Cavemanon/piratepoet
7
Fork 0
Code Pull Requests Actions Releases 16 Activity

ability to specify action for generateToken() method

Browse Source
This commit is contained in:
Jonathan Labreuille
2016-10-10 18:22:10 +02:00
parent 2787998d32
commit cc523a3c0b
5 changed files with 86 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
assets/js/src/public.js
View File

@ -40,7 +40,7 @@ function(
// ajax request // ajax request
MailPoet.Ajax.post({ MailPoet.Ajax.post({
url: MailPoetForm.ajax_url, url: MailPoetForm.ajax_url,
token: MailPoetForm.token, token: data.token,
endpoint: 'subscribers', endpoint: 'subscribers',
action: 'subscribe', action: 'subscribe',
data: data data: data

132
lib/API/API.php
View File

@ -5,6 +5,13 @@ use \MailPoet\Util\Security;
if(!defined('ABSPATH')) exit; if(!defined('ABSPATH')) exit;
class API { class API {
private $_endpoint;
private $_method;
private $_token;
private $_endpoint_class;
private $_data = array();
function init() { function init() {
// security token // security token
add_action( add_action(
@ -26,18 +33,80 @@ class API {
} }
function setupAdmin() { function setupAdmin() {
if($this->checkToken() === false) { $this->getRequestData();
$this->checkToken();
$this->checkPermissions();
$this->processRoute();
}
function setupPublic() {
$this->getRequestData();
$this->checkToken();
$this->processRoute();
}
function getRequestData() {
$this->_endpoint = isset($_POST['endpoint']) ? trim($_POST['endpoint']) : null;
$this->_method = (isset($_POST['method']))
? trim($_POST['method'])
: null;
$this->_token = (isset($_POST['token']))
? trim($_POST['token'])
: null;
if(!$this->_endpoint || !$this->_method || !$this->_token) {
// throw exception bad request
$error_response = new ErrorResponse( $error_response = new ErrorResponse(
array( array(
Error::UNAUTHORIZED => __('You need to specify a valid API token.', 'mailpoet') Error::BAD_REQUEST => __('Invalid request.', 'mailpoet')
), ),
array(), array(),
Response::STATUS_UNAUTHORIZED Response::STATUS_BAD_REQUEST
);
$error_response->send();
} else {
$this->_endpoint_class = (
__NAMESPACE__."\\Endpoints\\".ucfirst($this->_endpoint)
);
$this->_data = isset($_POST['data'])
? stripslashes_deep($_POST['data'])
: array();
// remove reserved keywords from data
if(is_array($this->_data) && !empty($this->_data)) {
// filter out reserved keywords from data
$reserved_keywords = array(
'token',
'endpoint',
'method',
'mailpoet_redirect'
);
$this->_data = array_diff_key(
$this->_data,
array_flip($reserved_keywords)
);
}
}
}
function processRoute() {
try {
$endpoint = new $this->_endpoint_class();
$response = $endpoint->{$this->_method}($this->_data);
$response->send();
} catch(\Exception $e) {
$error_response = new ErrorResponse(
array($e->getCode() => $e->getMessage())
); );
$error_response->send(); $error_response->send();
} }
}
if($this->checkPermissions() === false) { function checkPermissions() {
$has_permission = current_user_can('manage_options');
if($has_permission === false) {
$error_response = new ErrorResponse( $error_response = new ErrorResponse(
array( array(
Error::FORBIDDEN => __('You do not have the required permissions.', 'mailpoet') Error::FORBIDDEN => __('You do not have the required permissions.', 'mailpoet')
@ -47,52 +116,23 @@ class API {
); );
$error_response->send(); $error_response->send();
} }
$this->processRoute();
} }
function setupPublic() { function checkToken() {
if($this->checkToken() === false) { $action = $this->_endpoint.'_'.$this->_method;
$is_valid_token = wp_verify_nonce($this->_token, $action);
if($is_valid_token === false) {
$error_response = new ErrorResponse( $error_response = new ErrorResponse(
array( array(
Error::UNAUTHORIZED => __('You need to specify a valid API token.', 'mailpoet') Error::UNAUTHORIZED => __('Invalid request.', 'mailpoet')
), ),
array(), array(),
Response::STATUS_UNAUTHORIZED Response::STATUS_UNAUTHORIZED
); );
$error_response->send(); $error_response->send();
} }
$this->processRoute();
}
function processRoute() {
$class = ucfirst($_POST['endpoint']);
$endpoint = __NAMESPACE__ . "\\Endpoints\\" . $class;
$method = $_POST['method'];
$data = isset($_POST['data']) ? stripslashes_deep($_POST['data']) : array();
if(is_array($data) && !empty($data)) {
// filter out reserved keywords from data
$reserved_keywords = array(
'token',
'endpoint',
'method',
'mailpoet_redirect'
);
$data = array_diff_key($data, array_flip($reserved_keywords));
}
try {
$endpoint = new $endpoint();
$response = $endpoint->$method($data);
$response->send();
} catch(\Exception $e) {
$error_response = new ErrorResponse(
array($e->getCode() => $e->getMessage())
);
$error_response->send();
}
} }
function setToken() { function setToken() {
@ -101,16 +141,4 @@ class API {
$global .= '</script>'; $global .= '</script>';
echo $global; echo $global;
} }
function checkPermissions() {
return current_user_can('manage_options');
}
function checkToken() {
return (
isset($_POST['token'])
&&
wp_verify_nonce($_POST['token'], 'mailpoet_token')
);
}
} }

6
lib/Config/Widget.php
View File

@ -69,8 +69,7 @@ class Widget {
'form' => $form_html, 'form' => $form_html,
'mailpoet_form' => array( 'mailpoet_form' => array(
'ajax_url' => admin_url('admin-ajax.php', 'absolute'), 'ajax_url' => admin_url('admin-ajax.php', 'absolute'),
'is_rtl' => $is_rtl, 'is_rtl' => $is_rtl
'token' => Security::generateToken()
) )
); );
@ -103,8 +102,7 @@ class Widget {
wp_localize_script('mailpoet_public', 'MailPoetForm', array( wp_localize_script('mailpoet_public', 'MailPoetForm', array(
'ajax_url' => admin_url('admin-ajax.php'), 'ajax_url' => admin_url('admin-ajax.php'),
'is_rtl' => (function_exists('is_rtl') ? (bool)is_rtl() : false), 'is_rtl' => (function_exists('is_rtl') ? (bool)is_rtl() : false)
'token' => Security::generateToken()
)); ));
} }

2
lib/Form/Widget.php
View File

@ -161,7 +161,7 @@ class Widget extends \WP_Widget {
); );
// generate security token // generate security token
$data['token'] = Security::generateToken(); $data['token'] = Security::generateToken('subscribers_subscribe');
// render form // render form
$renderer = new Renderer(); $renderer = new Renderer();

4
lib/Util/Security.php
View File

@ -5,8 +5,8 @@ if(!defined('ABSPATH')) exit;
require_once(ABSPATH . 'wp-includes/pluggable.php'); require_once(ABSPATH . 'wp-includes/pluggable.php');
class Security { class Security {
static function generateToken() { static function generateToken($action = 'mailpoet_token') {
return wp_create_nonce('mailpoet_token'); return wp_create_nonce($action);
} }
static function generateRandomString($length = 5) { static function generateRandomString($length = 5) {