2019-05-09 01:36:18 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace MediaWiki\Rest;
|
|
|
|
|
|
2022-07-01 13:21:34 +00:00
|
|
|
use DateTime;
|
Hooks::run() call site migration
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
2020-03-19 02:42:09 +00:00
|
|
|
use MediaWiki\HookContainer\HookContainer;
|
|
|
|
|
use MediaWiki\HookContainer\HookRunner;
|
2021-01-06 18:10:15 +00:00
|
|
|
use MediaWiki\Permissions\Authority;
|
2023-10-30 16:04:41 +00:00
|
|
|
use MediaWiki\Rest\Module\Module;
|
2019-06-12 19:51:59 +00:00
|
|
|
use MediaWiki\Rest\Validator\BodyValidator;
|
|
|
|
|
use MediaWiki\Rest\Validator\NullBodyValidator;
|
|
|
|
|
use MediaWiki\Rest\Validator\Validator;
|
2022-05-04 16:29:51 +00:00
|
|
|
use MediaWiki\Session\Session;
|
2024-07-11 07:06:13 +00:00
|
|
|
use MWDebug;
|
2024-07-01 09:20:48 +00:00
|
|
|
use UtfNormal\Validator as UtfNormalValidator;
|
2023-10-30 16:04:41 +00:00
|
|
|
use Wikimedia\Assert\Assert;
|
2022-05-04 16:29:51 +00:00
|
|
|
use Wikimedia\Message\MessageValue;
|
2024-04-05 18:45:21 +00:00
|
|
|
use Wikimedia\ParamValidator\ParamValidator;
|
2019-06-12 19:51:59 +00:00
|
|
|
|
2020-03-12 11:13:22 +00:00
|
|
|
/**
|
|
|
|
|
* Base class for REST route handlers.
|
|
|
|
|
*
|
2020-07-13 09:00:30 +00:00
|
|
|
* @stable to extend.
|
2020-03-12 11:13:22 +00:00
|
|
|
*/
|
2019-05-09 01:36:18 +00:00
|
|
|
abstract class Handler {
|
2019-06-12 19:51:59 +00:00
|
|
|
|
2024-03-27 10:40:13 +00:00
|
|
|
/**
|
|
|
|
|
* @see Validator::KNOWN_PARAM_SOURCES
|
|
|
|
|
*/
|
|
|
|
|
public const KNOWN_PARAM_SOURCES = Validator::KNOWN_PARAM_SOURCES;
|
|
|
|
|
|
2019-06-12 19:51:59 +00:00
|
|
|
/**
|
2023-12-05 18:00:26 +00:00
|
|
|
* @see Validator::PARAM_SOURCE
|
2019-06-12 19:51:59 +00:00
|
|
|
*/
|
2023-12-05 18:00:26 +00:00
|
|
|
public const PARAM_SOURCE = Validator::PARAM_SOURCE;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @see Validator::PARAM_DESCRIPTION
|
|
|
|
|
*/
|
|
|
|
|
public const PARAM_DESCRIPTION = Validator::PARAM_DESCRIPTION;
|
2019-06-12 19:51:59 +00:00
|
|
|
|
2023-10-30 16:04:41 +00:00
|
|
|
/** @var Module */
|
|
|
|
|
private $module;
|
2019-06-22 23:08:07 +00:00
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/** @var RequestInterface */
|
|
|
|
|
private $request;
|
|
|
|
|
|
2021-01-06 18:10:15 +00:00
|
|
|
/** @var Authority */
|
|
|
|
|
private $authority;
|
|
|
|
|
|
2024-02-21 20:51:29 +00:00
|
|
|
/** @var string */
|
|
|
|
|
private $path;
|
|
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/** @var array */
|
|
|
|
|
private $config;
|
|
|
|
|
|
|
|
|
|
/** @var ResponseFactory */
|
|
|
|
|
private $responseFactory;
|
|
|
|
|
|
2019-06-12 19:51:59 +00:00
|
|
|
/** @var array|null */
|
|
|
|
|
private $validatedParams;
|
|
|
|
|
|
2023-07-03 14:20:00 +00:00
|
|
|
/** @var mixed|null */
|
2019-06-12 19:51:59 +00:00
|
|
|
private $validatedBody;
|
|
|
|
|
|
2019-09-30 06:15:30 +00:00
|
|
|
/** @var ConditionalHeaderUtil */
|
|
|
|
|
private $conditionalHeaderUtil;
|
|
|
|
|
|
Hooks::run() call site migration
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
2020-03-19 02:42:09 +00:00
|
|
|
/** @var HookContainer */
|
|
|
|
|
private $hookContainer;
|
|
|
|
|
|
2022-05-04 16:29:51 +00:00
|
|
|
/** @var Session */
|
|
|
|
|
private $session;
|
|
|
|
|
|
Hooks::run() call site migration
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
2020-03-19 02:42:09 +00:00
|
|
|
/** @var HookRunner */
|
|
|
|
|
private $hookRunner;
|
|
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/**
|
2023-10-30 16:04:41 +00:00
|
|
|
* Injects information about the handler's context in the Module.
|
|
|
|
|
* The framework should call this right after the object was constructed.
|
|
|
|
|
*
|
|
|
|
|
* First function of the initialization function, must be called before
|
|
|
|
|
* initServices().
|
|
|
|
|
*
|
|
|
|
|
* @param Module $module
|
2024-02-21 20:51:29 +00:00
|
|
|
* @param string $path
|
2023-10-30 16:04:41 +00:00
|
|
|
* @param array $routeConfig information about the route declaration.
|
|
|
|
|
*
|
|
|
|
|
* @internal
|
|
|
|
|
*/
|
2024-02-21 20:51:29 +00:00
|
|
|
final public function initContext( Module $module, string $path, array $routeConfig ) {
|
2023-10-30 16:04:41 +00:00
|
|
|
Assert::precondition(
|
|
|
|
|
$this->authority === null,
|
|
|
|
|
'initContext() must be called before initServices()'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
$this->module = $module;
|
2024-02-21 20:51:29 +00:00
|
|
|
$this->path = $path;
|
2023-10-30 16:04:41 +00:00
|
|
|
$this->config = $routeConfig;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Inject service objects.
|
|
|
|
|
*
|
|
|
|
|
* Second function of the initialization function, must be called after
|
|
|
|
|
* initContext() and before initSession().
|
|
|
|
|
*
|
2021-01-06 18:10:15 +00:00
|
|
|
* @param Authority $authority
|
2019-11-08 19:58:41 +00:00
|
|
|
* @param ResponseFactory $responseFactory
|
Hooks::run() call site migration
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
2020-03-19 02:42:09 +00:00
|
|
|
* @param HookContainer $hookContainer
|
2023-10-30 16:04:41 +00:00
|
|
|
*
|
2021-01-06 18:10:15 +00:00
|
|
|
* @internal
|
2019-05-09 01:36:18 +00:00
|
|
|
*/
|
2023-10-30 16:04:41 +00:00
|
|
|
final public function initServices(
|
|
|
|
|
Authority $authority, ResponseFactory $responseFactory, HookContainer $hookContainer
|
2019-05-09 01:36:18 +00:00
|
|
|
) {
|
2024-07-11 07:06:13 +00:00
|
|
|
// Warn if a subclass overrides getBodyValidator()
|
|
|
|
|
MWDebug::detectDeprecatedOverride(
|
|
|
|
|
$this,
|
|
|
|
|
__CLASS__,
|
|
|
|
|
'getBodyValidator',
|
|
|
|
|
'1.43'
|
|
|
|
|
);
|
|
|
|
|
|
2023-10-30 16:04:41 +00:00
|
|
|
Assert::precondition(
|
|
|
|
|
$this->module !== null,
|
|
|
|
|
'initServices() must not be called before initContext()'
|
|
|
|
|
);
|
|
|
|
|
Assert::precondition(
|
|
|
|
|
$this->session === null,
|
|
|
|
|
'initServices() must be called before initSession()'
|
|
|
|
|
);
|
|
|
|
|
|
2021-01-06 18:10:15 +00:00
|
|
|
$this->authority = $authority;
|
2019-05-09 01:36:18 +00:00
|
|
|
$this->responseFactory = $responseFactory;
|
Hooks::run() call site migration
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
2020-03-19 02:42:09 +00:00
|
|
|
$this->hookContainer = $hookContainer;
|
|
|
|
|
$this->hookRunner = new HookRunner( $hookContainer );
|
2023-10-30 16:04:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Inject session information.
|
|
|
|
|
*
|
|
|
|
|
* Third function of the initialization function, must be called after
|
|
|
|
|
* initServices() and before initForExecute().
