- Restricts router access to explicitly defined endpoint actions

Vlad
2016-08-24 11:23:12 -04:00
parent a8f4779bfe
commit ae6269eb63
5 changed files with 18 additions and 4 deletions


@@ -31,7 +31,7 @@ class Front {
if(!$this->api_request) return;
if(!$this->endpoint || !class_exists($class)) {
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid Router endpoint.'));
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid router endpoint.'));
}
$this->callEndpoint(
$class,
@@ -41,10 +41,10 @@ class Front {
}
function callEndpoint($endpoint, $action, $data) {
if(!method_exists($endpoint, $action)) {
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid Router action.'));
}
$endpoint = new $endpoint();
if(!method_exists($endpoint, $action) || !in_array($action, $endpoint->allowed_actions)) {
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid router action.'));
}
call_user_func(
array(
$endpoint,