时间戳

首页 > 解决方案 > Woocommerce 限制 API

wordpress - Woocommerce 限制 API

问题描述

我在使用 Wocommerce API 时遇到了一些问题。我知道这并不理想,但我使用一个唯一键来读取/写入我网站上的一些资源。为了防止有人使用密钥获取其他用户的数据,我编写了一个函数,在登录时生成一个唯一令牌,每个请求都需要该令牌,然后使用rest_pre_dispatch过滤器对其进行验证。它有效,但不幸的是,该过滤器没有有关请求的详细信息,因此我正在尝试找到一种更实用的方法来做到这一点。我在GitHub 问题上找到了以下代码:

class App_API_Validation {

  public function __construct(){
        add_filter( 'woocommerce_api_create_order_data', array( $this, 'validate_customer_on_resource_creation' ), 999999 );
        add_filter( 'woocommerce_api_dispatch_args', array( $this, 'validate_request' ), 999999 );
  }
    /**
     * Validate REST API's request
     *
     * It is hooked on 'woocommerce_api_dispatch_args' filter.
     * With our custom validation we ensure that user has access
     * only to his resources, which means:
     * #1 - User doesn't have access ability to make CRUD operations to other users profiles
     * #2 - User doesn't have access to others users resources (we are validating ownership)
     * #3 - User doesn't have access to any resource list - for example to get all customers or orders.
     *
     * @param array $args Data sent by REST API client
     * @param array $callback Function to process REST API's request
     *
     * @return WP_Error|array
     */
    public function validate_request( $args, $callback ) {
    echo 1;die;
        $class_name  = get_class( $callback[0] );
        $method_name = $callback[1];
        $id          = ( isset( $args['id'] ) ? $args['id'] : false );

        $are_resources_valid = true;
        if ( $id ) {
            if ( $this->has_to_trigger_resources_user_validation( $class_name, $method_name ) ) {
                // Does user access his own profile ?
                $are_resources_valid = $this->validate_resources_user( $id );
            } else {
                // Does user has ownership of the requested resource ?
                $are_resources_valid = $this->validate_resources_ownership( $id, $class_name );
            }
        } else {
            // Does user try to get a list of resources,
            // for example - all customers or orders
            $are_resources_valid = $this->validate_resources_list( $class_name, $method_name );
        }

        // If requested resources validation fails trigger error
        if ( ! $are_resources_valid ) {
            $args = $this->get_error();
        }

        return $args;
    }

    /**
     * Filter resource data on create
     *
     * We ensure whether a customer creates resource for himself
     */
    public function validate_resource_creation() {
    }

    /**
     * Validate customer on resource creation
     *
     * Do not allow one customer to create resource of another customer
     *
     * @param array $data Resource data
     *
     * @return array $data
     * @throws WC_API_Exception
     */
    public function validate_customer_on_resource_creation( $data ) {
        $customer_id                           = $data['customer_id'];
        $does_user_create_resource_for_himself = $this->validate_resources_user( $customer_id );
        if ( ! $does_user_create_resource_for_himself ) {
            $this->get_error( true );
        }

        return $data;
    }

    /**
     * Get or throw an error message if validation fails
     *
     * @param bool|false $throw Whether to throw new error or not
     *
     * @return WP_Error
     * @throws WC_API_Exception
     */
    public function get_error( $throw = false ) {
        $code    = 'woocommerce_app_api_insufficient_permissions';
        $message = __( 'You don\'t have sufficient permissions', 'app-translations' );
        $status  = 401;

        if ( $throw ) {
            throw new WC_API_Exception( $code, $message, $status );
        }

        return new WP_Error( $code, $message, array( 'status' => $status ) );
    }

    /**
     * Check whether or not to trigger user validation
     *
     * User validation is triggered when one of listed method is called
     *
     * @param string $class_name
     * @param string $method_name
     *
     * @return bool
     */
    public function has_to_trigger_resources_user_validation( $class_name, $method_name ) {
        $resources_user = array(
            'WC_API_Customers' => array(
                'get_customer',
            ),
            'WC_API_Customers_Extended' => array(
                'get_customer_addresses'
            ),
        );

        return $this->is_method_exists( $resources_user, $class_name, $method_name );
    }

    /**
     * Check if a method exists in array of classes (resources)
     *
     * @param $resources
     * @param $class_name
     * @param $method_name
     *
     * @return bool
     */
    private function is_method_exists( $resources, $class_name, $method_name ) {
        $is_class_exist  = array_key_exists( $class_name, $resources );
        $is_method_exist = ( $is_class_exist && in_array( $method_name, $resources[ $class_name ] ) );

        return $is_method_exist;
    }

    /**
     * Validate resource list
     *
     * If the customer tries to access list of resource,
     * we are restrict his access.
     *
     * @param $class_name
     * @param $method_name
     *
     * @return bool
     */
    public function validate_resources_list( $class_name, $method_name ) {
        $resources_list = array(
            'WC_API_Customers' => array(
                'get_customers'
            ),
            'WC_API_Addresses' => array(
                'get_addresses'
            )
        );

        // If the method exist, then it is forbidden for access
        $condition = ( ! $this->is_method_exists( $resources_list, $class_name, $method_name ) );

        return $condition;
    }

    /**
     * Does user access his own profile
     *
     * We are checking whether current user (by his customer key)
     * has the same id according requested $id
     *
     * @param int $id ID of the requested customer
     *
     * @return bool
     */
    public function validate_resources_user( $id ) {
        $current_user = wp_get_current_user();
        // Check if the user tries to access his own resources
        $does_user_access_his_resource = ( $id == $current_user->ID );

        return $does_user_access_his_resource;
    }


    /**
     * Check whether requested resource id is owned by current user
     *
     * At $resources_ownership array we describe all resources these require
     * user to has ownership of them.
     *
     * @param int    $id ID of requested resource
     * @param string $class_name Class that represent requested resource
     *
     * @return bool
     */
    public function validate_resources_ownership( $id, $class_name ) {
        // Classes that require user to have ownership of requested resource
        $resources_ownership = array(
            'WC_API_Addresses',
            'WC_API_Orders',
        );

        $is_class_exist = in_array( $class_name, $resources_ownership );
        if ( ! $is_class_exist ) {
            return true;
        }

        $current_user = wp_get_current_user();
        $model_user   = new User( $current_user->ID );
        switch ( $class_name ) {
            case 'WC_API_Addresses':
                $has_user_ownership_of_object = $model_user->has_user_address( $id );
                break;
            case 'WC_API_Orders':
                $has_user_ownership_of_object = $model_user->has_user_order( $id );
                break;
        }

        return $has_user_ownership_of_object;
    }

}

问题是过滤器woocommerce_api_dispatch_args没有被调用,所以没有任何工作了。你有什么想法让这项工作再次发挥作用吗?谢谢!

标签: wordpresswoocommerce-rest-api

解决方案

推荐阅读