|
|
|
|
|
*
|
|
|
|
|
* @param Session $session
|
|
|
|
|
*
|
|
|
|
|
* @internal
|
|
|
|
|
*/
|
|
|
|
|
final public function initSession( Session $session ) {
|
|
|
|
|
Assert::precondition(
|
|
|
|
|
$this->authority !== null,
|
|
|
|
|
'initSession() must not be called before initContext()'
|
|
|
|
|
);
|
|
|
|
|
Assert::precondition(
|
|
|
|
|
$this->request === null,
|
|
|
|
|
'initSession() must be called before initForExecute()'
|
|
|
|
|
);
|
|
|
|
|
|
2022-05-04 16:29:51 +00:00
|
|
|
$this->session = $session;
|
2019-05-09 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2024-04-24 17:54:55 +00:00
|
|
|
/**
|
2023-10-30 16:04:41 +00:00
|
|
|
* Initialise for execution based on the given request.
|
2024-04-24 17:54:55 +00:00
|
|
|
*
|
2023-10-30 16:04:41 +00:00
|
|
|
* Last function of the initialization function, must be called after
|
|
|
|
|
* initSession() and before validate() and checkPreconditions().
|
2024-04-24 17:54:55 +00:00
|
|
|
*
|
2023-10-30 16:04:41 +00:00
|
|
|
* This function will call postInitSetup() to allow subclasses to
|
|
|
|
|
* perform their own initialization.
|
|
|
|
|
*
|
|
|
|
|
* The request object is updated with parsed body data if needed.
|
2024-04-24 17:54:55 +00:00
|
|
|
*
|
|
|
|
|
* @internal
|
2023-10-30 16:04:41 +00:00
|
|
|
*
|
|
|
|
|
* @param RequestInterface $request
|
|
|
|
|
*
|
|
|
|
|
* @throws HttpException if the handler does not accept the request for
|
|
|
|
|
* some reason.
|
2024-04-24 17:54:55 +00:00
|
|
|
*/
|
2023-10-30 16:04:41 +00:00
|
|
|
final public function initForExecute( RequestInterface $request ) {
|
|
|
|
|
Assert::precondition(
|
|
|
|
|
$this->session !== null,
|
|
|
|
|
'initForExecute() must not be called before initSession()'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if ( $request->getParsedBody() === null ) {
|
|
|
|
|
$this->processRequestBody( $request );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$this->request = $request;
|
|
|
|
|
|
|
|
|
|
$this->postInitSetup();
|
2024-04-24 17:54:55 +00:00
|
|
|
}
|
|
|
|
|
|
2022-12-13 21:00:59 +00:00
|
|
|
/**
|
2023-10-30 16:04:41 +00:00
|
|
|
* Process the request's request body and set the parsed body data
|
|
|
|
|
* if appropriate.
|
|
|
|
|
*
|
|
|
|
|
* @see parseBodyData()
|
|
|
|
|
*
|
|
|
|
|
* @throws HttpException if the request body is not acceptable.
|
|
|
|
|
*/
|
|
|
|
|
private function processRequestBody( RequestInterface $request ) {
|
|
|
|
|
// fail if the request method is in NO_BODY_METHODS but has body
|
|
|
|
|
$requestMethod = $request->getMethod();
|
|
|
|
|
if ( in_array( $requestMethod, RequestInterface::NO_BODY_METHODS ) ) {
|
|
|
|
|
// check if the request has a body
|
|
|
|
|
if ( $request->hasBody() ) {
|
|
|
|
|
// NOTE: Don't throw, see T359509.
|
|
|
|
|
// TODO: Ignore only empty bodies, log a warning or fail if
|
|
|
|
|
// there is actual content.
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// fail if the request method expects a body but has no body
|
|
|
|
|
if ( in_array( $requestMethod, RequestInterface::BODY_METHODS ) ) {
|
|
|
|
|
// check if it has no body
|
|
|
|
|
if ( !$request->hasBody() ) {
|
|
|
|
|
throw new LocalizedHttpException(
|
|
|
|
|
new MessageValue(
|
|
|
|
|
"rest-request-body-expected",
|
|
|
|
|
[ $requestMethod ]
|
|
|
|
|
),
|
|
|
|
|
411
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// call parsedbody
|
|
|
|
|
if ( $request->hasBody() ) {
|
|
|
|
|
$parsedBody = $this->parseBodyData( $request );
|
|
|
|
|
// Set the parsed body data on the request object
|
|
|
|
|
$request->setParsedBody( $parsedBody );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns the path this handler is bound to relative to the module prefix.
|
|
|
|
|
* Includes path variables.
|
2022-12-13 21:00:59 +00:00
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
|
|
|
|
public function getPath(): string {
|
2024-02-21 20:51:29 +00:00
|
|
|
return $this->path;
|
2022-12-13 21:00:59 +00:00
|
|
|
}
|
|
|
|
|
|
2024-04-24 17:54:55 +00:00
|
|
|
/**
|
2024-04-24 21:03:10 +00:00
|
|
|
* Get a list of parameter placeholders present in the route's path
|
|
|
|
|
* as returned by getPath(). Note that this is independent of the parameters
|
2024-04-24 17:54:55 +00:00
|
|
|
* defined by getParamSettings(): required path parameters defined in
|
|
|
|
|
* getParamSettings() should be present in the path, but there is no
|
|
|
|
|
* mechanism to ensure that they are.
|
|
|
|
|
*
|
|
|
|
|
* @return string[]
|
|
|
|
|
*/
|
|
|
|
|
public function getSupportedPathParams(): array {
|
|
|
|
|
$path = $this->getPath();
|
|
|
|
|
|
|
|
|
|
preg_match_all( '/\{(.*?)\}/', $path, $matches, PREG_PATTERN_ORDER );
|
|
|
|
|
|
|
|
|
|
return $matches[1] ?? [];
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-22 23:08:07 +00:00
|
|
|
/**
|
2024-05-22 21:04:09 +00:00
|
|
|
* Get the Router.
|
2023-10-30 16:04:41 +00:00
|
|
|
*
|
2019-11-08 19:58:41 +00:00
|
|
|
* @return Router
|
2019-06-22 23:08:07 +00:00
|
|
|
*/
|
|
|
|
|
protected function getRouter(): Router {
|
2023-10-30 16:04:41 +00:00
|
|
|
return $this->module->getRouter();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get the Module this handler belongs to.
|
|
|
|
|
* Will fail hard if called before initContext().
|
|
|
|
|
*
|
|
|
|
|
* @return Module
|
|
|
|
|
*/
|
|
|
|
|
protected function getModule(): Module {
|
|
|
|
|
return $this->module;
|
2019-06-22 23:08:07 +00:00
|
|
|
}
|
|
|
|
|
|
2020-05-25 18:12:33 +00:00
|
|
|
/**
|
|
|
|
|
* Get the URL of this handler's endpoint.
|
|
|
|
|
* Supports the substitution of path parameters, and additions of query parameters.
|
|
|
|
|
*
|
|
|
|
|
* @see Router::getRouteUrl()
|
|
|
|
|
*
|
|
|
|
|
* @param string[] $pathParams Path parameters to be injected into the path
|
|
|
|
|
* @param string[] $queryParams Query parameters to be attached to the URL
|
|
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
|
|
|
|
protected function getRouteUrl( $pathParams = [], $queryParams = [] ): string {
|
2024-02-21 20:51:29 +00:00
|
|
|
$path = $this->getPath();
|
2023-10-30 16:04:41 +00:00
|
|
|
return $this->getRouter()->getRouteUrl( $path, $pathParams, $queryParams );
|
2020-05-25 18:12:33 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-22 19:12:00 +00:00
|
|
|
/**
|
|
|
|
|
* URL-encode titles in a "pretty" way.
|
|
|
|
|
*
|
|
|
|
|
* Keeps intact ;@$!*(),~: (urlencode does not, but wfUrlencode does).
|
|
|
|
|
* Encodes spaces as underscores (wfUrlencode does not).
|
2022-05-09 09:09:00 +00:00
|
|
|
* Encodes slashes (wfUrlencode does not, but keeping them messes with REST paths).
|
2020-07-22 19:12:00 +00:00
|
|
|
* Encodes pluses (this is not necessary, and may change).
|
|
|
|
|
*
|
|
|
|
|
* @see wfUrlencode
|
|
|
|
|
*
|
|
|
|
|
* @param string $title
|
|
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
|
|
|
|
protected function urlEncodeTitle( $title ) {
|
|
|
|
|
$title = str_replace( ' ', '_', $title );
|
|
|
|
|
$title = urlencode( $title );
|
|
|
|
|
|
|
|
|
|
// %3B_a_%40_b_%24_c_%21_d_%2A_e_%28_f_%29_g_%2C_h_~_i_%3A
|
|
|
|
|
$replace = [ '%3B', '%40', '%24', '%21', '%2A', '%28', '%29', '%2C', '%7E', '%3A' ];
|
|
|
|
|
$with = [ ';', '@', '$', '!', '*', '(', ')', ',', '~', ':' ];
|
|
|
|
|
|
2021-04-02 01:51:00 +00:00
|
|
|
return str_replace( $replace, $with, $title );
|
2020-07-22 19:12:00 +00:00
|
|
|
}
|
|
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/**
|
|
|
|
|
* Get the current request. The return type declaration causes it to raise
|
2024-05-22 21:04:09 +00:00
|
|
|
* a fatal error if initForExecute() has not yet been called.
