如何解决Woocommerce 限制 API
我在使用 Wocommerce API 时遇到了一些问题。我知道这并不理想,但我使用它和一个唯一的键来读取/写入我网站上的一些资源。为了防止有人使用密钥获取其他用户的数据,我编写了一个函数,在登录时生成一个唯一的令牌,这是每个请求所需的,然后使用 rest_pre_dispatch 过滤器对其进行验证。它起作用了,但不幸的是,该过滤器没有关于请求的详细信息,所以我试图找到一种更实用的方法来做到这一点。我在 GitHub issue 上找到了以下代码:
class App_API_Validation {
public function __construct(){
add_filter( 'woocommerce_api_create_order_data',array( $this,'validate_customer_on_resource_creation' ),999999 );
add_filter( 'woocommerce_api_dispatch_args','validate_request' ),999999 );
}
/**
* Validate REST API's request
*
* It is hooked on 'woocommerce_api_dispatch_args' filter.
* With our custom validation we ensure that user has access
* only to his resources,which means:
* #1 - User doesn't have access ability to make CRUD operations to other users profiles
* #2 - User doesn't have access to others users resources (we are validating ownership)
* #3 - User doesn't have access to any resource list - for example to get all customers or orders.
*
* @param array $args Data sent by REST API client
* @param array $callback Function to process REST API's request
*
* @return WP_Error|array
*/
public function validate_request( $args,$callback ) {
echo 1;die;
$class_name = get_class( $callback[0] );
$method_name = $callback[1];
$id = ( isset( $args['id'] ) ? $args['id'] : false );
$are_resources_valid = true;
if ( $id ) {
if ( $this->has_to_trigger_resources_user_validation( $class_name,$method_name ) ) {
// Does user access his own profile ?
$are_resources_valid = $this->validate_resources_user( $id );
} else {
// Does user has ownership of the requested resource ?
$are_resources_valid = $this->validate_resources_ownership( $id,$class_name );
}
} else {
// Does user try to get a list of resources,// for example - all customers or orders
$are_resources_valid = $this->validate_resources_list( $class_name,$method_name );
}
// If requested resources validation fails trigger error
if ( ! $are_resources_valid ) {
$args = $this->get_error();
}
return $args;
}
/**
* Filter resource data on create
*
* We ensure whether a customer creates resource for himself
*/
public function validate_resource_creation() {
}
/**
* Validate customer on resource creation
*
* Do not allow one customer to create resource of another customer
*
* @param array $data Resource data
*
* @return array $data
* @throws WC_API_Exception
*/
public function validate_customer_on_resource_creation( $data ) {
$customer_id = $data['customer_id'];
$does_user_create_resource_for_himself = $this->validate_resources_user( $customer_id );
if ( ! $does_user_create_resource_for_himself ) {
$this->get_error( true );
}
return $data;
}
/**
* Get or throw an error message if validation fails
*
* @param bool|false $throw Whether to throw new error or not
*
* @return WP_Error
* @throws WC_API_Exception
*/
public function get_error( $throw = false ) {
$code = 'woocommerce_app_api_insufficient_permissions';
$message = __( 'You don\'t have sufficient permissions','app-translations' );
$status = 401;
if ( $throw ) {
throw new WC_API_Exception( $code,$message,$status );
}
return new WP_Error( $code,array( 'status' => $status ) );
}
/**
* Check whether or not to trigger user validation
*
* User validation is triggered when one of listed method is called
*
* @param string $class_name
* @param string $method_name
*
* @return bool
*/
public function has_to_trigger_resources_user_validation( $class_name,$method_name ) {
$resources_user = array(
'WC_API_Customers' => array(
'get_customer',),'WC_API_Customers_Extended' => array(
'get_customer_addresses'
),);
return $this->is_method_exists( $resources_user,$class_name,$method_name );
}
/**
* Check if a method exists in array of classes (resources)
*
* @param $resources
* @param $class_name
* @param $method_name
*
* @return bool
*/
private function is_method_exists( $resources,$method_name ) {
$is_class_exist = array_key_exists( $class_name,$resources );
$is_method_exist = ( $is_class_exist && in_array( $method_name,$resources[ $class_name ] ) );
return $is_method_exist;
}
/**
* Validate resource list
*
* If the customer tries to access list of resource,* we are restrict his access.
*
* @param $class_name
* @param $method_name
*
* @return bool
*/
public function validate_resources_list( $class_name,$method_name ) {
$resources_list = array(
'WC_API_Customers' => array(
'get_customers'
),'WC_API_Addresses' => array(
'get_addresses'
)
);
// If the method exist,then it is forbidden for access
$condition = ( ! $this->is_method_exists( $resources_list,$method_name ) );
return $condition;
}
/**
* Does user access his own profile
*
* We are checking whether current user (by his customer key)
* has the same id according requested $id
*
* @param int $id ID of the requested customer
*
* @return bool
*/
public function validate_resources_user( $id ) {
$current_user = wp_get_current_user();
// Check if the user tries to access his own resources
$does_user_access_his_resource = ( $id == $current_user->ID );
return $does_user_access_his_resource;
}
/**
* Check whether requested resource id is owned by current user
*
* At $resources_ownership array we describe all resources these require
* user to has ownership of them.
*
* @param int $id ID of requested resource
* @param string $class_name Class that represent requested resource
*
* @return bool
*/
public function validate_resources_ownership( $id,$class_name ) {
// Classes that require user to have ownership of requested resource
$resources_ownership = array(
'WC_API_Addresses','WC_API_Orders',);
$is_class_exist = in_array( $class_name,$resources_ownership );
if ( ! $is_class_exist ) {
return true;
}
$current_user = wp_get_current_user();
$model_user = new User( $current_user->ID );
switch ( $class_name ) {
case 'WC_API_Addresses':
$has_user_ownership_of_object = $model_user->has_user_address( $id );
break;
case 'WC_API_Orders':
$has_user_ownership_of_object = $model_user->has_user_order( $id );
break;
}
return $has_user_ownership_of_object;
}
}
问题是过滤器 woocommerce_api_dispatch_args 没有被调用,所以没有任何东西可以工作了。你有什么想法让这项工作再次发挥作用吗?谢谢!
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。