Modifies JSON API to use AccessControl
This commit is contained in:
Vlad
@ -1,6 +1,7 @@
|
||||
<?php
|
||||
namespace MailPoet\API\JSON;
|
||||
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Config\Env;
|
||||
use MailPoet\Util\Helpers;
|
||||
use MailPoet\Util\Security;
|
||||
@ -130,17 +131,11 @@ class API {
|
||||
|
||||
// check the accessibility of the requested endpoint's action
|
||||
// by default, an endpoint's action is considered "private"
|
||||
$permissions = $endpoint->permissions;
|
||||
if(array_key_exists($this->_request_method, $permissions) === false ||
|
||||
$permissions[$this->_request_method] !== Access::ALL
|
||||
) {
|
||||
if($this->checkPermissions() === false) {
|
||||
if(!$this->validatePermissions($this->_request_method, $endpoint->permissions)) {
|
||||
$error_message = __('You do not have the required permissions.', 'mailpoet');
|
||||
$error_response = $this->createErrorResponse(Error::FORBIDDEN, $error_message, Response::STATUS_FORBIDDEN);
|
||||
return $error_response;
|
||||
}
|
||||
}
|
||||
|
||||
$response = $endpoint->{$this->_request_method}($this->_request_data);
|
||||
return $response;
|
||||
} catch(\Exception $e) {
|
||||
@ -150,8 +145,15 @@ class API {
|
||||
}
|
||||
}
|
||||
|
||||
function checkPermissions() {
|
||||
return current_user_can(Env::$required_permission);
|
||||
function validatePermissions($request_method, $permissions) {
|
||||
// if method permission is defined, validate it
|
||||
if (!empty($permissions['methods'][$request_method])) {
|
||||
return ($permissions['methods'][$request_method] === Access::ALL) ?
|
||||
true :
|
||||
AccessControl::validatePermission($permissions['methods'][$request_method]);
|
||||
}
|
||||
// use global permission
|
||||
return AccessControl::validatePermission($permissions['global']);
|
||||
}
|
||||
|
||||
function checkToken() {
|
||||
|
||||
@ -1,11 +1,16 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON;
|
||||
|
||||
use MailPoet\Config\AccessControl;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
abstract class Endpoint {
|
||||
|
||||
public $permissions = array();
|
||||
public $permissions = array(
|
||||
'global' => array(AccessControl::PERMISSION_MANAGE_SETTINGS),
|
||||
'methods' => array()
|
||||
);
|
||||
|
||||
function successResponse(
|
||||
$data = array(), $meta = array(), $status = Response::STATUS_OK
|
||||
|
||||
@ -1,12 +1,18 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\WP\Posts as WPPosts;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class AutomatedLatestContent extends APIEndpoint {
|
||||
public $ALC;
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
|
||||
);
|
||||
|
||||
function __construct() {
|
||||
$this->ALC = new \MailPoet\Newsletter\AutomatedLatestContent();
|
||||
|
||||
@ -1,12 +1,19 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Models\CustomField;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class CustomFields extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_FORMS
|
||||
);
|
||||
|
||||
function getAll() {
|
||||
$collection = CustomField::orderByAsc('created_at')->findMany();
|
||||
$custom_fields = array_map(function($custom_field) {
|
||||
|
||||
@ -1,17 +1,23 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Form\Renderer as FormRenderer;
|
||||
use MailPoet\Form\Util;
|
||||
use MailPoet\Listing;
|
||||
use MailPoet\Models\Form;
|
||||
use MailPoet\Models\StatisticsForms;
|
||||
use MailPoet\Form\Renderer as FormRenderer;
|
||||
use MailPoet\Listing;
|
||||
use MailPoet\Form\Util;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class Forms extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_FORMS
|
||||
);
|
||||
|
||||
function get($data = array()) {
|
||||
$id = (isset($data['id']) ? (int)$data['id'] : false);
|
||||
$form = Form::findOne($id);
|
||||
|
||||
@ -1,13 +1,19 @@
|
||||
<?php
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
|
||||
use MailPoet\Subscribers\ImportExport\Import\MailChimp;
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Models\Segment;
|
||||
use MailPoet\Subscribers\ImportExport\Import\MailChimp;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class ImportExport extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SUBSCRIBERS
|
||||
);
|
||||
|
||||
function getMailChimpLists($data) {
|
||||
try {
|
||||
$mailChimp = new MailChimp($data['api_key']);
|
||||
|
||||
@ -1,10 +1,16 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\Config\AccessControl;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class MP2Migrator extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||
);
|
||||
|
||||
public function __construct() {
|
||||
$this->MP2Migrator = new \MailPoet\Config\MP2Migrator();
|
||||
|
||||
@ -1,12 +1,19 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Mailer\MailerLog;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class Mailer extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
|
||||
);
|
||||
|
||||
function send($data = array()) {
|
||||
try {
|
||||
$mailer = new \MailPoet\Mailer\Mailer(
|
||||
|
||||