|
2019-05-09 01:36:18 +00:00
|
|
|
*
|
|
|
|
|
* @return RequestInterface
|
|
|
|
|
*/
|
|
|
|
|
public function getRequest(): RequestInterface {
|
|
|
|
|
return $this->request;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-06 18:10:15 +00:00
|
|
|
/**
|
|
|
|
|
* Get the current acting authority. The return type declaration causes it to raise
|
2024-05-22 21:04:09 +00:00
|
|
|
* a fatal error if initServices() has not yet been called.
|
2021-01-06 18:10:15 +00:00
|
|
|
*
|
|
|
|
|
* @since 1.36
|
|
|
|
|
* @return Authority
|
|
|
|
|
*/
|
|
|
|
|
public function getAuthority(): Authority {
|
|
|
|
|
return $this->authority;
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/**
|
|
|
|
|
* Get the configuration array for the current route. The return type
|
2024-05-22 21:04:09 +00:00
|
|
|
* declaration causes it to raise a fatal error if initContext() has not
|
2019-05-09 01:36:18 +00:00
|
|
|
* been called.
|
|
|
|
|
*
|
|
|
|
|
* @return array
|
|
|
|
|
*/
|
|
|
|
|
public function getConfig(): array {
|
|
|
|
|
return $this->config;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get the ResponseFactory which can be used to generate Response objects.
|
2024-05-22 21:04:09 +00:00
|
|
|
* This will raise a fatal error if initServices() has not been
|
2019-05-09 01:36:18 +00:00
|
|
|
* called.
|
|
|
|
|
*
|
|
|
|
|
* @return ResponseFactory
|
|
|
|
|
*/
|
|
|
|
|
public function getResponseFactory(): ResponseFactory {
|
|
|
|
|
return $this->responseFactory;
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-04 16:29:51 +00:00
|
|
|
/**
|
|
|
|
|
* Get the Session.
|
2024-05-22 21:04:09 +00:00
|
|
|
* This will raise a fatal error if initSession() has not been
|
2022-05-04 16:29:51 +00:00
|
|
|
* called.
|
|
|
|
|
*
|
|
|
|
|
* @return Session
|
|
|
|
|
*/
|
|
|
|
|
public function getSession(): Session {
|
|
|
|
|
return $this->session;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-12 19:51:59 +00:00
|
|
|
/**
|
|
|
|
|
* Validate the request parameters/attributes and body. If there is a validation
|
|
|
|
|
* failure, a response with an error message should be returned or an
|
|
|
|
|
* HttpException should be thrown.
|
|
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2019-06-12 19:51:59 +00:00
|
|
|
* @param Validator $restValidator
|
|
|
|
|
* @throws HttpException On validation failure.
|
|
|
|
|
*/
|
|
|
|
|
public function validate( Validator $restValidator ) {
|
2024-04-25 17:39:25 +00:00
|
|
|
$this->validatedParams = $restValidator->validateParams(
|
|
|
|
|
$this->getParamSettings()
|
|
|
|
|
);
|
2024-03-12 12:19:08 +00:00
|
|
|
|
2024-07-11 07:06:13 +00:00
|
|
|
$bodyType = $this->request->getBodyType();
|
|
|
|
|
$legacyBodyValidator = $bodyType === null ? null
|
|
|
|
|
: $this->getBodyValidator( $bodyType );
|
|
|
|
|
|
|
|
|
|
if ( $legacyBodyValidator && !$legacyBodyValidator instanceof NullBodyValidator ) {
|
|
|
|
|
$this->validatedBody = $restValidator->validateBody( $this->request, $this );
|
2024-03-12 12:19:08 +00:00
|
|
|
} else {
|
2024-06-26 18:25:16 +00:00
|
|
|
// Allow type coercion if the request body is form data.
|
|
|
|
|
// For JSON requests, insist on proper types.
|
|
|
|
|
$enforceTypes = !in_array(
|
|
|
|
|
$this->request->getBodyType(),
|
|
|
|
|
RequestInterface::FORM_DATA_CONTENT_TYPES
|
|
|
|
|
);
|
|
|
|
|
|
2024-04-25 17:39:25 +00:00
|
|
|
$this->validatedBody = $restValidator->validateBodyParams(
|
2024-06-26 18:25:16 +00:00
|
|
|
$this->getBodyParamSettings(),
|
|
|
|
|
$enforceTypes
|
2024-04-25 17:39:25 +00:00
|
|
|
);
|
2024-03-19 14:56:20 +00:00
|
|
|
|
|
|
|
|
// If there is a body, check if it contains extra fields.
|
|
|
|
|
if ( $this->getRequest()->hasBody() ) {
|
|
|
|
|
$this->detectExtraneousBodyFields( $restValidator );
|
|
|
|
|
}
|
2024-03-06 11:27:26 +00:00
|
|
|
}
|
2024-03-12 12:19:08 +00:00
|
|
|
|
2020-12-03 17:53:55 +00:00
|
|
|
$this->postValidationSetup();
|
2019-06-12 19:51:59 +00:00
|
|
|
}
|
|
|
|
|
|
2024-03-19 14:56:20 +00:00
|
|
|
/**
|
|
|
|
|
* Subclasses may override this to disable or modify checks for extraneous
|
|
|
|
|
* body fields.
|
|
|
|
|
*
|
|
|
|
|
* @since 1.42
|
|
|
|
|
* @stable to override
|
|
|
|
|
* @param Validator $restValidator
|
|
|
|
|
* @throws HttpException On validation failure.
|
|
|
|
|
*/
|
|
|
|
|
protected function detectExtraneousBodyFields( Validator $restValidator ) {
|
|
|
|
|
$parsedBody = $this->getRequest()->getParsedBody();
|
|
|
|
|
|
|
|
|
|
if ( !$parsedBody ) {
|
|
|
|
|
// nothing to do
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$restValidator->detectExtraneousBodyFields(
|
2024-04-25 17:39:25 +00:00
|
|
|
$this->getBodyParamSettings(),
|
2024-03-19 14:56:20 +00:00
|
|
|
$parsedBody
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-04 16:29:51 +00:00
|
|
|
/**
|
|
|
|
|
* Check the session (and session provider)
|
|
|
|
|
* @throws HttpException on failed check
|
|
|
|
|
* @internal
|
|
|
|
|
*/
|
|
|
|
|
public function checkSession() {
|
|
|
|
|
if ( !$this->session->getProvider()->safeAgainstCsrf() ) {
|
|
|
|
|
if ( $this->requireSafeAgainstCsrf() ) {
|
|
|
|
|
throw new LocalizedHttpException(
|
|
|
|
|
new MessageValue( 'rest-requires-safe-against-csrf' ),
|
|
|
|
|
400
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
} elseif ( !empty( $this->validatedBody['token'] ) ) {
|
|
|
|
|
throw new LocalizedHttpException(
|
|
|
|
|
new MessageValue( 'rest-extraneous-csrf-token' ),
|
|
|
|
|
400
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-21 23:35:05 +00:00
|
|
|
/**
|
|
|
|
|
* Get a ConditionalHeaderUtil object.
|
|
|
|
|
*
|
|
|
|
|
* On the first call to this method, the object will be initialized with
|
|
|
|
|
* validator values by calling getETag(), getLastModified() and
|
|
|
|
|
* hasRepresentation().
|
|
|
|
|
*
|
|
|
|
|
* @return ConditionalHeaderUtil
|
|
|
|
|
*/
|
|
|
|
|
protected function getConditionalHeaderUtil() {
|
|
|
|
|
if ( $this->conditionalHeaderUtil === null ) {
|
|
|
|
|
$this->conditionalHeaderUtil = new ConditionalHeaderUtil;
|
|
|
|
|
$this->conditionalHeaderUtil->setValidators(
|
|
|
|
|
$this->getETag(),
|
|
|
|
|
$this->getLastModified(),
|
2021-04-02 01:51:00 +00:00
|
|
|
$this->hasRepresentation()
|
|
|
|
|
);
|
2019-11-21 23:35:05 +00:00
|
|
|
}
|
|
|
|
|
return $this->conditionalHeaderUtil;
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-30 06:15:30 +00:00
|
|
|
/**
|
|
|
|
|
* Check the conditional request headers and generate a response if appropriate.
