormRenderer;
use MailPoet\Listing;
use MailPoet\Form\Util;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class Forms extends APIEndpoint { class Forms extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_FORMS
);
function get($data = array()) { function get($data = array()) {
$id = (isset($data['id']) ? (int)$data['id'] : false); $id = (isset($data['id']) ? (int)$data['id'] : false);
$form = Form::findOne($id); $form = Form::findOne($id);


@ -1,13 +1,19 @@
<?php <?php
namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\Subscribers\ImportExport\Import\MailChimp; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\Config\AccessControl;
use MailPoet\Models\Segment; use MailPoet\Models\Segment;
use MailPoet\Subscribers\ImportExport\Import\MailChimp;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class ImportExport extends APIEndpoint { class ImportExport extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_SUBSCRIBERS
);
function getMailChimpLists($data) { function getMailChimpLists($data) {
try { try {
$mailChimp = new MailChimp($data['api_key']); $mailChimp = new MailChimp($data['api_key']);


@ -1,18 +1,24 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\Config\AccessControl;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class MP2Migrator extends APIEndpoint { class MP2Migrator extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
);
public function __construct() { public function __construct() {
$this->MP2Migrator = new \MailPoet\Config\MP2Migrator(); $this->MP2Migrator = new \MailPoet\Config\MP2Migrator();
} }
/** /**
* Import end point * Import end point
* *
* @param object $data * @param object $data
* @return object * @return object
*/ */
@ -26,10 +32,10 @@ class MP2Migrator extends APIEndpoint {
)); ));
} }
} }
/** /**
* Stop import end point * Stop import end point
* *
* @param object $data * @param object $data
* @return object * @return object
*/ */
@ -43,10 +49,10 @@ class MP2Migrator extends APIEndpoint {
)); ));
} }
} }
/** /**
* Skip import end point * Skip import end point
* *
* @param object $data * @param object $data
* @return object * @return object
*/ */
@ -60,5 +66,5 @@ class MP2Migrator extends APIEndpoint {
)); ));
} }
} }
} }


@ -1,12 +1,19 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Mailer\MailerLog; use MailPoet\Mailer\MailerLog;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class Mailer extends APIEndpoint { class Mailer extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
);
function send($data = array()) { function send($data = array()) {
try { try {
$mailer = new \MailPoet\Mailer\Mailer( $mailer = new \MailPoet\Mailer\Mailer(


@ -1,13 +1,19 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Models\NewsletterTemplate; use MailPoet\Models\NewsletterTemplate;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class NewsletterTemplates extends APIEndpoint { class NewsletterTemplates extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
);
function get($data = array()) { function get($data = array()) {
$id = (isset($data['id']) ? (int)$data['id'] : false); $id = (isset($data['id']) ? (int)$data['id'] : false);
$template = NewsletterTemplate::findOne($id); $template = NewsletterTemplate::findOne($id);


@ -1,16 +1,18 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Listing; use MailPoet\Listing;
use MailPoet\Models\Newsletter;
use MailPoet\Models\NewsletterOption;
use MailPoet\Models\NewsletterOptionField;
use MailPoet\Models\NewsletterSegment;
use MailPoet\Models\NewsletterTemplate;
use MailPoet\Models\SendingQueue; use MailPoet\Models\SendingQueue;
use MailPoet\Models\Setting; use MailPoet\Models\Setting;
use MailPoet\Models\Newsletter;
use MailPoet\Models\NewsletterTemplate;
use MailPoet\Models\NewsletterSegment;
use MailPoet\Models\NewsletterOptionField;
use MailPoet\Models\NewsletterOption;
use MailPoet\Models\Subscriber; use MailPoet\Models\Subscriber;
use MailPoet\Newsletter\Renderer\Renderer; use MailPoet\Newsletter\Renderer\Renderer;
use MailPoet\Newsletter\Scheduler\Scheduler; use MailPoet\Newsletter\Scheduler\Scheduler;
@ -22,6 +24,10 @@ if(!defined('ABSPATH')) exit;
require_once(ABSPATH . 'wp-includes/pluggable.php'); require_once(ABSPATH . 'wp-includes/pluggable.php');
class Newsletters extends APIEndpoint { class Newsletters extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
);
function get($data = array()) { function get($data = array()) {
$id = (isset($data['id']) ? (int)$data['id'] : false); $id = (isset($data['id']) ? (int)$data['id'] : false);
$newsletter = Newsletter::findOne($id); $newsletter = Newsletter::findOne($id);


