Item12839: Initial start at improving rest security

This adds a %RESTHANDLERS% macro. It reports all registered REST handlers, verbs, and the requested security settings for the handler: - Is Authentication required - Is StrikeOne required - Is Is the request restricted to POST or GET? This macro should be a <nop> for non-admins, or at least only display the verb and description. git-svn-id: http://svn.foswiki.org/trunk@17481 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Apr 4, 2014 · 3c92735 · 3c92735
1 parent 83a5a22
commit 3c92735
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/core/data/System/InstalledPlugins.txt b/core/data/System/InstalledPlugins.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1394718135" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1396571990" format="1.1" version="1"}%
 %META:TOPICPARENT{name="AdminDocumentationCategory"}%
 ---+ Installed Plugins
 
@@ -33,7 +33,10 @@ See %SYSTEMWEB%.SkinBrowser for an overview of the installed Skins.
 ---++ Plugin Diagnostics
 %FAILEDPLUGINS%
 
-*Note:* The diagnostics are provided by the =%<nop>FAILEDPLUGINS%= macro
+---+++ Registered REST Handlers
+
+%RESTHANDLERS%
+
 
 ---
 *Related Topics:* [[Plugins]], %WIKIPREFSTOPIC%, AdminDocumentationCategory, AdminToolsCategory, SkinBrowser
diff --git a/core/lib/Foswiki/Plugins.pm b/core/lib/Foswiki/Plugins.pm
@@ -86,6 +86,7 @@ sub new {
         Foswiki::registerTagHandler( 'ACTIVATEDPLUGINS',
             \&_handleACTIVATEDPLUGINS );
         Foswiki::registerTagHandler( 'FAILEDPLUGINS', \&_handleFAILEDPLUGINS );
+        Foswiki::registerTagHandler( 'RESTHANDLERS',  \&_handleRESTHANDLERS );
         $inited = 1;
     }
 
@@ -393,6 +394,42 @@ sub haveHandlerFor {
     return scalar( @{ $this->{registeredHandlers}{$handlerName} } );
 }
 
+# %RESTHANDLERS% reports the registred rest handlers and a bit of information
+# about them
+#
+sub _handleRESTHANDLERS {
+    my $this = shift->{plugins};
+
+    # SMELL:  This needs some auth checking and either redaction
+    #         or just disable this macro for non-admins
+
+    require Foswiki::UI::Rest;
+    my $restHandlers = Foswiki::UI::Rest::getRegisteredHandlers();
+    my $out          = <<DONE
+||| Requested core security |||
+| Extension | REST Verb | http<br/>allow | Strikeone | require<br/>authentication |
+DONE
+      ;    #Collect output for display
+
+    foreach my $handler ( keys %$restHandlers ) {
+        $out .= "| $Foswiki::cfg{SystemWebName}.$handler | ||||\n";
+        foreach my $verb ( keys $restHandlers->{$handler} ) {
+            $out .=
+                "| | $verb | "
+              . ( $restHandlers->{$handler}{$verb}{http_allow} || 'any' )
+              . ' | '
+              . ( $restHandlers->{$handler}{$verb}{validate} || 'false' )
+              . ' | '
+              . ( $restHandlers->{$handler}{$verb}{authenticate} || 'false' )
+              . ' | '
+              . ( $restHandlers->{$handler}{$verb}{description} || '' )
+              . " |\n";
+        }
+    }
+
+    return $out;
+}
+
 # %FAILEDPLUGINS reports reasons why plugins failed to load
 # note this is invoked with the session as the first parameter
 sub _handleFAILEDPLUGINS {

diff --git a/core/lib/Foswiki/UI/Rest.pm b/core/lib/Foswiki/UI/Rest.pm
@@ -24,6 +24,11 @@ BEGIN {
 
 our %restDispatch;
 
+# Used by Plugin diagnostics to access all the registered handlers
+sub getRegisteredHandlers {
+    return \%restDispatch;
+}
+
 =begin TML
 
 ---++ StaticMethod registerRESTHandler( $subject, $verb, \&fn, %options )