Rest.php

<?php
/**
 * Rest controller class.
 *
 * @since 5.25
 */

namespace CiviCRM_WP_REST\Controller;

class Rest extends Base {

  /**
   * @var string
   * The base route.
   * @since 5.25
   */
  protected $rest_base = 'rest';

  /**
   * Registers routes.
   *
   * @since 5.25
   */
  public function register_routes() {

    register_rest_route($this->get_namespace(), $this->get_rest_base(), [
      [
        'methods' => \WP_REST_Server::ALLMETHODS,
        'callback' => [$this, 'get_items'],
        'permission_callback' => [$this, 'permissions_check'],
        'args' => $this->get_item_args(),
      ],
      'schema' => [$this, 'get_item_schema'],
    ]);

  }

  /**
   * Check get permission.
   *
   * @since 5.25
   *
   * @param WP_REST_Request $request
   * @return bool
   */
  public function permissions_check($request) {

    /**
     * Opportunity to bypass CiviCRM's authentication ('api_key' and 'site_key').
     *
     * Return 'true' or 'false' to grant or deny access to this endpoint.
     *
     * To deny and throw an error, return either a string, an array, or a \WP_Error.
     *
     * NOTE: if you use your own authentication, you still must log in the user
     * in order to respect/apply CiviCRM ACLs.
     *
     * @since 5.25
     *
     * @param null|bool|string|array|\WP_Error $grant_auth Grant, deny, or error
     * @param \WP_REST_Request $request The request
     */
    $grant_auth = apply_filters('civi_wp_rest/controller/rest/permissions_check', NULL, $request);

    if (is_bool($grant_auth)) {

      return $grant_auth;

    }

    elseif (is_string($grant_auth)) {

      return $this->civi_rest_error($grant_auth);

    }

    elseif (is_array($grant_auth)) {

      return $this->civi_rest_error(__('CiviCRM WP REST permission check error.', 'civicrm'), $grant_auth);

    }

    elseif ($grant_auth instanceof \WP_Error) {

      return $grant_auth;

    }

    else {

      if (!$this->is_valid_api_key($request)) {
        return $this->civi_rest_error(__('Param api_key is not valid.', 'civicrm'));
      }

      if (!$this->is_valid_site_key()) {
        return $this->civi_rest_error(__('Param key is not valid.', 'civicrm'));
      }

      return TRUE;

    }

  }

  /**
   * Get items.
   *
   * @since 5.25
   *
   * @param WP_REST_Request $request
   */
  public function get_items($request) {

    /**
     * Filter formatted API params.
     *
     * @since 5.25
     *
     * @param array $params
     * @param WP_REST_Request $request
     */
    $params = apply_filters('civi_wp_rest/controller/rest/api_params', $this->get_formatted_api_params($request), $request);

    try {
      $items = civicrm_api3(...$params);
    }
    catch (\CRM_Core_Exception $e) {
      $items = $this->civi_rest_error($e);
    }

    if (!isset($items) || empty($items)) {
      return rest_ensure_response([]);
    }

    /**
     * Filter CiviCRM API result.
     *
     * @since 5.25
     *
     * @param array $items
     * @param WP_REST_Request $request
     */
    $data = apply_filters('civi_wp_rest/controller/rest/api_result', $items, $params, $request);

    // Only collections of items, ie any action but 'getsingle'.
    if (isset($data['values'])) {

      $data['values'] = array_reduce($items['values'] ?? $items, function($items, $item) use ($request) {

        $response = $this->prepare_item_for_response($item, $request);

        $items[] = $this->prepare_response_for_collection($response);

        return $items;

      }, []);

    }

    $response = rest_ensure_response($data);

    // Check whether we need to serve xml or json.
    if (!in_array('json', array_keys($request->get_params()))) {

      /**
       * Adds our response holding CiviCRM data before dispatching.
       *
       * @since 5.25
       *
       * @param WP_HTTP_Response $result Result to send to client
       * @param WP_REST_Server $server The REST server
       * @param WP_REST_Request $request The request
       * @return WP_HTTP_Response $result Result to send to client
       */
      add_filter('rest_post_dispatch', function($result, $server, $request) use ($response) {

        return $response;

      }, 10, 3);

      // serve xml
      add_filter('rest_pre_serve_request', [$this, 'serve_xml_response'], 10, 4);

    }

    else {

      // return json
      return $response;

    }

  }

  /**
   * Get formatted API params.
   *
   * @since 5.25
   *
   * @param WP_REST_Resquest $request
   * @return array $params
   */
  public function get_formatted_api_params($request) {

    $args = $request->get_params();

    $entity = $args['entity'];
    $action = $args['action'];

    // unset unnecessary args
    unset($args['entity'], $args['action'], $args['key'], $args['api_key']);

    if (!isset($args['json']) || is_numeric($args['json'])) {

      $params = $args;

    }

    else {

      $params = is_string($args['json']) ? json_decode($args['json'], TRUE) : [];

    }

    // Ensure check permissions is enabled.
    $params['check_permissions'] = TRUE;

    return [$entity, $action, $params];

  }

  /**
   * Matches the item data to the schema.
   *
   * @since 5.25
   *
   * @param object $item
   * @param WP_REST_Request $request
   */
  public function prepare_item_for_response($item, $request) {

    return rest_ensure_response($item);

  }

  /**
   * Serves XML response.
   *
   * @since 5.25
   *
   * @param bool $served Whether the request has already been served
   * @param WP_REST_Response $result
   * @param WP_REST_Request $request
   * @param WP_REST_Server $server
   */
  public function serve_xml_response($served, $result, $request, $server) {