@ -1,15 +1,21 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Models\Segment;
use MailPoet\Listing; use MailPoet\Listing;
use MailPoet\Models\Segment;
use MailPoet\Segments\WP; use MailPoet\Segments\WP;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class Segments extends APIEndpoint { class Segments extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_SEGMENTS
);
function get($data = array()) { function get($data = array()) {
$id = (isset($data['id']) ? (int)$data['id'] : false); $id = (isset($data['id']) ? (int)$data['id'] : false);
$segment = Segment::findOne($id); $segment = Segment::findOne($id);


@ -1,18 +1,24 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Mailer\Mailer; use MailPoet\Mailer\Mailer;
use MailPoet\Models\Newsletter; use MailPoet\Models\Newsletter;
use MailPoet\Models\SendingQueue as SendingQueueModel;
use MailPoet\Models\Subscriber; use MailPoet\Models\Subscriber;
use MailPoet\Newsletter\Scheduler\Scheduler; use MailPoet\Newsletter\Scheduler\Scheduler;
use MailPoet\Models\SendingQueue as SendingQueueModel;
use MailPoet\Util\Helpers; use MailPoet\Util\Helpers;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class SendingQueue extends APIEndpoint { class SendingQueue extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
);
function add($data = array()) { function add($data = array()) {
$newsletter_id = (isset($data['newsletter_id']) $newsletter_id = (isset($data['newsletter_id'])
? (int)$data['newsletter_id'] ? (int)$data['newsletter_id']


@ -1,11 +1,12 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Config\Installer; use MailPoet\Config\Installer;
use MailPoet\Services\Bridge; use MailPoet\Services\Bridge;
use MailPoet\Util\License\License;
use MailPoet\WP\DateTime; use MailPoet\WP\DateTime;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
@ -13,6 +14,9 @@ if(!defined('ABSPATH')) exit;
class Services extends APIEndpoint { class Services extends APIEndpoint {
public $bridge; public $bridge;
public $date_time; public $date_time;
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
);
function __construct() { function __construct() {
$this->bridge = new Bridge(); $this->bridge = new Bridge();


@ -1,24 +1,31 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\Config\AccessControl;
use MailPoet\Models\Setting; use MailPoet\Models\Setting;
use MailPoet\Services\Bridge; use MailPoet\Services\Bridge;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class Settings extends APIEndpoint { class Settings extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
);
function get() { function get() {
return $this->successResponse(Setting::getAll()); return $this->successResponse(Setting::getAll());
} }
function set($settings = array()) { function set($settings = array()) {
if(empty($settings)) { if(empty($settings)) {
return $this->badRequest(array( return $this->badRequest(
APIError::BAD_REQUEST => array(
__('You have not specified any settings to be saved.', 'mailpoet') APIError::BAD_REQUEST =>
)); __('You have not specified any settings to be saved.', 'mailpoet')
));
} else { } else {
foreach($settings as $name => $value) { foreach($settings as $name => $value) {
Setting::setValue($name, $value); Setting::setValue($name, $value);


@ -1,13 +1,19 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\Config\AccessControl;
use MailPoet\Config\Activator; use MailPoet\Config\Activator;
use MailPoet\WP\Hooks; use MailPoet\WP\Hooks;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class Setup extends APIEndpoint { class Setup extends APIEndpoint {
public $permissions = array(
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
);
function reset() { function reset() {
try { try {
$activator = new Activator(); $activator = new Activator();


@ -1,21 +1,23 @@
<?php <?php
namespace MailPoet\API\JSON\v1; namespace MailPoet\API\JSON\v1;
use MailPoet\API\JSON\Access as APIAccess;
use MailPoet\API\JSON\Endpoint as APIEndpoint; use MailPoet\API\JSON\Endpoint as APIEndpoint;
use MailPoet\API\JSON\Error as APIError; use MailPoet\API\JSON\Error as APIError;
use MailPoet\API\JSON\Access as APIAccess; use MailPoet\Config\AccessControl;
use MailPoet\Form\Util\FieldNameObfuscator;
use MailPoet\Listing; use MailPoet\Listing;
use MailPoet\Models\Subscriber; use MailPoet\Form\Util\FieldNameObfuscator;
use MailPoet\Models\Form; use MailPoet\Models\Form;
use MailPoet\Models\StatisticsForms; use MailPoet\Models\StatisticsForms;
use MailPoet\Models\Subscriber;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class Subscribers extends APIEndpoint { class Subscribers extends APIEndpoint {
public $permissions = array( public $permissions = array(
'subscribe' => APIAccess::ALL 'global' => AccessControl::PERMISSION_MANAGE_SUBSCRIBERS,
'methods' => array('subscribe' => APIAccess::ALL)
); );
function get($data = array()) { function get($data = array()) {