

(REF) CRM_Utils_REST - Extract method isWebServiceRequest()
totten committed Dec 11, 2021
1 parent 5e29f07 commit 69af731
Showing 1 changed file with 14 additions and 12 deletions.
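--- a/CRM/Utils/REST.php
+++ b/CRM/Utils/REST.php
@@ -399,9 +399,7 @@ public static function loadTemplate() {
 unset($param['q']);
 $smarty->assign_by_ref("request", $param);
 
-if (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
-$_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
-) {
+if (!self::isWebServiceRequest()) {
 
 $smarty->assign('tplFile', $tpl);
 $config = CRM_Core_Config::singleton();
@@ -434,10 +432,7 @@ public static function ajaxJson() {
 
 require_once 'api/v3/utils.php';
 $config = CRM_Core_Config::singleton();
-if (!$config->debug && (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
-$_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
-)
-) {
+if (!$config->debug && !self::isWebServiceRequest()) {
 $error = civicrm_api3_create_error("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api3().",
 [
 'IP' => $_SERVER['REMOTE_ADDR'],
@@ -499,11 +494,7 @@ public static function ajax() {
 // restrict calls to this etc
 // the request has to be sent by an ajax call. First line of protection against csrf
 $config = CRM_Core_Config::singleton();
-if (!$config->debug &&
-(!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
-$_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
-)
-) {
+if (!$config->debug && !self::isWebServiceRequest()) {
 require_once 'api/v3/utils.php';
 $error = civicrm_api3_create_error("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api3().",
 [
@@ -636,4 +627,15 @@ public function loadCMSBootstrap() {
 }
 }
 
+/**
+* Does this request appear to be a web-service request?
+*
+* @return bool
+* TRUE if the current request appears to be web-service request (ie AJAX).
+* FALSE if the current request appears to be a standalone browser page-view.
+*/
+protected static function isWebServiceRequest(): bool {
+return array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
+}
+
 }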
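Review bot: The docblock on isWebServiceRequest() should state what the check relies on, because the only inline rationale ("First line of protection against csrf") stays in ajax() and is invisible to the loadTemplate() and ajaxJson() callers that now share the method. Suggest adding to the docblock: `* This is a heuristic based solely on the X-Requested-With header: browsers do not attach it to a cross-origin request without a CORS preflight, which is what makes it useful as a CSRF check, but any non-browser client can set it, so it is not an authentication or authorization check.` As a point of style, the body could be written `return ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? NULL) === 'XMLHttpRequest';`, which drops the array_key_exists() call without changing the result. The enclosing class and loadCMSBootstrap() start above this hunk.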