|
|
|
|
|
* This is called by the Router before execute() and may be overridden.
|
|
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-09-30 06:15:30 +00:00
|
|
|
* @return ResponseInterface|null
|
|
|
|
|
*/
|
|
|
|
|
public function checkPreconditions() {
|
2019-11-21 23:35:05 +00:00
|
|
|
$status = $this->getConditionalHeaderUtil()->checkPreconditions( $this->getRequest() );
|
2019-09-30 06:15:30 +00:00
|
|
|
if ( $status ) {
|
|
|
|
|
$response = $this->getResponseFactory()->create();
|
|
|
|
|
$response->setStatus( $status );
|
|
|
|
|
return $response;
|
|
|
|
|
}
|
2021-04-02 01:51:00 +00:00
|
|
|
|
|
|
|
|
return null;
|
2019-09-30 06:15:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2022-07-01 13:21:34 +00:00
|
|
|
* Apply verifier headers to the response, per RFC 7231 §7.2.
|
|
|
|
|
* This is called after execute() returns.
|
|
|
|
|
*
|
|
|
|
|
* For GET and HEAD requests, the default behavior is to set the ETag and
|
|
|
|
|
* Last-Modified headers based on the values returned by getETag() and
|
|
|
|
|
* getLastModified() when they were called before execute() was run.
|
|
|
|
|
*
|
|
|
|
|
* Other request methods are assumed to be state-changing, so no headers
|
Replace all instances of "per default" with "by default"
According to the dictionary, "per" (or more conventionally "as per")
means "according to". Refer OED "per" sense II.3.a. For example:
"No value was passed, so return null, as per default".
In this sentence, we are not specifying the default, we are referring
to the default. This correct usage of "per default" was used nowhere
in MediaWiki core as far as I can see.
Instead we have "per default" being used to mean "by default", that is,
giving the value to use when no explicit value was specified.
In OED, the phrase "by default" is blessed with its own section just
for computing usage:
"P.1.e. Computing. As an option or setting adopted automatically by a
computer program whenever an alternative is not specified by the user
or programmer. Cf. sense I.7a."
There are highly similar pre-computing usages of the same phrase,
whereas the phrase "per default" is not mentioned.
As a matter of style, I think "per default" should not be used even
when it is strictly correct, since the common incorrect usage makes it
ambiguous and misleading.
Change-Id: Ibcccc65ead864d082677b472b34ff32ff41c60ae
2024-04-29 00:13:28 +00:00
|
|
|
* will be set by default.
|
2022-07-01 13:21:34 +00:00
|
|
|
*
|
|
|
|
|
* This may be overridden to modify the verifier headers sent in the response.
|
|
|
|
|
* However, handlers that modify the resource's state would typically just
|
|
|
|
|
* set the ETag and Last-Modified headers in the execute() method.
|
2019-09-30 06:15:30 +00:00
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-09-30 06:15:30 +00:00
|
|
|
* @param ResponseInterface $response
|
|
|
|
|
*/
|
|
|
|
|
public function applyConditionalResponseHeaders( ResponseInterface $response ) {
|
2022-07-01 13:21:34 +00:00
|
|
|
$method = $this->getRequest()->getMethod();
|
|
|
|
|
if ( $method === 'GET' || $method === 'HEAD' ) {
|
|
|
|
|
$this->getConditionalHeaderUtil()->applyResponseHeaders( $response );
|
|
|
|
|
}
|
2019-09-30 06:15:30 +00:00
|
|
|
}
|
|
|
|
|
|
2022-11-15 22:24:11 +00:00
|
|
|
/**
|
|
|
|
|
* Apply cache control to enforce privacy.
|
|
|
|
|
*
|
|
|
|
|
* @param ResponseInterface $response
|
|
|
|
|
*/
|
|
|
|
|
public function applyCacheControl( ResponseInterface $response ) {
|
|
|
|
|
// NOTE: keep this consistent with the logic in OutputPage::sendCacheControl
|
|
|
|
|
|
2022-11-28 14:22:40 +00:00
|
|
|
// If the response sets cookies, it must not be cached in proxies.
|
|
|
|
|
// If there's an active cookie-based session (logged-in user or anonymous user with
|
|
|
|
|
// session-scoped cookies), it is not safe to cache either, as the session manager may set
|
|
|
|
|
// cookies in the response, or the response itself may vary on user-specific variables,
|
|
|
|
|
// for example on private wikis where the 'read' permission is restricted. (T264631)
|
|
|
|
|
if ( $response->getHeaderLine( 'Set-Cookie' ) || $this->getSession()->isPersistent() ) {
|
2023-05-19 01:12:51 +00:00
|
|
|
$response->setHeader( 'Cache-Control', 'private,must-revalidate,s-maxage=0' );
|
2022-11-15 22:24:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( !$response->getHeaderLine( 'Cache-Control' ) ) {
|
|
|
|
|
$rqMethod = $this->getRequest()->getMethod();
|
|
|
|
|
if ( $rqMethod !== 'GET' && $rqMethod !== 'HEAD' ) {
|
Replace all instances of "per default" with "by default"
According to the dictionary, "per" (or more conventionally "as per")
means "according to". Refer OED "per" sense II.3.a. For example:
"No value was passed, so return null, as per default".
In this sentence, we are not specifying the default, we are referring
to the default. This correct usage of "per default" was used nowhere
in MediaWiki core as far as I can see.
Instead we have "per default" being used to mean "by default", that is,
giving the value to use when no explicit value was specified.
In OED, the phrase "by default" is blessed with its own section just
for computing usage:
"P.1.e. Computing. As an option or setting adopted automatically by a
computer program whenever an alternative is not specified by the user
or programmer. Cf. sense I.7a."
There are highly similar pre-computing usages of the same phrase,
whereas the phrase "per default" is not mentioned.
As a matter of style, I think "per default" should not be used even
when it is strictly correct, since the common incorrect usage makes it
ambiguous and misleading.
Change-Id: Ibcccc65ead864d082677b472b34ff32ff41c60ae
2024-04-29 00:13:28 +00:00
|
|
|
// Responses to requests other than GET or HEAD should not be cacheable by default.
|
2022-11-15 22:24:11 +00:00
|
|
|
$response->setHeader( 'Cache-Control', 'private,no-cache,s-maxage=0' );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-12 19:51:59 +00:00
|
|
|
/**
|
|
|
|
|
* Fetch ParamValidator settings for parameters
|
|
|
|
|
*
|
|
|
|
|
* Every setting must include self::PARAM_SOURCE to specify which part of
|
|
|
|
|
* the request is to contain the parameter.
|
|
|
|
|
*
|
2024-04-25 17:39:25 +00:00
|
|
|
* Can be used for the request body as well, by setting self::PARAM_SOURCE
|
2024-06-20 13:33:35 +00:00
|
|
|
* to "post". Note that the values of "post" parameters will be accessible
|
|
|
|
|
* through getValidatedParams(). "post" parameters are used with
|
|
|
|
|
* form data (application/x-www-form-urlencoded or multipart/form-data).
|
2020-12-26 21:29:45 +00:00
|
|
|
*
|
2024-06-20 13:33:35 +00:00
|
|
|
* For "query" parameters, a PARAM_REQUIRED setting of "false" means the caller
|
2024-04-03 03:05:07 +00:00
|
|
|
* does not have to supply the parameter. For "path" parameters, the path matcher will always
|
|
|
|
|
* require the caller to supply all path parameters for a route, regardless of the
|
|
|
|
|
* PARAM_REQUIRED setting. However, "path" parameters may be specified in getParamSettings()
|
|
|
|
|
* as non-required to indicate that the handler services multiple routes, some of which may
|
|
|
|
|
* not supply the parameter.
|
|
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-06-12 19:51:59 +00:00
|
|
|
* @return array[] Associative array mapping parameter names to
|
|
|
|
|
* ParamValidator settings arrays
|
|
|
|
|
*/
|
|
|
|
|
public function getParamSettings() {
|
|
|
|
|
return [];
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-25 17:39:25 +00:00
|
|
|
/**
|
|
|
|
|
* Fetch ParamValidator settings for body fields. Parameters defined
|
|
|
|
|
* by this method are used to validate the request body. The parameter
|
|
|
|
|
* values will become available through getValidatedBody().
|
|
|
|
|
*
|
|
|
|
|
* Subclasses may override this method to specify what fields they support
|
|
|
|
|
* in the request body. All parameter settings returned by this method must
|
|
|
|
|
* have self::PARAM_SOURCE set to 'body'.
|
|
|
|
|
*
|
|
|
|
|
* @return array[]
|
|
|
|
|
*/
|
|
|
|
|
public function getBodyParamSettings(): array {
|
2024-06-20 13:33:35 +00:00
|
|
|
return [];
|
2024-04-25 17:39:25 +00:00
|
|
|
}
|
|
|
|
|
|
2023-12-05 18:00:26 +00:00
|
|
|
/**
|
|
|
|
|
* Returns an OpenAPI Operation Object specification structure as an associative array.
|
|
|
|
|
*
|
|
|
|
|
* @see https://swagger.io/specification/#operation-object
|
|
|
|
|
*
|
Replace all instances of "per default" with "by default"
According to the dictionary, "per" (or more conventionally "as per")
means "according to". Refer OED "per" sense II.3.a. For example:
"No value was passed, so return null, as per default".
