Reject requests without mandatory custom fields

We need to make sure subscribers cannot be created without custom fields Users require GDPR consent and we need to make sure there are no way to create a subscriber without mandatory custom fields [MAILPOET-1405]
2018-08-21 09:30:44 +02:00
parent 5cfe8e3368
commit ac33e11c60
7 changed files with 152 additions and 5 deletions
--- a/lib/API/JSON/API.php
+++ b/lib/API/JSON/API.php
@ -58,13 +58,13 @@ class API {
    $this->setRequestData($_POST);

    $ignoreToken = (
-      Setting::getValue('re_captcha.enabled') && 
-      $this->_request_endpoint === 'subscribers' && 
+      Setting::getValue('re_captcha.enabled') &&
+      $this->_request_endpoint === 'subscribers' &&
      $this->_request_method === 'subscribe'
-    ); 
+    );

    if(!$ignoreToken && $this->checkToken() === false) {
-      $error_message = __('Sorry, but we couldn\'t connect to the MailPoet server. Please refresh the web page and try again.', 'mailpoet');
+      $error_message = __("Sorry, but we couldn't connect to the MailPoet server. Please refresh the web page and try again.", 'mailpoet');
      $error_response = $this->createErrorResponse(Error::UNAUTHORIZED, $error_message, Response::STATUS_UNAUTHORIZED);
      return $error_response->send();
    }
--- a/lib/API/JSON/v1/Subscribers.php
+++ b/lib/API/JSON/v1/Subscribers.php
@ -14,6 +14,7 @@ use MailPoet\Models\Subscriber;
 use MailPoet\Newsletter\Scheduler\Scheduler;
 use MailPoet\Segments\BulkAction;
 use MailPoet\Segments\SubscribersListings;
+use MailPoet\Subscribers\RequiredCustomFieldValidator;
 use MailPoet\Subscribers\Source;
 use MailPoet\Subscription\Throttling as SubscriptionThrottling;
 use MailPoet\WP\Hooks;
@ -104,7 +105,7 @@ class Subscribers extends APIEndpoint {
        'body' => array(
          'secret' => $recaptcha['secret_token'],
          'response' => $res
-        ) 
+        )
      ));
      if(is_wp_error($res)) {
        return $this->badRequest(array(
@ -121,6 +122,13 @@ class Subscribers extends APIEndpoint {

    $data = $this->deobfuscateFormPayload($data);

+    try {
+      $validator = new RequiredCustomFieldValidator();
+      $validator->validate($data);
+    } catch (\Exception $e) {
+      return $this->badRequest([APIError::BAD_REQUEST => $e->getMessage()]);
+    }
+
    $segment_ids = (!empty($data['segments'])
      ? (array)$data['segments']
      : array()