Excluded callable methods cannot be called from an ajax request.

jaxon-php · Jan 25, 2025 · 693652b · 693652b
1 parent 0004e66
commit 693652b
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 2 deletions.
diff --git a/src/Plugin/Request/CallableClass/CallableClassPlugin.php b/src/Plugin/Request/CallableClass/CallableClassPlugin.php
@@ -255,7 +255,14 @@ public function processRequest()
             $xCallableObject = $this->getCallable($sClassName);
 
             $sError = 'errors.objects.call';
-            $xCallableObject->call($this->xTarget);
+            if(!$xCallableObject->excluded($sMethodName))
+            {
+                $xCallableObject->call($this->xTarget);
+                return;
+            }
+
+            // Unable to find the requested class or method
+            $this->throwException('', 'errors.objects.excluded', $aErrorParams);
         }
         catch(ReflectionException|SetupException $e)
         {

diff --git a/src/Plugin/Request/CallableClass/CallableObject.php b/src/Plugin/Request/CallableClass/CallableObject.php
@@ -175,10 +175,16 @@ public function getPublicMethods(bool $bTakeAll): array
     }
 
     /**
+     * @param string|null $sMethod
+     *
      * @return bool
      */
-    public function excluded(): bool
+    public function excluded(?string $sMethod = null): bool
     {
+        if($sMethod !== null && $this->isProtectedMethod($sMethod, false))
+        {
+            return true;
+        }
         return $this->xOptions->excluded();
     }
 

diff --git a/tests/TestRequestHandler/ClassTest.php b/tests/TestRequestHandler/ClassTest.php
@@ -218,4 +218,72 @@ public function testRequestWithIncorrectMethodName()
         $this->expectException(RequestException::class);
         jaxon()->processRequest();
     }
+
+    /**
+     * @throws SetupException
+     * @throws RequestException
+     */
+    public function testRequestToExcludedClass()
+    {
+        jaxon()->app()->setOption('', true);
+        jaxon()->register(Jaxon::CALLABLE_CLASS, 'Excluded', [
+            'include' => __DIR__ . '/../src/excluded.php',
+            'functions' => [
+                '*' => [
+                    'excluded' => true,
+                ],
+            ],
+        ]);
+        // The server request
+        jaxon()->di()->set(ServerRequestInterface::class, function($c) {
+            return $c->g(ServerRequestCreator::class)
+                ->fromGlobals()
+                ->withParsedBody([
+                    'jxncall' => json_encode([
+                        'type' => 'class',
+                        'name' => 'Excluded',
+                        'method' => 'action',
+                        'args' => [],
+                    ]),
+                ]);
+        });
+
+        $this->assertTrue(jaxon()->di()->getRequestHandler()->canProcessRequest());
+        $this->expectException(RequestException::class);
+        jaxon()->processRequest();
+    }
+
+    /**
+     * @throws SetupException
+     * @throws RequestException
+     */
+    public function testRequestToExcludedMethod()
+    {
+        jaxon()->app()->setOption('', true);
+        jaxon()->register(Jaxon::CALLABLE_CLASS, 'Excluded', [
+            'include' => __DIR__ . '/../src/excluded.php',
+            'functions' => [
+                'action' => [
+                    'excluded' => true,
+                ],
+            ],
+        ]);
+        // The server request
+        jaxon()->di()->set(ServerRequestInterface::class, function($c) {
+            return $c->g(ServerRequestCreator::class)
+                ->fromGlobals()
+                ->withParsedBody([
+                    'jxncall' => json_encode([
+                        'type' => 'class',
+                        'name' => 'Excluded',
+                        'method' => 'action',
+                        'args' => [],
+                    ]),
+                ]);
+        });
+
+        $this->assertTrue(jaxon()->di()->getRequestHandler()->canProcessRequest());
+        $this->expectException(RequestException::class);
+        jaxon()->processRequest();
+    }
 }
diff --git a/translations/en/errors.php b/translations/en/errors.php
@@ -42,6 +42,7 @@
         'objects' => [
             'call' => "An error occured during the call of method :method in of class :class.",
             'invalid' => "Invalid object request received; no object :class or method :method found.",
+            'excluded' => "Trying to call the excluded method :method of class :class.",
             'instance' => "To register a callable object, please provide an instance of the desired class.",
             'invalid-declaration' => "Invalid object declaration.",
         ],

diff --git a/translations/es/errors.php b/translations/es/errors.php
@@ -42,6 +42,7 @@
         'objects' => [
             'call' => "An error occured during the call of method :method in of class :class",
             'invalid' => "Solicitud de objeto invalida recibida; Sin objeto :class o metodo :method encontrado.",
+            'excluded' => "Trying to call the excluded method :method of class :class.",
             'instance' => "Para registrar un objeto, por favor de proveer una instancia de la clase deseada.",
             'invalid-declaration' => "Declaración de objeto invalida.",
         ],

diff --git a/translations/fr/errors.php b/translations/fr/errors.php
@@ -42,6 +42,7 @@
         'objects' => [
             'call' => "Une erreur s'est produite à l'appel de la méthode :method de la classe :class.",
             'invalid' => "La requête indique un objet invalide; il n'existe pas de classe :class ou de méthode :method.",
+            'excluded' => "La requête a essayé d'appeler la méthode :method de la classe :class, qui est exclue.",
             'instance' => "Pour enregistrer un objet, vous devez fournir une instance de la classe correspondante.",
             'invalid-declaration' => "La déclaration d'objet est invalide.",
         ],