In this sentence, we are not specifying the default, we are referring
to the default. This correct usage of "per default" was used nowhere
in MediaWiki core as far as I can see.
Instead we have "per default" being used to mean "by default", that is,
giving the value to use when no explicit value was specified.
In OED, the phrase "by default" is blessed with its own section just
for computing usage:
"P.1.e. Computing. As an option or setting adopted automatically by a
computer program whenever an alternative is not specified by the user
or programmer. Cf. sense I.7a."
There are highly similar pre-computing usages of the same phrase,
whereas the phrase "per default" is not mentioned.
As a matter of style, I think "per default" should not be used even
when it is strictly correct, since the common incorrect usage makes it
ambiguous and misleading.
Change-Id: Ibcccc65ead864d082677b472b34ff32ff41c60ae
2024-04-29 00:13:28 +00:00
|
|
|
* By default, this will contain information about the supported parameters, as well as
|
2023-12-05 18:00:26 +00:00
|
|
|
* the response for status 200.
|
|
|
|
|
*
|
|
|
|
|
* Subclasses may override this to provide additional information.
|
|
|
|
|
*
|
|
|
|
|
* @since 1.42
|
|
|
|
|
* @stable to override
|
|
|
|
|
*
|
|
|
|
|
* @param string $method The HTTP method to produce a spec for ("get", "post", etc).
|
|
|
|
|
* Useful for handlers that behave differently depending on the
|
|
|
|
|
* request method.
|
|
|
|
|
*
|
|
|
|
|
* @return array
|
|
|
|
|
*/
|
|
|
|
|
public function getOpenApiSpec( string $method ): array {
|
|
|
|
|
$parameters = [];
|
|
|
|
|
|
2024-04-24 17:54:55 +00:00
|
|
|
$supportedPathParams = array_flip( $this->getSupportedPathParams() );
|
|
|
|
|
|
2023-12-05 18:00:26 +00:00
|
|
|
foreach ( $this->getParamSettings() as $name => $paramSetting ) {
|
2024-04-05 18:45:21 +00:00
|
|
|
$source = $paramSetting[ Validator::PARAM_SOURCE ] ?? '';
|
2023-12-05 18:00:26 +00:00
|
|
|
|
2024-04-05 18:45:21 +00:00
|
|
|
if ( $source !== 'query' && $source !== 'path' ) {
|
2024-04-24 17:54:55 +00:00
|
|
|
continue;
|
2023-12-05 18:00:26 +00:00
|
|
|
}
|
2024-04-24 17:54:55 +00:00
|
|
|
|
2024-04-05 18:45:21 +00:00
|
|
|
if ( $source === 'path' && !isset( $supportedPathParams[$name] ) ) {
|
2024-04-24 17:54:55 +00:00
|
|
|
// Skip optional path param not used in the current path
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-05 18:45:21 +00:00
|
|
|
$param = Validator::getParameterSpec(
|
|
|
|
|
$name,
|
|
|
|
|
$paramSetting
|
|
|
|
|
);
|
|
|
|
|
|
2024-04-24 17:54:55 +00:00
|
|
|
$parameters[] = $param;
|
2023-12-05 18:00:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$spec = [
|
|
|
|
|
'parameters' => $parameters,
|
2024-02-21 20:51:29 +00:00
|
|
|
'responses' => $this->generateResponseSpec(),
|
2023-12-05 18:00:26 +00:00
|
|
|
];
|
|
|
|
|
|
2024-04-05 18:45:21 +00:00
|
|
|
if ( !in_array( $method, RequestInterface::NO_BODY_METHODS ) ) {
|
|
|
|
|
$requestBody = $this->getRequestSpec( $method );
|
|
|
|
|
if ( $requestBody ) {
|
|
|
|
|
$spec['requestBody'] = $requestBody;
|
|
|
|
|
}
|
2023-12-05 18:00:26 +00:00
|
|
|
}
|
|
|
|
|
|
2023-10-30 16:04:41 +00:00
|
|
|
// TODO: Allow additional information about parameters and responses to
|
|
|
|
|
// be provided in the route definition.
|
2024-02-21 20:51:29 +00:00
|
|
|
$oas = $this->getConfig()['OAS'] ?? [];
|
|
|
|
|
$spec += $oas;
|
2023-10-30 16:04:41 +00:00
|
|
|
|
2023-12-05 18:00:26 +00:00
|
|
|
return $spec;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns an OpenAPI Request Body Object specification structure as an associative array.
|
2024-04-05 18:45:21 +00:00
|
|
|
*
|
2023-12-05 18:00:26 +00:00
|
|
|
* @see https://swagger.io/specification/#request-body-object
|
|
|
|
|
*
|
2024-04-05 18:45:21 +00:00
|
|
|
* This is based on the getBodyParamSettings() and getSupportedRequestTypes().
|
2023-12-05 18:00:26 +00:00
|
|
|
*
|
2024-04-05 18:45:21 +00:00
|
|
|
* Subclasses may override this to provide additional information about the
|
|
|
|
|
* structure of responses, or to add support for additional mediaTypes.
|
|
|
|
|
*
|
|
|
|
|
* @stable to override getBodySchema() to generate a schema for each
|
|
|
|
|
* supported media type as returned by getSupportedBodyTypes().
|
|
|
|
|
*
|
|
|
|
|
* @param string $method
|
2023-12-05 18:00:26 +00:00
|
|
|
*
|
|
|
|
|
* @return ?array
|
|
|
|
|
*/
|
2024-04-05 18:45:21 +00:00
|
|
|
protected function getRequestSpec( string $method ): ?array {
|
|
|
|
|
$mediaTypes = [];
|
2023-12-05 18:00:26 +00:00
|
|
|
|
2024-05-07 18:48:54 +00:00
|
|
|
foreach ( $this->getSupportedRequestTypes() as $type ) {
|
2024-04-05 18:45:21 +00:00
|
|
|
$schema = $this->getRequestBodySchema( $type );
|
|
|
|
|
|
|
|
|
|
if ( $schema ) {
|
|
|
|
|
$mediaTypes[$type] = [ 'schema' => $schema ];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( !$mediaTypes ) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return [
|
|
|
|
|
// TODO: some DELETE handlers may require a body that contains a token
|
|
|
|
|
// FIXME: check if there are required body params!
|
|
|
|
|
'required' => in_array( $method, RequestInterface::BODY_METHODS ),
|
|
|
|
|
'content' => $mediaTypes
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns a content schema per the OpenAPI spec.
|
|
|
|
|
* @see https://swagger.io/specification/#schema-object
|
|
|
|
|
*
|
|
|
|
|
* Per default, this provides schemas for JSON requests and form data, based
|
|
|
|
|
* on the parameter declarations returned by getParamSettings().
|
|
|
|
|
*
|
|
|
|
|
* Subclasses may override this to provide additional information about the
|
|
|
|
|
* structure of responses, or to add support for additional mediaTypes.
|
|
|
|
|
*
|
|
|
|
|
* @stable to override
|
|
|
|
|
* @return array
|
|
|
|
|
*/
|
|
|
|
|
protected function getRequestBodySchema( string $mediaType ): array {
|
|
|
|
|
if ( $mediaType === RequestInterface::FORM_URLENCODED_CONTENT_TYPE ) {
|
|
|
|
|
$allowedSources = [ 'body', 'post' ];
|
|
|
|
|
} elseif ( $mediaType === RequestInterface::MULTIPART_FORM_DATA_CONTENT_TYPE ) {
|
|
|
|
|
$allowedSources = [ 'body', 'post' ];
|
|
|
|
|
} else {
|
|
|
|
|
$allowedSources = [ 'body' ];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$paramSettings = $this->getBodyParamSettings();
|
|
|
|
|
|
|
|
|
|
$properties = [];
|
|
|
|
|
$required = [];
|
|
|
|
|
|
|
|
|
|
foreach ( $paramSettings as $name => $settings ) {
|
|
|
|
|
$source = $settings[ Validator::PARAM_SOURCE ] ?? '';
|
|
|
|
|
$isRequired = $settings[ ParamValidator::PARAM_REQUIRED ] ?? false;
|
|
|
|
|
|
|
|
|
|
if ( !in_array( $source, $allowedSources ) ) {
|
|
|
|
|
// TODO: post parameters also work as body parameters...
