ability to specify action for generateToken() method
This commit is contained in:
Jonathan Labreuille
132
lib/API/API.php
132
lib/API/API.php
@ -5,6 +5,13 @@ use \MailPoet\Util\Security;
|
||||
if(!defined('ABSPATH')) exit;
|
||||
|
||||
class API {
|
||||
private $_endpoint;
|
||||
private $_method;
|
||||
private $_token;
|
||||
|
||||
private $_endpoint_class;
|
||||
private $_data = array();
|
||||
|
||||
function init() {
|
||||
// security token
|
||||
add_action(
|
||||
@ -26,18 +33,80 @@ class API {
|
||||
}
|
||||
|
||||
function setupAdmin() {
|
||||
if($this->checkToken() === false) {
|
||||
$this->getRequestData();
|
||||
$this->checkToken();
|
||||
$this->checkPermissions();
|
||||
$this->processRoute();
|
||||
}
|
||||
|
||||
function setupPublic() {
|
||||
$this->getRequestData();
|
||||
$this->checkToken();
|
||||
$this->processRoute();
|
||||
}
|
||||
|
||||
function getRequestData() {
|
||||
$this->_endpoint = isset($_POST['endpoint']) ? trim($_POST['endpoint']) : null;
|
||||
$this->_method = (isset($_POST['method']))
|
||||
? trim($_POST['method'])
|
||||
: null;
|
||||
$this->_token = (isset($_POST['token']))
|
||||
? trim($_POST['token'])
|
||||
: null;
|
||||
|
||||
if(!$this->_endpoint || !$this->_method || !$this->_token) {
|
||||
// throw exception bad request
|
||||
$error_response = new ErrorResponse(
|
||||
array(
|
||||
Error::UNAUTHORIZED => __('You need to specify a valid API token.', 'mailpoet')
|
||||
Error::BAD_REQUEST => __('Invalid request.', 'mailpoet')
|
||||
),
|
||||
array(),
|
||||
Response::STATUS_UNAUTHORIZED
|
||||
Response::STATUS_BAD_REQUEST
|
||||
);
|
||||
$error_response->send();
|
||||
} else {
|
||||
$this->_endpoint_class = (
|
||||
__NAMESPACE__."\\Endpoints\\".ucfirst($this->_endpoint)
|
||||
);
|
||||
|
||||
$this->_data = isset($_POST['data'])
|
||||
? stripslashes_deep($_POST['data'])
|
||||
: array();
|
||||
|
||||
// remove reserved keywords from data
|
||||
if(is_array($this->_data) && !empty($this->_data)) {
|
||||
// filter out reserved keywords from data
|
||||
$reserved_keywords = array(
|
||||
'token',
|
||||
'endpoint',
|
||||
'method',
|
||||
'mailpoet_redirect'
|
||||
);
|
||||
$this->_data = array_diff_key(
|
||||
$this->_data,
|
||||
array_flip($reserved_keywords)
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function processRoute() {
|
||||
try {
|
||||
$endpoint = new $this->_endpoint_class();
|
||||
$response = $endpoint->{$this->_method}($this->_data);
|
||||
$response->send();
|
||||
} catch(\Exception $e) {
|
||||
$error_response = new ErrorResponse(
|
||||
array($e->getCode() => $e->getMessage())
|
||||
);
|
||||
$error_response->send();
|
||||
}
|
||||
}
|
||||
|
||||
if($this->checkPermissions() === false) {
|
||||
function checkPermissions() {
|
||||
$has_permission = current_user_can('manage_options');
|
||||
|
||||
if($has_permission === false) {
|
||||
$error_response = new ErrorResponse(
|
||||
array(
|
||||
Error::FORBIDDEN => __('You do not have the required permissions.', 'mailpoet')
|
||||
@ -47,52 +116,23 @@ class API {
|
||||
);
|
||||
$error_response->send();
|
||||
}
|
||||
|
||||
$this->processRoute();
|
||||
}
|
||||
|
||||
function setupPublic() {
|
||||
if($this->checkToken() === false) {
|
||||
function checkToken() {
|
||||
$action = $this->_endpoint.'_'.$this->_method;
|
||||
|
||||
$is_valid_token = wp_verify_nonce($this->_token, $action);
|
||||
|
||||
if($is_valid_token === false) {
|
||||
$error_response = new ErrorResponse(
|
||||
array(
|
||||
Error::UNAUTHORIZED => __('You need to specify a valid API token.', 'mailpoet')
|
||||
Error::UNAUTHORIZED => __('Invalid request.', 'mailpoet')
|
||||
),
|
||||
array(),
|
||||
Response::STATUS_UNAUTHORIZED
|
||||
);
|
||||
$error_response->send();
|
||||
}
|
||||
|
||||
$this->processRoute();
|
||||
}
|
||||
|
||||
function processRoute() {
|
||||
$class = ucfirst($_POST['endpoint']);
|
||||
$endpoint = __NAMESPACE__ . "\\Endpoints\\" . $class;
|
||||
$method = $_POST['method'];
|
||||
$data = isset($_POST['data']) ? stripslashes_deep($_POST['data']) : array();
|
||||
|
||||
if(is_array($data) && !empty($data)) {
|
||||
// filter out reserved keywords from data
|
||||
$reserved_keywords = array(
|
||||
'token',
|
||||
'endpoint',
|
||||
'method',
|
||||
'mailpoet_redirect'
|
||||
);
|
||||
$data = array_diff_key($data, array_flip($reserved_keywords));
|
||||
}
|
||||
|
||||
try {
|
||||
$endpoint = new $endpoint();
|
||||
$response = $endpoint->$method($data);
|
||||
$response->send();
|
||||
} catch(\Exception $e) {
|
||||
$error_response = new ErrorResponse(
|
||||
array($e->getCode() => $e->getMessage())
|
||||
);
|
||||
$error_response->send();
|
||||
}
|
||||
}
|
||||
|
||||
function setToken() {
|
||||
@ -101,16 +141,4 @@ class API {
|
||||
$global .= '</script>';
|
||||
echo $global;
|
||||
}
|
||||
|
||||
function checkPermissions() {
|
||||
return current_user_can('manage_options');
|
||||
}
|
||||
|
||||
function checkToken() {
|
||||
return (
|
||||
isset($_POST['token'])
|
||||
&&
|
||||
wp_verify_nonce($_POST['token'], 'mailpoet_token')
|
||||
);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user