Cavemanon/piratepoet
7
Fork 0
Code Pull Requests Actions Releases 16 Activity

- Restricts router access to explicitly defined endpoint actions

Browse Source
This commit is contained in:
Vlad
2016-08-24 11:23:12 -04:00
parent a8f4779bfe
commit ae6269eb63
5 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/Router/Endpoints/Queue.php
View File

@ -8,6 +8,7 @@ if(!defined('ABSPATH')) exit;
class Queue { class Queue {
const ENDPOINT = 'queue'; const ENDPOINT = 'queue';
const ACTION_RUN = 'run'; const ACTION_RUN = 'run';
public $allowed_actions = array(self::ACTION_RUN);
function run($data) { function run($data) {
$queue = new Daemon($data); $queue = new Daemon($data);

8
lib/Router/Endpoints/Subscription.php
View File

@ -7,6 +7,14 @@ if(!defined('ABSPATH')) exit;
class Subscription { class Subscription {
const ENDPOINT = 'subscription'; const ENDPOINT = 'subscription';
const ACTION_CONFIRM = 'confirm';
const ACTION_MANAGE = 'manage';
const ACTION_UNSUBSCRIBE = 'unsubscribe';
public $allowed_actions = array(
self::ACTION_CONFIRM,
self::ACTION_MANAGE,
self::ACTION_UNSUBSCRIBE
);
function confirm($data) { function confirm($data) {
$subscription = new UserSubscription\Pages('confirm', $data); $subscription = new UserSubscription\Pages('confirm', $data);

4
lib/Router/Endpoints/Track.php
View File

@ -14,6 +14,10 @@ class Track {
const ENDPOINT = 'track'; const ENDPOINT = 'track';
const ACTION_CLICK = 'click'; const ACTION_CLICK = 'click';
const ACTION_OPEN = 'open'; const ACTION_OPEN = 'open';
public $allowed_actions = array(
self::ACTION_CLICK,
self::ACTION_OPEN
);
function click($data) { function click($data) {
$click_event = new Clicks(); $click_event = new Clicks();

1
lib/Router/Endpoints/ViewInBrowser.php
View File

@ -11,6 +11,7 @@ if(!defined('ABSPATH')) exit;
class ViewInBrowser { class ViewInBrowser {
const ENDPOINT = 'view_in_browser'; const ENDPOINT = 'view_in_browser';
const ACTION_VIEW = 'view'; const ACTION_VIEW = 'view';
public $allowed_actions = array(self::ACTION_VIEW);
function view($data) { function view($data) {
$data = $this->_processBrowserPreviewData($data); $data = $this->_processBrowserPreviewData($data);

8
lib/Router/Front.php
View File

@ -31,7 +31,7 @@ class Front {
if(!$this->api_request) return; if(!$this->api_request) return;
if(!$this->endpoint || !class_exists($class)) { if(!$this->endpoint || !class_exists($class)) {
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid Router endpoint.')); self::terminateRequest(self::RESPONSE_ERROR, __('Invalid router endpoint.'));
} }
$this->callEndpoint( $this->callEndpoint(
$class, $class,
@ -41,10 +41,10 @@ class Front {
} }
function callEndpoint($endpoint, $action, $data) { function callEndpoint($endpoint, $action, $data) {
if(!method_exists($endpoint, $action)) {
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid Router action.'));
}
$endpoint = new $endpoint(); $endpoint = new $endpoint();
if(!method_exists($endpoint, $action) || !in_array($action, $endpoint->allowed_actions)) {
self::terminateRequest(self::RESPONSE_ERROR, __('Invalid router action.'));
}
call_user_func( call_user_func(
array( array(
$endpoint, $endpoint,