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$properties[$name] = Validator::getParameterSchema( $settings );
|
|
|
|
|
|
|
|
|
|
if ( $isRequired ) {
|
|
|
|
|
$required[] = $name;
|
2023-12-05 18:00:26 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-05 18:45:21 +00:00
|
|
|
if ( !$properties ) {
|
|
|
|
|
return [];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$schema = [
|
|
|
|
|
'type' => 'object',
|
|
|
|
|
'properties' => $properties,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
if ( $required ) {
|
|
|
|
|
$schema['required'] = $required;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $schema;
|
2023-12-05 18:00:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns an OpenAPI Schema Object specification structure as an associative array.
|
|
|
|
|
* @see https://swagger.io/specification/#schema-object
|
|
|
|
|
*
|
Replace all instances of "per default" with "by default"
According to the dictionary, "per" (or more conventionally "as per")
means "according to". Refer OED "per" sense II.3.a. For example:
"No value was passed, so return null, as per default".
In this sentence, we are not specifying the default, we are referring
to the default. This correct usage of "per default" was used nowhere
in MediaWiki core as far as I can see.
Instead we have "per default" being used to mean "by default", that is,
giving the value to use when no explicit value was specified.
In OED, the phrase "by default" is blessed with its own section just
for computing usage:
"P.1.e. Computing. As an option or setting adopted automatically by a
computer program whenever an alternative is not specified by the user
or programmer. Cf. sense I.7a."
There are highly similar pre-computing usages of the same phrase,
whereas the phrase "per default" is not mentioned.
As a matter of style, I think "per default" should not be used even
when it is strictly correct, since the common incorrect usage makes it
ambiguous and misleading.
Change-Id: Ibcccc65ead864d082677b472b34ff32ff41c60ae
2024-04-29 00:13:28 +00:00
|
|
|
* Returns null by default. Subclasses that return a JSON response should
|
2023-12-05 18:00:26 +00:00
|
|
|
* implement this method to return a schema of the response body.
|
|
|
|
|
*
|
|
|
|
|
* @stable to override
|
|
|
|
|
* @return ?array
|
|
|
|
|
*/
|
|
|
|
|
protected function getResponseBodySchema(): ?array {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns an OpenAPI Responses Object specification structure as an associative array.
|
|
|
|
|
* @see https://swagger.io/specification/#responses-object
|
|
|
|
|
*
|
Replace all instances of "per default" with "by default"
According to the dictionary, "per" (or more conventionally "as per")
means "according to". Refer OED "per" sense II.3.a. For example:
"No value was passed, so return null, as per default".
In this sentence, we are not specifying the default, we are referring
to the default. This correct usage of "per default" was used nowhere
in MediaWiki core as far as I can see.
Instead we have "per default" being used to mean "by default", that is,
giving the value to use when no explicit value was specified.
In OED, the phrase "by default" is blessed with its own section just
for computing usage:
"P.1.e. Computing. As an option or setting adopted automatically by a
computer program whenever an alternative is not specified by the user
or programmer. Cf. sense I.7a."
There are highly similar pre-computing usages of the same phrase,
whereas the phrase "per default" is not mentioned.
As a matter of style, I think "per default" should not be used even
when it is strictly correct, since the common incorrect usage makes it
ambiguous and misleading.
Change-Id: Ibcccc65ead864d082677b472b34ff32ff41c60ae
2024-04-29 00:13:28 +00:00
|
|
|
* By default, this will contain basic information response for status 200, 400, and 500.
|
2023-12-05 18:00:26 +00:00
|
|
|
* The getResponseBodySchema() method is used to determine the structure of the response for status 200.
|
|
|
|
|
*
|
|
|
|
|
* Subclasses may override this to provide additional information about the structure of responses.
|
|
|
|
|
*
|
|
|
|
|
* @stable to override
|
|
|
|
|
* @return array
|
|
|
|
|
*/
|
2024-02-21 20:51:29 +00:00
|
|
|
protected function generateResponseSpec(): array {
|
2023-12-05 18:00:26 +00:00
|
|
|
$ok = [ 'description' => 'OK' ];
|
|
|
|
|
|
|
|
|
|
$bodySchema = $this->getResponseBodySchema();
|
|
|
|
|
|
|
|
|
|
if ( $bodySchema ) {
|
|
|
|
|
$ok['content']['application/json']['schema'] = $bodySchema;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// XXX: we should add info about redirects, and maybe a default for errors?
|
|
|
|
|
return [
|
|
|
|
|
'200' => $ok,
|
|
|
|
|
'400' => [ '$ref' => '#/components/responses/GenericErrorResponse' ],
|
|
|
|
|
'500' => [ '$ref' => '#/components/responses/GenericErrorResponse' ],
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-12 19:51:59 +00:00
|
|
|
/**
|
|
|
|
|
* Fetch the BodyValidator
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2024-07-11 07:06:13 +00:00
|
|
|
* @deprecated since 1.43, return body properties from getBodyParamSettings().
|
|
|
|
|
* Subclasses that need full control over body data parsing should override
|
|
|
|
|
* parseBodyData() or implement validation in the execute() method based on
|
|
|
|
|
* the unparsed body data returned by getRequest()->getBody().
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-06-12 19:51:59 +00:00
|
|
|
* @param string $contentType Content type of the request.
|
2023-07-03 14:20:00 +00:00
|
|
|
* @return BodyValidator A {@see NullBodyValidator} in this default implementation
|
|
|
|
|
* @throws HttpException It's possible to fail early here when e.g. $contentType is unsupported,
|
|
|
|
|
* or later when {@see BodyValidator::validateBody} is called
|
2019-06-12 19:51:59 +00:00
|
|
|
*/
|
|
|
|
|
public function getBodyValidator( $contentType ) {
|
2024-07-11 07:06:13 +00:00
|
|
|
// NOTE: When removing this method, also remove the BodyValidator interface and
|
|
|
|
|
// all classes implementing it!
|
2019-06-12 19:51:59 +00:00
|
|
|
return new NullBodyValidator();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2019-11-15 01:26:32 +00:00
|
|
|
* Fetch the validated parameters. This must be called after validate() is
|
|
|
|
|
* called. During execute() is fine.
|
2019-06-12 19:51:59 +00:00
|
|
|
*
|
2019-11-15 01:26:32 +00:00
|
|
|
* @return array Array mapping parameter names to validated values
|
|
|
|
|
* @throws \RuntimeException If validate() has not been called
|
2019-06-12 19:51:59 +00:00
|
|
|
*/
|
|
|
|
|
public function getValidatedParams() {
|
2019-11-15 01:26:32 +00:00
|
|
|
if ( $this->validatedParams === null ) {
|
|
|
|
|
throw new \RuntimeException( 'getValidatedParams() called before validate()' );
|
|
|
|
|
}
|
2019-06-12 19:51:59 +00:00
|
|
|
return $this->validatedParams;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Fetch the validated body
|
2023-07-03 14:20:00 +00:00
|
|
|
* @return mixed|null Value returned by the body validator, or null if validate() was
|
2019-06-12 19:51:59 +00:00
|
|
|
* not called yet, validation failed, there was no body, or the body was form data.
|
|
|
|
|
*/
|
|
|
|
|
public function getValidatedBody() {
|
|
|
|
|
return $this->validatedBody;
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-14 13:02:30 +00:00
|
|
|
/**
|
2024-03-05 09:59:29 +00:00
|
|
|
* Returns the parsed body of the request.
|
|
|
|
|
* Should only be called if $request->hasBody() returns true.
|
|
|
|
|
*
|
|
|
|
|
* The default implementation handles application/x-www-form-urlencoded
|
2024-05-07 18:48:54 +00:00
|
|
|
* and multipart/form-data by calling $request->getPostParams(),
|
|
|
|
|
* if the list returned by getSupportedRequestTypes() includes these types.
|
2024-03-05 09:59:29 +00:00
|
|
|
*
|
|
|
|
|
* The default implementation handles application/json by parsing
|
|
|
|
|
* the body content as JSON. Only object structures (maps) are supported,
|
|
|
|
|
* other types will trigger an HttpException with status 400.
|
|
|
|
|
*
|
|
|
|
|
* Other content types will trigger a HttpException with status 415 per
|
|
|
|
|
* default.
|
|
|
|
|
*
|
|
|
|
|
* Subclasses may override this method to support parsing additional
|
|
|
|
|
* content types or to disallow content types by throwing an HttpException
|
|
|
|
|
* with status 415. Subclasses may also return null to indicate that they
|
2024-04-23 19:21:03 +00:00
|
|
|
* support reading the content, but intend to handle it as an unparsed
|
2024-03-05 09:59:29 +00:00
|
|
|
* stream in their implementation of the execute() method.
