jsonapi.services.yml | 6 ++-- ...hp => CustomQueryParameterNamesAccessCheck.php} | 32 ++++++++++++++++------ src/Routing/Routes.php | 8 +++--- ...> CustomQueryParameterNamesAccessCheckTest.php} | 12 ++++---- 4 files changed, 38 insertions(+), 20 deletions(-) diff --git a/jsonapi.services.yml b/jsonapi.services.yml index 18c9bc5..b7bc7c6 100644 --- a/jsonapi.services.yml +++ b/jsonapi.services.yml @@ -80,10 +80,10 @@ services: jsonapi.field_resolver: class: Drupal\jsonapi\Context\FieldResolver arguments: ['@jsonapi.current_context', '@entity_field.manager'] - access_check.jsonapi.custom_parameter_names: - class: Drupal\jsonapi\Access\CustomParameterNames + access_check.jsonapi.custom_query_parameter_names: + class: Drupal\jsonapi\Access\CustomQueryParameterNamesAccessCheck tags: - - { name: access_check, applies_to: _custom_parameter_names } + - { name: access_check, applies_to: _json_api_custom_parameter_names } paramconverteruuid.entity: class: Drupal\jsonapi\ParamConverter\EntityConverterField tags: diff --git a/src/Access/CustomParameterNames.php b/src/Access/CustomQueryParameterNamesAccessCheck.php similarity index 40% rename from src/Access/CustomParameterNames.php rename to src/Access/CustomQueryParameterNamesAccessCheck.php index 8f2dfe9..ed5ceca 100644 --- a/src/Access/CustomParameterNames.php +++ b/src/Access/CustomQueryParameterNamesAccessCheck.php @@ -5,22 +5,30 @@ namespace Drupal\jsonapi\Access; use Drupal\Core\Access\AccessResult; use Drupal\Core\Routing\Access\AccessInterface; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\Routing\Route; /** - * Validates custom parameter names. + * Validates custom (implementation-specific) query parameter names. + * + * @see @see http://jsonapi.org/format/#query-parameters */ -class CustomParameterNames implements AccessInterface { +class CustomQueryParameterNamesAccessCheck implements AccessInterface { /** - * Validates the JSONAPI parameter names. + * Validates the JSON API parameter names. * + * @param \Symfony\Component\Routing\Route $route + * The route to check against. * @param \Symfony\Component\HttpFoundation\Request $request - * The request. + * The current request. * * @return \Drupal\Core\Access\AccessResult * The access result. */ - public function access(Request $request) { + public function access(Route $route, Request $request) { + assert('$route->getRequirement("_json_api_custom_parameter_names") === "TRUE"'); + + // @todo rename the '_json_api_params' request attribute to '_json_api_query_paramaters'? $json_api_params = $request->attributes->get('_json_api_params', []); if (!$this->validate($json_api_params)) { return AccessResult::forbidden(); @@ -29,10 +37,10 @@ class CustomParameterNames implements AccessInterface { } /** - * Validates the JSONAPI parameters. + * Validates JSON API query parameters. * * @param string[] $json_api_params - * The JSONAPI parameters. + * The JSON API query parameters. * * @return bool */ @@ -40,15 +48,23 @@ class CustomParameterNames implements AccessInterface { $valid = TRUE; foreach (array_keys($json_api_params) as $name) { + // First, validate the general member names requirement that JSON API + // query parameters must comply with: + // http://jsonapi.org/format/#document-member-names if (strpbrk($name, '+,.[]!”#$%&’()*/:;<=>?@^`{}~|')) { $valid = FALSE; break; } - if (strpbrk($name[0], '-_ ') || strpbrk($name[strlen($name) - 1], '-_ ')) { $valid = FALSE; break; } + // @todo this should validate that it contains only a-z, A-Z, 0-9, hyphen or underscore (per http://jsonapi.org/format/#document-member-names, excluding the non-recommended yet allowed sequences) + // @todo this is not validating that the following disallowed characters are absent: U+007F DELETE, U+0000 to U+001F (C0 Controls). + + // Then, validate the specific requirements that JSON API query parameters + // must comply with: http://jsonapi.org/format/#query-parameters. + // @todo