Commit 3e6b8905 authored by totten's avatar totten

CRM-16173 - extern/cxn.php - Respect the "Force SSL" option

parent 0d57e900
......@@ -48,12 +48,20 @@ class CRM_Cxn_BAO_Cxn extends CRM_Cxn_DAO_Cxn {
*/
public static function getSiteCallbackUrl() {
$config = CRM_Core_Config::singleton();
if (preg_match('/^(http|https):/', $config->resourceBase)) {
$civiUrl = $config->resourceBase;
}
else {
$civiUrl = rtrim(CRM_Utils_System::baseURL(), '/') . '/' . ltrim($config->resourceBase, '/');
}
// In practice, this may not be necessary, but we want to prevent
// edge-cases that downgrade security-level below system policy.
if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL')) {
$civiUrl = preg_replace('/^http:/', 'https:', $civiUrl);
}
return rtrim($civiUrl, '/') . '/extern/cxn.php';
}
......@@ -1157,6 +1157,7 @@ class CRM_Utils_System {
public static function redirectToSSL($abort = FALSE) {
$config = CRM_Core_Config::singleton();
$req_headers = self::getRequestHeaders();
// FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL') &&
!self::isSSL() &&
strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', $req_headers)) != 'https'
......@@ -37,6 +37,14 @@ $apiServer->setRouter(function ($cxn, $entity, $action, $params) {
require_once 'api/v3/utils.php';
// FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL') &&
!CRM_Utils_System::isSSL() &&
strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders())) != 'https'
) {
return civicrm_api3_create_error('System policy requires HTTPS.');
}
// Note: $cxn and cxnId are authenticated before router is called.
$dao = new CRM_Cxn_DAO_Cxn();
$dao->cxn_id = $cxn['cxnId'];
......@@ -44,7 +52,7 @@ $apiServer->setRouter(function ($cxn, $entity, $action, $params) {
return civicrm_api3_create_error('Failed to lookup connection authorizations.');
}
if (!$dao->is_active) {
return civicrm_api3_create_error('Connection is inactive');
return civicrm_api3_create_error('Connection is inactive.');
}
if (!is_string($entity) || !is_string($action) || !is_array($params)) {
return civicrm_api3_create_error('API parameters are malformed.');
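Review bot: The new policy check in the first cxn.php hunk (the `if` over `enableSSL`, `!CRM_Utils_System::isSSL()` and `X_FORWARDED_PROTO`) treats a request as HTTPS whenever the `X-Forwarded-Proto` header says `https`, but that header arrives with the request and is only meaningful when a reverse proxy in front of CiviCRM sets or overwrites it; on a deployment without such a proxy, a plain-HTTP caller can satisfy the check simply by sending the header itself. The identical condition appears as context in `CRM_Utils_System::redirectToSSL()` in the other hunk of this commit, so the FIXME's own suggestion of moving the proxy-header handling into `CRM_Utils_System::isSSL()` would give both callers a single place to honour the header only from a trusted proxy. Until that refactor, the assumption should be stated next to the check, e.g. `// NOTE: X-Forwarded-Proto is client-supplied unless a reverse proxy overwrites it; this check assumes such a proxy fronts this endpoint.` The enclosing router closure starts before the hunk and continues past its end.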