|
|
|
|
|
*
|
2024-05-07 18:48:54 +00:00
|
|
|
* Subclasses that override this method to support additional request types
|
|
|
|
|
* should also override getSupportedRequestTypes() to allow that support
|
|
|
|
|
* to be documented in the OpenAPI spec.
|
|
|
|
|
*
|
2024-03-05 09:59:29 +00:00
|
|
|
* @since 1.42
|
|
|
|
|
*
|
|
|
|
|
* @throws HttpException If the content type is not supported or the content
|
|
|
|
|
* is malformed.
|
|
|
|
|
*
|
|
|
|
|
* @return array|null The body content represented as an associative array,
|
|
|
|
|
* or null if the request body is accepted unparsed.
|
2024-02-14 13:02:30 +00:00
|
|
|
*/
|
|
|
|
|
public function parseBodyData( RequestInterface $request ): ?array {
|
|
|
|
|
// Parse the body based on its content type
|
|
|
|
|
$contentType = $request->getBodyType();
|
2024-03-04 11:39:19 +00:00
|
|
|
|
|
|
|
|
// HACK: If the Handler uses a custom BodyValidator, the
|
|
|
|
|
// getBodyValidator() is also responsible for checking whether
|
|
|
|
|
// the content type is valid, and for parsing the body.
|
|
|
|
|
// See T359149.
|
2024-07-11 07:06:13 +00:00
|
|
|
// TODO: remove once no subclasses override getBodyValidator() anymore
|
2024-03-04 11:39:19 +00:00
|
|
|
$bodyValidator = $this->getBodyValidator( $contentType ?? 'unknown/unknown' );
|
|
|
|
|
if ( !$bodyValidator instanceof NullBodyValidator ) {
|
|
|
|
|
// TODO: Trigger a deprecation warning.
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-07 18:48:54 +00:00
|
|
|
$supportedTypes = $this->getSupportedRequestTypes();
|
|
|
|
|
if ( $contentType !== null && !in_array( $contentType, $supportedTypes ) ) {
|
|
|
|
|
throw new LocalizedHttpException(
|
|
|
|
|
new MessageValue( 'rest-unsupported-content-type', [ $contentType ] ),
|
|
|
|
|
415
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-26 12:09:19 +00:00
|
|
|
// if it's supported and ends with "+json", we can probably parse it like a normal application/json request
|
|
|
|
|
$contentType = str_ends_with( $contentType ?? '', '+json' )
|
|
|
|
|
? RequestInterface::JSON_CONTENT_TYPE
|
|
|
|
|
: $contentType;
|
|
|
|
|
|
2024-02-14 13:02:30 +00:00
|
|
|
switch ( $contentType ) {
|
2024-05-07 19:00:54 +00:00
|
|
|
case RequestInterface::FORM_URLENCODED_CONTENT_TYPE:
|
|
|
|
|
case RequestInterface::MULTIPART_FORM_DATA_CONTENT_TYPE:
|
2024-07-01 09:20:48 +00:00
|
|
|
$params = $request->getPostParams();
|
|
|
|
|
foreach ( $params as $key => $value ) {
|
|
|
|
|
$params[ $key ] = UtfNormalValidator::cleanUp( $value );
|
|
|
|
|
// TODO: Warn if normalization was applied
|
|
|
|
|
}
|
|
|
|
|
return $params;
|
2024-05-07 19:00:54 +00:00
|
|
|
case RequestInterface::JSON_CONTENT_TYPE:
|
2024-02-27 11:42:55 +00:00
|
|
|
$jsonStream = $request->getBody();
|
2024-07-01 09:20:48 +00:00
|
|
|
$jsonString = (string)$jsonStream;
|
|
|
|
|
$normalizedJsonString = UtfNormalValidator::cleanUp( $jsonString );
|
|
|
|
|
$parsedBody = json_decode( $normalizedJsonString, true );
|
2024-02-14 13:02:30 +00:00
|
|
|
if ( !is_array( $parsedBody ) ) {
|
|
|
|
|
throw new LocalizedHttpException(
|
2024-03-05 09:59:29 +00:00
|
|
|
new MessageValue(
|
|
|
|
|
'rest-json-body-parse-error',
|
|
|
|
|
[ 'not a valid JSON object' ]
|
|
|
|
|
),
|
2024-02-14 13:02:30 +00:00
|
|
|
400
|
|
|
|
|
);
|
|
|
|
|
}
|
2024-07-01 09:20:48 +00:00
|
|
|
// TODO: Warn if normalization was applied
|
2024-02-14 13:02:30 +00:00
|
|
|
return $parsedBody;
|
2024-03-14 13:56:05 +00:00
|
|
|
case null:
|
|
|
|
|
// Specifying no Content-Type is fine if the body is empty
|
|
|
|
|
if ( $request->getBody()->getSize() === 0 ) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2024-07-01 09:20:48 +00:00
|
|
|
// no break, else fall through to the error below.
|
2024-02-14 13:02:30 +00:00
|
|
|
default:
|
2024-02-28 15:49:20 +00:00
|
|
|
throw new LocalizedHttpException(
|
|
|
|
|
new MessageValue( 'rest-unsupported-content-type', [ $contentType ?? '(null)' ] ),
|
|
|
|
|
415
|
|
|
|
|
);
|
2024-02-14 13:02:30 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-07 18:48:54 +00:00
|
|
|
/**
|
|
|
|
|
* Returns the content types that should be accepted by parseBodyData().
|
|
|
|
|
*
|
|
|
|
|
* Subclasses that support request types other than application/json
|
|
|
|
|
* should override this method.
|
|
|
|
|
*
|
|
|
|
|
* If "application/x-www-form-urlencoded" or "multipart/form-data" are
|
|
|
|
|
* returned, parseBodyData() will use $request->getPostParams() to determine
|
|
|
|
|
* the body data.
|
|
|
|
|
*
|
|
|
|
|
* @note The return value of this method is ignored for requests
|
|
|
|
|
* using a method listed in Validator::NO_BODY_METHODS,
|
|
|
|
|
* in particular for the GET method.
|
|
|
|
|
*
|
|
|
|
|
* @note for backwards compatibility, the default implementation of this
|
|
|
|
|
* method will examine the parameter definitions returned by getParamSettings()
|
|
|
|
|
* to see if any of the parameters are declared as "post" parameters. If this
|
|
|
|
|
* is the case, support for "application/x-www-form-urlencoded" and
|
|
|
|
|
* "multipart/form-data" is added. This may change in future releases.
|
|
|
|
|
* It is preferred to use "body" parameters and override this method explicitly
|
|
|
|
|
* when support for form data is desired.
|
|
|
|
|
*
|
|
|
|
|
* @stable to override
|
|
|
|
|
*
|
|
|
|
|
* @return string[] A list of content-types
|
|
|
|
|
*/
|
|
|
|
|
public function getSupportedRequestTypes(): array {
|
|
|
|
|
$types = [
|
2024-05-07 19:00:54 +00:00
|
|
|
RequestInterface::JSON_CONTENT_TYPE
|
2024-05-07 18:48:54 +00:00
|
|
|
];
|
|
|
|
|
|
2024-05-07 19:00:54 +00:00
|
|
|
// TODO: remove this once "post" parameters are no longer supported! T362850
|
2024-05-07 18:48:54 +00:00
|
|
|
foreach ( $this->getParamSettings() as $settings ) {
|
|
|
|
|
if ( ( $settings[self::PARAM_SOURCE] ?? null ) === 'post' ) {
|
2024-05-07 19:00:54 +00:00
|
|
|
$types[] = RequestInterface::FORM_URLENCODED_CONTENT_TYPE;
|
|
|
|
|
$types[] = RequestInterface::MULTIPART_FORM_DATA_CONTENT_TYPE;
|
2024-05-07 18:48:54 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $types;
|
|
|
|
|
}
|
|
|
|
|
|
Hooks::run() call site migration
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
2020-03-19 02:42:09 +00:00
|
|
|
/**
|
|
|
|
|
* Get a HookContainer, for running extension hooks or for hook metadata.
|
|
|
|
|
*
|
|
|
|
|
* @since 1.35
|
|
|
|
|
* @return HookContainer
|
|
|
|
|
*/
|
|
|
|
|
protected function getHookContainer() {
|
|
|
|
|
return $this->hookContainer;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get a HookRunner for running core hooks.
|
|
|
|
|
*
|
|
|
|
|
* @internal This is for use by core only. Hook interfaces may be removed
|
|
|
|
|
* without notice.
