diff options
Diffstat (limited to 'services/api/rest.php')
| -rw-r--r-- | services/api/rest.php | 33 |
1 files changed, 15 insertions, 18 deletions
diff --git a/services/api/rest.php b/services/api/rest.php index dfa6cd3a5..a569e7e26 100644 --- a/services/api/rest.php +++ b/services/api/rest.php @@ -27,30 +27,27 @@ if ((isset($CONFIG->disable_api)) && ($CONFIG->disable_api == true)) { throw new SecurityException(elgg_echo('SecurityException:APIAccessDenied')); } -// Register some default PAM methods, plugins can add their own -register_pam_handler('pam_auth_session_or_hmac'); // Command must either be authenticated by a hmac or the user is already logged in -register_pam_handler('pam_auth_usertoken', 'required'); // Either token present and valid OR method doesn't require one. -register_pam_handler('pam_auth_anonymous_method'); // Support anonymous functions +// plugins should return true to control what API and user authentication handlers are registered +if (trigger_plugin_hook('rest', 'init', null, false) == false) { + // check session - this usually means a REST call from a web browser + register_pam_handler('pam_auth_session'); + // user token can also be used for user authentication + register_pam_handler('pam_auth_usertoken'); + + // for api authentication, we default to a simple API key check + register_api_auth_handler('api_auth_key'); +} // Get parameter variables $method = get_input('method'); $result = null; -// Authenticate session -if (pam_authenticate()) { - // Authenticated somehow, now execute. - $token = ""; - $params = get_parameters_for_method($method); // Use $CONFIG->input instead of $_REQUEST since this is called by the pagehandler - if (isset($params['auth_token'])) { - $token = $params['auth_token']; - } - - $result = execute_method($method, $params, $token); -} else { - throw new SecurityException(elgg_echo('SecurityException:NoAuthMethods')); -} +// this will throw an exception if authentication fails +authenticate_method($method); + +$result = execute_method($method); + -// Finally output if (!($result instanceof GenericResult)) { throw new APIException(elgg_echo('APIException:ApiResultUnknown')); } |