this should validate that it contains >=1 non-a-z character (per http://jsonapi.org/format/#query-parameters) } return $valid; diff --git a/src/Routing/Routes.php b/src/Routing/Routes.php index 2cd1413..e6038a8 100644 --- a/src/Routing/Routes.php +++ b/src/Routing/Routes.php @@ -103,7 +103,7 @@ class Routes implements ContainerInjectionInterface { ->setRequirement('_entity_type', $entity_type) ->setRequirement('_permission', $plugin_definition['permission']) ->setRequirement('_format', 'api_json') - ->setRequirement('_custom_parameter_names', 'TRUE') + ->setRequirement('_json_api_custom_parameter_names', 'TRUE') ->setOption('serialization_class', DocumentWrapperInterface::class) ->setMethods(['GET', 'POST']); if ($bundle) { @@ -119,7 +119,7 @@ class Routes implements ContainerInjectionInterface { ->setRequirement('_entity_type', $entity_type) ->setRequirement('_permission', $plugin_definition['permission']) ->setRequirement('_format', 'api_json') - ->setRequirement('_custom_parameter_names', 'TRUE') + ->setRequirement('_json_api_custom_parameter_names', 'TRUE') ->setOption('parameters', $parameters) ->setOption('_auth', $this->authProviderList()) ->setOption('serialization_class', DocumentWrapperInterface::class) @@ -136,7 +136,7 @@ class Routes implements ContainerInjectionInterface { ->setRequirement('_entity_type', $entity_type) ->setRequirement('_permission', $plugin_definition['permission']) ->setRequirement('_format', 'api_json') - ->setRequirement('_custom_parameter_names', 'TRUE') + ->setRequirement('_json_api_custom_parameter_names', 'TRUE') ->setOption('parameters', $parameters) ->setOption('_auth', $this->authProviderList()) ->setMethods(['GET']); @@ -152,7 +152,7 @@ class Routes implements ContainerInjectionInterface { ->setRequirement('_entity_type', $entity_type) ->setRequirement('_permission', $plugin_definition['permission']) ->setRequirement('_format', 'api_json') - ->setRequirement('_custom_parameter_names', 'TRUE') + ->setRequirement('_json_api_custom_parameter_names', 'TRUE') ->setOption('parameters', $parameters) ->setOption('_auth', $this->authProviderList()) ->setOption('serialization_class', EntityReferenceFieldItemList::class) diff --git a/tests/src/Unit/Access/CustomParameterNamesTest.php b/tests/src/Unit/Access/CustomQueryParameterNamesAccessCheckTest.php similarity index 79% rename from tests/src/Unit/Access/CustomParameterNamesTest.php rename to tests/src/Unit/Access/CustomQueryParameterNamesAccessCheckTest.php index 632b402..0d9d136 100644 --- a/tests/src/Unit/Access/CustomParameterNamesTest.php +++ b/tests/src/Unit/Access/CustomQueryParameterNamesAccessCheckTest.php @@ -2,14 +2,15 @@ namespace Drupal\Tests\jsonapi\Unit\Access; -use Drupal\jsonapi\Access\CustomParameterNames; +use Drupal\jsonapi\Access\CustomQueryParameterNamesAccessCheck; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\Routing\Route; /** - * @coversDefaultClass \Drupal\jsonapi\Access\CustomParameterNames + * @coversDefaultClass \Drupal\jsonapi\Access\CustomQueryParameterNamesAccessCheck * @group jsonapi */ -class CustomParameterNamesTest extends \PHPUnit_Framework_TestCase { +class CustomQueryParameterNamesAccessCheckTest extends \PHPUnit_Framework_TestCase { /** * @dataProvider providerTestJsonApiParamsValidation @@ -17,11 +18,12 @@ class CustomParameterNamesTest extends \PHPUnit_Framework_TestCase { * @covers ::validate */ public function testJsonApiParamsValidation($name, $valid) { - $access_checker = new CustomParameterNames(); + $access_checker = new CustomQueryParameterNamesAccessCheck(); + $route = new Route('/foo', [], ['_json_api_custom_parameter_names' => 'TRUE']); $request = new Request(); $request->attributes->set('_json_api_params', [$name => '123']); - $result = $access_checker->access($request); + $result = $access_checker->access($route,$request); if ($valid) { $this->assertTrue($result->isAllowed());