|
|
|
|
|
* @since 1.35
|
|
|
|
|
* @return HookRunner
|
|
|
|
|
*/
|
|
|
|
|
protected function getHookRunner() {
|
|
|
|
|
return $this->hookRunner;
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/**
|
|
|
|
|
* The subclass should override this to provide the maximum last modified
|
2022-07-01 13:21:34 +00:00
|
|
|
* timestamp of the requested resource. This is called before execute() in
|
|
|
|
|
* order to decide whether to send a 304. If the request is going to
|
|
|
|
|
* change the state of the resource, the time returned must represent
|
|
|
|
|
* the last modification date before the change. In other words, it must
|
|
|
|
|
* provide the timestamp of the entity that the change is going to be
|
|
|
|
|
* applied to.
|
|
|
|
|
*
|
|
|
|
|
* For GET and HEAD requests, this value will automatically be included
|
|
|
|
|
* in the response in the Last-Modified header.
|
2019-05-09 01:36:18 +00:00
|
|
|
*
|
2022-07-01 13:21:34 +00:00
|
|
|
* Handlers that modify the resource and want to return a Last-Modified
|
|
|
|
|
* header representing the new state in the response should set the header
|
|
|
|
|
* in the execute() method.
|
|
|
|
|
*
|
|
|
|
|
* See RFC 7231 §7.2 and RFC 7232 §2.3 for semantics.
|
2019-05-09 01:36:18 +00:00
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2024-05-11 18:27:00 +00:00
|
|
|
* @return string|int|float|DateTime|null
|
2019-05-09 01:36:18 +00:00
|
|
|
*/
|
|
|
|
|
protected function getLastModified() {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The subclass should override this to provide an ETag for the current
|
2022-07-01 13:21:34 +00:00
|
|
|
* state of the requested resource. This is called before execute() in
|
|
|
|
|
* order to decide whether to send a 304. If the request is going to
|
|
|
|
|
* change the state of the resource, the ETag returned must represent
|
|
|
|
|
* the state before the change. In other words, it must identify
|
|
|
|
|
* the entity that the change is going to be applied to.
|
2019-05-09 01:36:18 +00:00
|
|
|
*
|
2022-07-01 13:21:34 +00:00
|
|
|
* For GET and HEAD requests, this ETag will also be included in the
|
|
|
|
|
* response.
|
2019-09-30 06:15:30 +00:00
|
|
|
*
|
2022-07-01 13:21:34 +00:00
|
|
|
* Handlers that modify the resource and want to return an ETag
|
|
|
|
|
* header representing the new state in the response should set the header
|
|
|
|
|
* in the execute() method. However, note that responses to PUT requests
|
|
|
|
|
* must not return an ETag unless the new content of the resource is exactly
|
|
|
|
|
* the data that was sent by the client in the request body.
|
|
|
|
|
*
|
|
|
|
|
* This must be a complete ETag, including double quotes.
|
|
|
|
|
* See RFC 7231 §7.2 and RFC 7232 §2.3 for semantics.
|
2019-05-09 01:36:18 +00:00
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-05-09 01:36:18 +00:00
|
|
|
* @return string|null
|
|
|
|
|
*/
|
|
|
|
|
protected function getETag() {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-30 06:15:30 +00:00
|
|
|
/**
|
|
|
|
|
* The subclass should override this to indicate whether the resource
|
|
|
|
|
* exists. This is used for wildcard validators, for example "If-Match: *"
|
|
|
|
|
* fails if the resource does not exist.
|
|
|
|
|
*
|
2022-07-01 13:21:34 +00:00
|
|
|
* In a state-changing request, the return value of this method should
|
|
|
|
|
* reflect the state before the requested change is applied.
|
|
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-09-30 06:15:30 +00:00
|
|
|
* @return bool|null
|
|
|
|
|
*/
|
|
|
|
|
protected function hasRepresentation() {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-26 02:33:35 +00:00
|
|
|
/**
|
|
|
|
|
* Indicates whether this route requires read rights.
|
|
|
|
|
*
|
|
|
|
|
* The handler should override this if it does not need to read from the
|
|
|
|
|
* wiki. This is uncommon, but may be useful for login and other account
|
|
|
|
|
* management APIs.
|
|
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-06-26 02:33:35 +00:00
|
|
|
* @return bool
|
|
|
|
|
*/
|
|
|
|
|
public function needsReadAccess() {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2024-07-12 14:20:17 +00:00
|
|
|
* Indicates whether this route requires write access to the wiki.
|
2019-06-26 02:33:35 +00:00
|
|
|
*
|
2024-07-12 14:20:17 +00:00
|
|
|
* Handlers may override this method to return false if and only if the operation they
|
|
|
|
|
* implement is "safe" per RFC 7231 section 4.2.1. A handler's operation is "safe" if
|
|
|
|
|
* it is essentially read-only, i.e. the client does not request nor expect any state
|
|
|
|
|
* change that would be observable in the responses to future requests.
|
2019-06-26 02:33:35 +00:00
|
|
|
*
|
2024-07-12 14:20:17 +00:00
|
|
|
* Implementations of this method must always return the same value, regardless of the
|
|
|
|
|
* parameters passed to the constructor or system state.
|
|
|
|
|
*
|
|
|
|
|
* Handlers for GET, HEAD, OPTIONS, and TRACE requests should each implement a "safe"
|
|
|
|
|
* operation. Handlers of PUT and DELETE requests should each implement a non-"safe"
|
|
|
|
|
* operation. Note that handlers of POST requests can implement a "safe" operation,
|
|
|
|
|
* particularly in the case where large input parameters are required.
|
|
|
|
|
*
|
|
|
|
|
* The information provided by this method is used to perform basic authorization checks
|
|
|
|
|
* and to determine whether cross-origin requests are safe.
|
2019-06-26 02:33:35 +00:00
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-06-26 02:33:35 +00:00
|
|
|
* @return bool
|
|
|
|
|
*/
|
|
|
|
|
public function needsWriteAccess() {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-04 16:29:51 +00:00
|
|
|
/**
|
|
|
|
|
* Indicates whether this route can be accessed only by session providers safe vs csrf
|
|
|
|
|
*
|
|
|
|
|
* The handler should override this if the route must only be accessed by session
|
|
|
|
|
* providers that are safe against csrf.
|
|
|
|
|
*
|
|
|
|
|
* A return value of false does not necessarily mean the route is vulnerable to csrf attacks.
|
|
|
|
|
* It means the route can be accessed by session providers that are not automatically safe
|
|
|
|
|
* against csrf attacks, so the possibility of csrf attacks must be considered.
|
|
|
|
|
*
|
|
|
|
|
* @stable to override
|
|
|
|
|
*
|
|
|
|
|
* @return bool
|
|
|
|
|
*/
|
|
|
|
|
public function requireSafeAgainstCsrf() {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-12 01:41:54 +00:00
|
|
|
/**
|
2024-05-22 21:04:09 +00:00
|
|
|
* The handler can override this to do any necessary setup after the init functions
|
|
|
|
|
* are called to inject dependencies.
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2023-10-30 16:04:41 +00:00
|
|
|
* @throws HttpException if the handler does not accept the request for
|
|
|
|
|
* some reason.
|
2020-05-12 01:41:54 +00:00
|
|
|
*/
|
|
|
|
|
protected function postInitSetup() {
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-03 17:53:55 +00:00
|
|
|
/**
|
|
|
|
|
* The handler can override this to do any necessary setup after validate()
|
|
|
|
|
* has been called. This gives the handler an opportunity to do initialization
|
|
|
|
|
* based on parameters before pre-execution calls like getLastModified() or getETag().
|
|
|
|
|
*
|
|
|
|
|
* @stable to override
|
|
|
|
|
* @since 1.36
|
|
|
|
|
*/
|
|
|
|
|
protected function postValidationSetup() {
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-09 01:36:18 +00:00
|
|
|
/**
|
|
|
|
|
* Execute the handler. This is called after parameter validation. The
|
|
|
|
|
* return value can either be a Response or any type accepted by
|
|
|
|
|
* ResponseFactory::createFromReturnValue().
|
|
|
|
|
*
|
|
|
|
|
* To automatically construct an error response, execute() should throw a
|
2020-12-26 02:43:33 +00:00
|
|
|
* \MediaWiki\Rest\HttpException. Such exceptions will not be logged like
|
|
|
|
|
* a normal exception.
|
2019-05-09 01:36:18 +00:00
|
|
|
*
|
|
|
|
|
* If execute() throws any other kind of exception, the exception will be
|
|
|
|
|
* logged and a generic 500 error page will be shown.
|
|
|
|
|
*
|
2020-07-13 08:57:12 +00:00
|
|
|
* @stable to override
|
2020-03-12 11:13:22 +00:00
|
|
|
*
|
2019-05-09 01:36:18 +00:00
|
|
|
* @return mixed
|
|
|
|
|
*/
|
|
|
|
|
abstract public function execute();
|
|
|
|
|
}
|