    // Get XML from response.
    $xml = $this->get_xml_formatted_data($result->get_data());

    // Set content type header.
    $server->send_header('Content-Type', 'text/xml');

    echo $xml;

    return TRUE;

  }

  /**
   * Formats CiviCRM API result to XML.
   *
   * @since 5.25
   *
   * @param array $data The CiviCRM API result.
   * @return string $xml The formatted XML.
   */
  protected function get_xml_formatted_data(array $data) {

    // XML document.
    $xml = new \DOMDocument();

    // Result set element <ResultSet>.
    $result_set = $xml->createElement('ResultSet');

    // The xmlns:xsi attribute.
    $result_set->setAttribute('xmlns:xsi', 'http://www.w3.org/2001/XMLSchema-instance');

    // Count attributes.
    if (isset($data['count'])) {
      $result_set->setAttribute('count', $data['count']);
    }

    // Build result from result => values.
    if (isset($data['values'])) {

      array_map(function($item) use ($result_set, $xml) {

        // Result element <Result>.
        $result = $xml->createElement('Result');

        // Format item.
        $result = $this->get_xml_formatted_item($item, $result, $xml);

        // Append result to result set.
        $result_set->appendChild($result);

      }, $data['values']);

    }
    else {

      // Result element <Result>.
      $result = $xml->createElement('Result');

      // Format item.
      $result = $this->get_xml_formatted_item($data, $result, $xml);

      // Append result to result set.
      $result_set->appendChild($result);

    }

    // Append result set.
    $xml->appendChild($result_set);

    return $xml->saveXML();

  }

  /**
   * Formats a single API result to XML.
   *
   * @since 5.25
   *
   * @param array $item The single API result.
   * @param \DOMElement $parent The parent element to append to.
   * @param \DOMDocument $doc The document.
   * @return \DOMElement $parent The parent element.
   */
  public function get_xml_formatted_item(array $item, \DOMElement $parent, \DOMDocument $doc) {

    // Build field => values.
    array_map(function($field, $value) use ($parent, $doc) {

      // Entity field element.
      $element = $doc->createElement($field);

      // Handle array values.
      if (is_array($value)) {

        array_map(function($key, $val) use ($element, $doc) {

          /*
           * Child element - append underscore '_' otherwise createElement will
           * throw an Invalid character exception as elements cannot start with
           * a number.
           */
          $child = $doc->createElement('_' . $key, $val);

          // Append child.
          $element->appendChild($child);

        }, array_keys($value), $value);

      }
      else {

        // Assign value.
        $element->nodeValue = $value;

      }

      // Append element.
      $parent->appendChild($element);

    }, array_keys($item), $item);

    return $parent;

  }

  /**
   * Item schema.
   *
   * @since 5.25
   *
   * @return array $schema
   */
  public function get_item_schema() {

    return [
      '$schema' => 'http://json-schema.org/draft-04/schema#',
      'title' => 'civicrm/v3/rest',
      'description' => __('CiviCRM API3 WP rest endpoint wrapper', 'civicrm'),
      'type' => 'object',
      'required' => ['entity', 'action', 'params'],
      'properties' => [
        'is_error' => [
          'type' => 'integer',
        ],
        'version' => [
          'type' => 'integer',
        ],
        'count' => [
          'type' => 'integer',
        ],
        'values' => [
          'type' => 'array',
        ],
      ],
    ];

  }

  /**
   * Item arguments.
   *
   * @since 5.25
   *
   * @return array $arguments
   */
  public function get_item_args() {

    return [
      'key' => [
        'type' => 'string',
        'required' => FALSE,
        'validate_callback' => function($value, $request, $key) {
          return $this->is_valid_site_key();
        },
      ],
      'api_key' => [
        'type' => 'string',
        'required' => FALSE,
        'validate_callback' => function($value, $request, $key) {
          return $this->is_valid_api_key($request);
        },
      ],
      'entity' => [
        'type' => 'string',
        'required' => TRUE,
        'validate_callback' => function($value, $request, $key) {
          return is_string($value);
        },
      ],
      'action' => [
        'type' => 'string',
        'required' => TRUE,
        'validate_callback' => function($value, $request, $key) {
          return is_string($value);
        },
      ],
      'json' => [
        'type' => ['integer', 'string', 'array'],
        'required' => FALSE,
        'validate_callback' => function($value, $request, $key) {
          return is_numeric($value) || is_array($value) || $this->is_valid_json($value);
        },
      ],
    ];

  }

  /**
   * Checks if string is a valid json.
   *
   * @since 5.25
   *
   * @param string $param
   * @return bool
   */
  public function is_valid_json($param) {

    $param = json_decode($param, TRUE);

    if (!is_array($param)) {
      return FALSE;
    }

    return (json_last_error() == JSON_ERROR_NONE);

  }

  /**
   * Validates the site key.
   *
   * @since 5.25
   *
   * @return bool $is_valid_site_key
   */
  public function is_valid_site_key() {

    return \CRM_Utils_System::authenticateKey(FALSE);

  }

  /**
   * Validates the api key.
   *
   * @since 5.25
   *
   * @param WP_REST_Resquest $request
   * @return bool $is_valid_api_key
   */
  public function is_valid_api_key($request) {

    $api_key = $request->get_param('api_key');

    if (!$api_key) {
      return FALSE;
    }

    $contact_id = \CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');

    if (!$contact_id) {
      return FALSE;
    }

    return TRUE;

  }

}