wordpress - Woocommerce 限制 API
问题描述
我在使用 Wocommerce API 时遇到了一些问题。我知道这并不理想,但我使用一个唯一键来读取/写入我网站上的一些资源。为了防止有人使用密钥获取其他用户的数据,我编写了一个函数,在登录时生成一个唯一令牌,每个请求都需要该令牌,然后使用rest_pre_dispatch
过滤器对其进行验证。它有效,但不幸的是,该过滤器没有有关请求的详细信息,因此我正在尝试找到一种更实用的方法来做到这一点。我在GitHub 问题上找到了以下代码:
class App_API_Validation {
public function __construct(){
add_filter( 'woocommerce_api_create_order_data', array( $this, 'validate_customer_on_resource_creation' ), 999999 );
add_filter( 'woocommerce_api_dispatch_args', array( $this, 'validate_request' ), 999999 );
}
/**
* Validate REST API's request
*
* It is hooked on 'woocommerce_api_dispatch_args' filter.
* With our custom validation we ensure that user has access
* only to his resources, which means:
* #1 - User doesn't have access ability to make CRUD operations to other users profiles
* #2 - User doesn't have access to others users resources (we are validating ownership)
* #3 - User doesn't have access to any resource list - for example to get all customers or orders.
*
* @param array $args Data sent by REST API client
* @param array $callback Function to process REST API's request
*
* @return WP_Error|array
*/
public function validate_request( $args, $callback ) {
echo 1;die;
$class_name = get_class( $callback[0] );
$method_name = $callback[1];
$id = ( isset( $args['id'] ) ? $args['id'] : false );
$are_resources_valid = true;
if ( $id ) {
if ( $this->has_to_trigger_resources_user_validation( $class_name, $method_name ) ) {
// Does user access his own profile ?
$are_resources_valid = $this->validate_resources_user( $id );
} else {
// Does user has ownership of the requested resource ?
$are_resources_valid = $this->validate_resources_ownership( $id, $class_name );
}
} else {
// Does user try to get a list of resources,
// for example - all customers or orders
$are_resources_valid = $this->validate_resources_list( $class_name, $method_name );
}
// If requested resources validation fails trigger error
if ( ! $are_resources_valid ) {
$args = $this->get_error();
}
return $args;
}
/**
* Filter resource data on create
*
* We ensure whether a customer creates resource for himself
*/
public function validate_resource_creation() {
}
/**
* Validate customer on resource creation
*
* Do not allow one customer to create resource of another customer
*
* @param array $data Resource data
*
* @return array $data
* @throws WC_API_Exception
*/
public function validate_customer_on_resource_creation( $data ) {
$customer_id = $data['customer_id'];
$does_user_create_resource_for_himself = $this->validate_resources_user( $customer_id );
if ( ! $does_user_create_resource_for_himself ) {
$this->get_error( true );
}
return $data;
}
/**
* Get or throw an error message if validation fails
*
* @param bool|false $throw Whether to throw new error or not
*
* @return WP_Error
* @throws WC_API_Exception
*/
public function get_error( $throw = false ) {
$code = 'woocommerce_app_api_insufficient_permissions';
$message = __( 'You don\'t have sufficient permissions', 'app-translations' );
$status = 401;
if ( $throw ) {
throw new WC_API_Exception( $code, $message, $status );
}
return new WP_Error( $code, $message, array( 'status' => $status ) );
}
/**
* Check whether or not to trigger user validation
*
* User validation is triggered when one of listed method is called
*
* @param string $class_name
* @param string $method_name
*
* @return bool
*/
public function has_to_trigger_resources_user_validation( $class_name, $method_name ) {
$resources_user = array(
'WC_API_Customers' => array(
'get_customer',
),
'WC_API_Customers_Extended' => array(
'get_customer_addresses'
),
);
return $this->is_method_exists( $resources_user, $class_name, $method_name );
}
/**
* Check if a method exists in array of classes (resources)
*
* @param $resources
* @param $class_name
* @param $method_name
*
* @return bool
*/
private function is_method_exists( $resources, $class_name, $method_name ) {
$is_class_exist = array_key_exists( $class_name, $resources );
$is_method_exist = ( $is_class_exist && in_array( $method_name, $resources[ $class_name ] ) );
return $is_method_exist;
}
/**
* Validate resource list
*
* If the customer tries to access list of resource,
* we are restrict his access.
*
* @param $class_name
* @param $method_name
*
* @return bool
*/
public function validate_resources_list( $class_name, $method_name ) {
$resources_list = array(
'WC_API_Customers' => array(
'get_customers'
),
'WC_API_Addresses' => array(
'get_addresses'
)
);
// If the method exist, then it is forbidden for access
$condition = ( ! $this->is_method_exists( $resources_list, $class_name, $method_name ) );
return $condition;
}
/**
* Does user access his own profile
*
* We are checking whether current user (by his customer key)
* has the same id according requested $id
*
* @param int $id ID of the requested customer
*
* @return bool
*/
public function validate_resources_user( $id ) {
$current_user = wp_get_current_user();
// Check if the user tries to access his own resources
$does_user_access_his_resource = ( $id == $current_user->ID );
return $does_user_access_his_resource;
}
/**
* Check whether requested resource id is owned by current user
*
* At $resources_ownership array we describe all resources these require
* user to has ownership of them.
*
* @param int $id ID of requested resource
* @param string $class_name Class that represent requested resource
*
* @return bool
*/
public function validate_resources_ownership( $id, $class_name ) {
// Classes that require user to have ownership of requested resource
$resources_ownership = array(
'WC_API_Addresses',
'WC_API_Orders',
);
$is_class_exist = in_array( $class_name, $resources_ownership );
if ( ! $is_class_exist ) {
return true;
}
$current_user = wp_get_current_user();
$model_user = new User( $current_user->ID );
switch ( $class_name ) {
case 'WC_API_Addresses':
$has_user_ownership_of_object = $model_user->has_user_address( $id );
break;
case 'WC_API_Orders':
$has_user_ownership_of_object = $model_user->has_user_order( $id );
break;
}
return $has_user_ownership_of_object;
}
}
问题是过滤器woocommerce_api_dispatch_args
没有被调用,所以没有任何工作了。你有什么想法让这项工作再次发挥作用吗?谢谢!
解决方案
推荐阅读
- react-native - 带有底部标签栏导航的 React-native-router-flux 导航俱乐部抽屉
- intellij-idea - 隐藏一些注释
- javascript - Safari - WebInspector 网络选项卡 - 尝试加载资源时出错
- java - Java 流映射修改未内置在类中的自定义类对象
- javascript - 如何为我的 Facebook 分享按钮添加自定义标题、图片和说明文字?
- android - mauth.signInWithEmailAndPassword 使我的 Android 应用程序崩溃
- javascript - 如何让我的用户学生查看他/她所属的所有教室?
- arrays - 如何使用多个键 Swift 4 过滤两个字典?
- java - Sonar java漏洞方法返回true
- python - 我正在尝试使用另一个由值组成的数据框创建一个新的数据框