|
|
@@ -12,6 +12,7 @@ use Opentalent\OtCore\Exception\NoSuchRecordException;
|
|
|
use Opentalent\OtCore\Exception\NoSuchWebsiteException;
|
|
|
use Psr\Log\LoggerAwareInterface;
|
|
|
use Psr\Log\LoggerAwareTrait;
|
|
|
+use Psr\Log\LoggerInterface;
|
|
|
use TYPO3\CMS\Core\Http\JsonResponse;
|
|
|
use TYPO3\CMS\Core\Http\ServerRequest;
|
|
|
use TYPO3\CMS\Core\Utility\GeneralUtility;
|
|
|
@@ -25,6 +26,11 @@ class ApiController implements LoggerAwareInterface
|
|
|
{
|
|
|
use LoggerAwareTrait;
|
|
|
|
|
|
+ const PROD_FRONT_IP = "172.16.0.68";
|
|
|
+ const PROD_V2_IP = "172.16.0.35";
|
|
|
+ const PUBLIC_PRODFRONT_IP = "141.94.117.38";
|
|
|
+ const PUBLIC_PROD_V2_IP = "141.94.117.35";
|
|
|
+
|
|
|
const array ALLOWED_IPS = [
|
|
|
'/^127\.0\.0\.[0-1]$/', // Localhost
|
|
|
'/^localhost$/', // Localhost
|
|
|
@@ -74,6 +80,46 @@ class ApiController implements LoggerAwareInterface
|
|
|
return true;
|
|
|
}
|
|
|
|
|
|
+ /**
|
|
|
+ * Lève une erreur si l'environnement est la prod et que la requête provient d'un autre environnement, car
|
|
|
+ * cette requête a probablement été envoyée à la prod par erreur.
|
|
|
+ *
|
|
|
+ * Permet de sécuriser certaines opérations destructives, comme la suppression d'organisation.
|
|
|
+ *
|
|
|
+ * @return void
|
|
|
+ */
|
|
|
+ private function preventIfIsDubious(): void
|
|
|
+ {
|
|
|
+ if (
|
|
|
+ $_SERVER &&
|
|
|
+ (
|
|
|
+ ($_SERVER['SERVER_ADDR'] === self::PROD_FRONT_IP && $_SERVER['REMOTE_ADDR'] !== self::PROD_V2_IP) ||
|
|
|
+ ($_SERVER['SERVER_ADDR'] === self::PUBLIC_PRODFRONT_IP && $_SERVER['REMOTE_ADDR'] !== self::PUBLIC_PROD_V2_IP)
|
|
|
+ )
|
|
|
+ ) {
|
|
|
+ throw new \RuntimeException("Invalid client ip");
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /**
|
|
|
+ * Lève une erreur si le token de confirmation n'a pas était ajouté, ou si sa valeur est invalide.
|
|
|
+ *
|
|
|
+ * Permet de sécuriser certaines opérations destructives, comme la suppression d'organisation.
|
|
|
+ *
|
|
|
+ * @param int $organizationId
|
|
|
+ * @return void
|
|
|
+ */
|
|
|
+ private function preventOnMissingConfirmationToken(int $organizationId): void
|
|
|
+ {
|
|
|
+ $headers = getallheaders();
|
|
|
+ if (
|
|
|
+ !isset($headers['Confirmation-Token']) ||
|
|
|
+ $headers['Confirmation-Token'] !== 'DEL-'.$organizationId.'-'.date('Ymd')
|
|
|
+ ) {
|
|
|
+ throw new \RuntimeException("Missing or invalid confirmation token");
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
/**
|
|
|
* Retrieve the organization's id from the given request parameters
|
|
|
*
|
|
|
@@ -218,6 +264,10 @@ class ApiController implements LoggerAwareInterface
|
|
|
*
|
|
|
* Proceeds to a soft-deletion of the organization's website
|
|
|
*
|
|
|
+ * In the case of a hard deletion, a special header is requested as a confirmation token. The header
|
|
|
+ * shall be named 'Confirmation-Token' and its value shall be DEL-XXXX-YYYYMMDD, where XXXX is the id of
|
|
|
+ * the organization owning the website, and YYYYMMDD is the date of the current day.
|
|
|
+ *
|
|
|
* @param ServerRequest $request
|
|
|
* @return JsonResponse
|
|
|
* @throws \Exception
|
|
|
@@ -229,17 +279,27 @@ class ApiController implements LoggerAwareInterface
|
|
|
$organizationId = $this->getOrganizationId($request);
|
|
|
|
|
|
$params = $request->getQueryParams();
|
|
|
+ $hard = (isset($params['hard']) && $params['hard']);
|
|
|
|
|
|
- $rootUid = $this->siteController->deleteSiteAction($organizationId);
|
|
|
+ if ($hard) {
|
|
|
+ $this->preventIfIsDubious();
|
|
|
+ $this->preventOnMissingConfirmationToken($organizationId);
|
|
|
+ }
|
|
|
+
|
|
|
+ $rootUid = $this->siteController->deleteSiteAction($organizationId, $hard, true, true);
|
|
|
|
|
|
$this->logger->info(sprintf(
|
|
|
"OtAdmin API: The website with root uid " . $rootUid . " has been soft-deleted " .
|
|
|
" (organization: " . $organizationId . ")"));
|
|
|
|
|
|
+ $msg = $hard ?
|
|
|
+ "The website with root uid " . $rootUid . " has been hard-deleted." :
|
|
|
+ "The website with root uid " . $rootUid . " has been soft-deleted. Use the /site/undelete route to restore it.";
|
|
|
+
|
|
|
return new JsonResponse(
|
|
|
[
|
|
|
'organization_id' => $organizationId,
|
|
|
- 'msg' => "The website with root uid " . $rootUid . " has been soft-deleted. Use the /site/undelete route to restore it.",
|
|
|
+ 'msg' => $msg,
|
|
|
'root_uid' => $rootUid
|
|
|
]
|
|
|
);
|
Olivier Massot