|
|
@@ -12,6 +12,7 @@ use Opentalent\OtCore\Exception\NoSuchRecordException;
|
|
|
use Opentalent\OtCore\Exception\NoSuchWebsiteException;
|
|
|
use Psr\Log\LoggerAwareInterface;
|
|
|
use Psr\Log\LoggerAwareTrait;
|
|
|
+use Psr\Log\LoggerInterface;
|
|
|
use TYPO3\CMS\Core\Http\JsonResponse;
|
|
|
use TYPO3\CMS\Core\Http\ServerRequest;
|
|
|
use TYPO3\CMS\Core\Utility\GeneralUtility;
|
|
|
@@ -100,6 +101,24 @@ class ApiController implements LoggerAwareInterface
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+ /**
|
|
|
+ * Lève une erreur si le token de confirmation n'a pas était ajouté, ou si sa valeur est invalide.
|
|
|
+ *
|
|
|
+ * Permet de sécuriser certaines opérations destructives, comme la suppression d'organisation.
|
|
|
+ *
|
|
|
+ * @param int $organizationId
|
|
|
+ * @return void
|
|
|
+ */
|
|
|
+ private function preventOnMissingConfirmationToken(int $organizationId): void
|
|
|
+ {
|
|
|
+ $headers = getallheaders();
|
|
|
+ if (
|
|
|
+ !isset($headers['Confirmation-Token']) ||
|
|
|
+ $headers['Confirmation-Token'] !== 'DEL-'.$organizationId.'-'.date('Ymd')
|
|
|
+ ) {
|
|
|
+ throw new \RuntimeException("Missing or invalid confirmation token");
|
|
|
+ }
|
|
|
+ }
|
|
|
|
|
|
/**
|
|
|
* Retrieve the organization's id from the given request parameters
|
|
|
@@ -245,6 +264,10 @@ class ApiController implements LoggerAwareInterface
|
|
|
*
|
|
|
* Proceeds to a soft-deletion of the organization's website
|
|
|
*
|
|
|
+ * In the case of a hard deletion, a special header is requested as a confirmation token. The header
|
|
|
+ * shall be named 'CONFIRMATION_TOKEN' and its value shall be DEL-XXXX-YYYYMMDD, where XXXX is the id of
|
|
|
+ * the organization owning the website, and YYYYMMDD is the date of the current day.
|
|
|
+ *
|
|
|
* @param ServerRequest $request
|
|
|
* @return JsonResponse
|
|
|
* @throws \Exception
|
|
|
@@ -260,6 +283,7 @@ class ApiController implements LoggerAwareInterface
|
|
|
|
|
|
if ($hard) {
|
|
|
$this->preventIfIsDubious();
|
|
|
+ $this->preventOnMissingConfirmationToken($organizationId);
|
|
|
}
|
|
|
|
|
|
$rootUid = $this->siteController->deleteSiteAction($organizationId, $hard, true, true);
|
|
|
@@ -268,10 +292,14 @@ class ApiController implements LoggerAwareInterface
|
|
|
"OtAdmin API: The website with root uid " . $rootUid . " has been soft-deleted " .
|
|
|
" (organization: " . $organizationId . ")"));
|
|
|
|
|
|
+ $msg = $hard ?
|
|
|
+ "The website with root uid " . $rootUid . " has been soft-deleted. Use the /site/undelete route to restore it." :
|
|
|
+ "The website with root uid " . $rootUid . " has been hard-deleted.";
|
|
|
+
|
|
|
return new JsonResponse(
|
|
|
[
|
|
|
'organization_id' => $organizationId,
|
|
|
- 'msg' => "The website with root uid " . $rootUid . " has been soft-deleted. Use the /site/undelete route to restore it.",
|
|
|
+ 'msg' => $msg,
|
|
|
'root_uid' => $rootUid
|
|
|
]
|
|
|
);
|
Olivier Massot