@@ -335,6 +335,8 @@ abstract class REST_Controller extends CI_Controller {
335335 * @var bool
336336 */
337337 protected $ _enable_xssFALSE ;
338+
339+ private $ is_valid_requestTRUE ;
338340
339341 /**
340342 * HTTP status codes and their respective description
@@ -631,17 +633,19 @@ public function _remap($object_called, $arguments = [])
631633 $ this config ->item ('rest_status_field_name ' ) => FALSE ,
632634 $ this config ->item ('rest_message_field_name ' ) => $ this lang ->line ('text_rest_unsupported ' )
633635 ], self ::HTTP_FORBIDDEN );
636+
637+ $ this is_valid_request = false ;
634638 }
635639
636640 // Remove the supported format from the function name e.g. index.json => index
637641 $ object_calledpreg_replace ('/^(.*)\.(?: ' .implode ('| ' , array_keys ($ this _supported_formats )).')$/ ' , '$1 ' , $ object_called
638642
639643 $ controller_method$ object_called'_ ' .$ this request ->method ;
640- // Does this method exist? If not, try executing an index method
641- if (!method_exists ($ this $ controller_method
642- $ controller_method"index_ " . $ this request ->method ;
643- array_unshift ($ arguments$ object_called
644- }
644+ // Does this method exist? If not, try executing an index method
645+ if (!method_exists ($ this $ controller_method
646+ $ controller_method"index_ " . $ this request ->method ;
647+ array_unshift ($ arguments$ object_called
648+ }
645649
646650 // Do we want to log this method (if allowed by config)?
647651$ log_methodisset ($ this methods [$ controller_method'log ' ]) && $ this methods [$ controller_method'log ' ] === FALSE );
@@ -656,8 +660,8 @@ public function _remap($object_called, $arguments = [])
656660 {
657661 $ this _log_request ();
658662 }
659-
660- // fix cross site to option request error
663+
664+ // fix cross site to option request error
661665 if ($ this request ->method == 'options ' ) {
662666 exit ;
663667 }
@@ -666,6 +670,8 @@ public function _remap($object_called, $arguments = [])
666670 $ this config ->item ('rest_status_field_name ' ) => FALSE ,
667671 $ this config ->item ('rest_message_field_name ' ) => sprintf ($ this lang ->line ('text_rest_invalid_api_key ' ), $ this rest ->key )
668672 ], self ::HTTP_FORBIDDEN );
673+
674+ $ this is_valid_request = false ;
669675 }
670676
671677 // Check to see if this key has access to the requested controller
@@ -680,6 +686,8 @@ public function _remap($object_called, $arguments = [])
680686 $ this config ->item ('rest_status_field_name ' ) => FALSE ,
681687 $ this config ->item ('rest_message_field_name ' ) => $ this lang ->line ('text_rest_api_key_unauthorized ' )
682688 ], self ::HTTP_UNAUTHORIZED );
689+
690+ $ this is_valid_request = false ;
683691 }
684692
685693 // Sure it exists, but can they do anything with it?
@@ -689,6 +697,8 @@ public function _remap($object_called, $arguments = [])
689697 $ this config ->item ('rest_status_field_name ' ) => FALSE ,
690698 $ this config ->item ('rest_message_field_name ' ) => $ this lang ->line ('text_rest_unknown_method ' )
691699 ], self ::HTTP_METHOD_NOT_ALLOWED );
700+
701+ $ this is_valid_request = false ;
692702 }
693703
694704 // Doing key related stuff? Can only do it if they have a key right?
@@ -699,6 +709,8 @@ public function _remap($object_called, $arguments = [])
699709 {
700710 $ response$ this config ->item ('rest_status_field_name ' ) => FALSE , $ this config ->item ('rest_message_field_name ' ) => $ this lang ->line ('text_rest_api_key_time_limit ' )];
701711 $ this response ($ responseself ::HTTP_UNAUTHORIZED );
712+
713+ $ this is_valid_request = false ;
702714 }
703715
704716 // If no level is set use 0, they probably aren't using permissions
@@ -716,6 +728,8 @@ public function _remap($object_called, $arguments = [])
716728 // They don't have good enough perms
717729 $ response$ this config ->item ('rest_status_field_name ' ) => FALSE , $ this config ->item ('rest_message_field_name ' ) => $ this lang ->line ('text_rest_api_key_permissions ' )];
718730 $ this response ($ responseself ::HTTP_UNAUTHORIZED );
731+
732+ $ this is_valid_request = false ;
719733 }
720734 }
721735
@@ -724,6 +738,8 @@ public function _remap($object_called, $arguments = [])
724738 {
725739 $ response$ this config ->item ('rest_status_field_name ' ) => FALSE , $ this config ->item ('rest_message_field_name ' ) => $ this lang ->line ('text_rest_ip_address_time_limit ' )];
726740 $ this response ($ responseself ::HTTP_UNAUTHORIZED );
741+
742+ $ this is_valid_request = false ;
727743 }
728744
729745 // No key stuff, but record that stuff is happening
@@ -735,7 +751,9 @@ public function _remap($object_called, $arguments = [])
735751 // Call the controller method and passed arguments
736752 try
737753 {
738- call_user_func_array ([$ this $ controller_method$ arguments
754+ if ($ this is_valid_request ) {
755+ call_user_func_array ([$ this $ controller_method$ arguments
756+ }
739757 }
740758 catch (Exception $ ex
741759 {
@@ -744,8 +762,8 @@ public function _remap($object_called, $arguments = [])
744762 }
745763
746764 // If the method doesn't exist, then the error will be caught and an error response shown
747- $ _errorload_class ('Exceptions ' , 'core ' );
748- $ _errorshow_exception ($ ex
765+ $ _errorload_class ('Exceptions ' , 'core ' );
766+ $ _errorshow_exception ($ ex
749767 }
750768 }
751769
@@ -2136,6 +2154,10 @@ protected function _force_login($nonce = '')
21362154 .'", opaque=" ' . md5 ($ rest_realm'" ' );
21372155 }
21382156
2157+ if ($ this config ->item ('strict_api_and_auth ' ) === true ) {
2158+ $ this is_valid_request = false ;
2159+ }
2160+
21392161 // Display an error response
21402162 $ this response ([
21412163 $ this config ->item ('rest_status_field_name ' ) => FALSE ,
0 commit comments