Commit 2c98c16e authored by catch's avatar catch

Issue #1847862 by klausi: Use Routing permission checks in REST module.

parent 214f2e6b
......@@ -56,8 +56,9 @@ public function routes() {
$methods = $this->requestMethods();
foreach ($methods as $method) {
$lower_method = strtolower($method);
// Only expose routes where the HTTP request method exists on the plugin.
if (method_exists($this, strtolower($method))) {
if (method_exists($this, $lower_method)) {
$prefix = strtr($this->plugin_id, ':', '/');
$route = new Route("/$prefix/{id}", array(
'_controller' => 'Drupal\rest\RequestHandler::handle',
......@@ -69,6 +70,7 @@ public function routes() {
), array(
// The HTTP method is a requirement for this route.
'_method' => $method,
'_permission' => "restful $lower_method $this->plugin_id",
));
$name = strtr($this->plugin_id, ':', '.');
......
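Review bot: The `'_permission' => "restful $lower_method $this->plugin_id"` requirement added in the second hunk is now the only access control on these resource routes, because the same commit removes the `user_access()` guard from `RequestHandler::handle()`; the comment above `_method` should state that so nobody later treats it as redundant. Suggest adding `// Access is enforced by routing only: this permission name must match the one the module declares for this method/plugin pair, and any other route to RequestHandler::handle() must carry the same requirement.` The name is built by string interpolation, so a mismatch with the declared permission (spelling, case of the method) would silently leave the route unreachable rather than fail loudly; a short note pointing at where the permission is declared would help the next maintainer keep the two in sync. routes() starts and ends outside the hunk.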
......@@ -34,31 +34,28 @@ class RequestHandler extends ContainerAware {
*/
public function handle($plugin, Request $request, $id = NULL) {
$method = strtolower($request->getMethod());
if (user_access("restful $method $plugin")) {
$resource = $this->container
->get('plugin.manager.rest')
->getInstance(array('id' => $plugin));
$received = $request->getContent();
// @todo De-serialization should happen here if the request is supposed
// to carry incoming data.
try {
$response = $resource->{$method}($id, $received);
}
catch (HttpException $e) {
return new Response($e->getMessage(), $e->getStatusCode(), $e->getHeaders());
}
$data = $response->getResponseData();
if ($data != NULL) {
// Serialize the response data.
$serializer = $this->container->get('serializer');
// @todo Replace the format here with something we get from the HTTP
// Accept headers. See http://drupal.org/node/1833440
$output = $serializer->serialize($data, 'drupal_jsonld');
$response->setContent($output);
$response->headers->set('Content-Type', 'application/vnd.drupal.ld+json');
}
return $response;
$resource = $this->container
->get('plugin.manager.rest')
->getInstance(array('id' => $plugin));
$received = $request->getContent();
// @todo De-serialization should happen here if the request is supposed
// to carry incoming data.
try {
$response = $resource->{$method}($id, $received);
}
return new Response('Access Denied', 403);
catch (HttpException $e) {
return new Response($e->getMessage(), $e->getStatusCode(), $e->getHeaders());
}
$data = $response->getResponseData();
if ($data != NULL) {
// Serialize the response data.
$serializer = $this->container->get('serializer');
// @todo Replace the format here with something we get from the HTTP
// Accept headers. See http://drupal.org/node/1833440
$output = $serializer->serialize($data, 'drupal_jsonld');
$response->setContent($output);
$response->headers->set('Content-Type', 'application/vnd.drupal.ld+json');
}
return $response;
}
}
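Review bot: handle() no longer performs any access check of its own — the `user_access()` branch and the 403 response are gone — so the method is only safe when reached through a route that carries the matching `_permission` requirement and was already filtered by `method_exists()` in routes(). That contract is not stated in the method, and the dynamic `$resource->{$method}($id, $received)` call makes it easy to miss, so the docblock (which starts above the hunk) should say: `Access control and HTTP-method validation are performed by the routing system (see the '_permission' requirement in ResourceBase::routes()); this handler must only be exposed through those routes.` A secondary point of style on the new side: `if ($data != NULL)` is a loose comparison, so an empty array, `''` or `0` returned by the resource is treated as "no data" and not serialized — if that is intended, `!== NULL` plus a one-line comment on the empty-value case would make it explicit.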