@ -1,13 +1,19 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Models\NewsletterTemplate;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class NewsletterTemplates extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
|
||||
);
|
||||
|
||||
function get($data = array()) {
|
||||
$id = (isset($data['id']) ? (int)$data['id'] : false);
|
||||
$template = NewsletterTemplate::findOne($id);
|
||||
|
||||
@ -1,16 +1,18 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Listing;
|
||||
use MailPoet\Models\Newsletter;
|
||||
use MailPoet\Models\NewsletterOption;
|
||||
use MailPoet\Models\NewsletterOptionField;
|
||||
use MailPoet\Models\NewsletterSegment;
|
||||
use MailPoet\Models\NewsletterTemplate;
|
||||
use MailPoet\Models\SendingQueue;
|
||||
use MailPoet\Models\Setting;
|
||||
use MailPoet\Models\Newsletter;
|
||||
use MailPoet\Models\NewsletterTemplate;
|
||||
use MailPoet\Models\NewsletterSegment;
|
||||
use MailPoet\Models\NewsletterOptionField;
|
||||
use MailPoet\Models\NewsletterOption;
|
||||
use MailPoet\Models\Subscriber;
|
||||
use MailPoet\Newsletter\Renderer\Renderer;
|
||||
use MailPoet\Newsletter\Scheduler\Scheduler;
|
||||
@ -22,6 +24,10 @@ if(!defined('ABSPATH')) exit;
|
||||
require_once(ABSPATH . 'wp-includes/pluggable.php');
|
||||
|
||||
class Newsletters extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
|
||||
);
|
||||
|
||||
function get($data = array()) {
|
||||
$id = (isset($data['id']) ? (int)$data['id'] : false);
|
||||
$newsletter = Newsletter::findOne($id);
|
||||
|
||||
@ -1,15 +1,21 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
|
||||
use MailPoet\Models\Segment;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Listing;
|
||||
use MailPoet\Models\Segment;
|
||||
use MailPoet\Segments\WP;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class Segments extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SEGMENTS
|
||||
);
|
||||
|
||||
function get($data = array()) {
|
||||
$id = (isset($data['id']) ? (int)$data['id'] : false);
|
||||
$segment = Segment::findOne($id);
|
||||
|
||||
@ -1,18 +1,24 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Mailer\Mailer;
|
||||
use MailPoet\Models\Newsletter;
|
||||
use MailPoet\Models\SendingQueue as SendingQueueModel;
|
||||
use MailPoet\Models\Subscriber;
|
||||
use MailPoet\Newsletter\Scheduler\Scheduler;
|
||||
use MailPoet\Models\SendingQueue as SendingQueueModel;
|
||||
use MailPoet\Util\Helpers;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class SendingQueue extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_EMAILS
|
||||
);
|
||||
|
||||
function add($data = array()) {
|
||||
$newsletter_id = (isset($data['newsletter_id'])
|
||||
? (int)$data['newsletter_id']
|
||||
|
||||
@ -1,11 +1,12 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Config\Installer;
|
||||
use MailPoet\Services\Bridge;
|
||||
use MailPoet\Util\License\License;
|
||||
use MailPoet\WP\DateTime;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
@ -13,6 +14,9 @@ if(!defined('ABSPATH')) exit;
|
||||
class Services extends APIEndpoint {
|
||||
public $bridge;
|
||||
public $date_time;
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||
);
|
||||
|
||||
function __construct() {
|
||||
$this->bridge = new Bridge();
|
||||
|
||||
@ -1,21 +1,28 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Models\Setting;
|
||||
use MailPoet\Services\Bridge;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class Settings extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||
);
|
||||
|
||||
function get() {
|
||||
return $this->successResponse(Setting::getAll());
|
||||
}
|
||||
|
||||
function set($settings = array()) {
|
||||
if(empty($settings)) {
|
||||
return $this->badRequest(array(
|
||||
return $this->badRequest(
|
||||
array(
|
||||
APIError::BAD_REQUEST =>
|
||||
__('You have not specified any settings to be saved.', 'mailpoet')
|
||||
));
|
||||
|
||||
@ -1,13 +1,19 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Config\Activator;
|
||||
use MailPoet\WP\Hooks;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class Setup extends APIEndpoint {
|
||||
public $permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||
);
|
||||
|
||||
function reset() {
|
||||
try {
|
||||
$activator = new Activator();
|
||||
|
||||
@ -1,21 +1,23 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Access as APIAccess;
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\API\JSON\Error as APIError;
|
||||
use MailPoet\API\JSON\Access as APIAccess;
|
||||
|
||||
use MailPoet\Form\Util\FieldNameObfuscator;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Listing;
|
||||
use MailPoet\Models\Subscriber;
|
||||
use MailPoet\Form\Util\FieldNameObfuscator;
|
||||
use MailPoet\Models\Form;
|
||||
use MailPoet\Models\StatisticsForms;
|
||||
use MailPoet\Models\Subscriber;
|
||||
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class Subscribers extends APIEndpoint {
|
||||
|
||||
public $permissions = array(
|
||||
'subscribe' => APIAccess::ALL
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SUBSCRIBERS,
|
||||
'methods' => array('subscribe' => APIAccess::ALL)
|
||||
);
|
||||
|
||||
function get($data = array()) {
|
||||
|
||||
Reference in New Issue
Block a user