|
@@ -142,7 +142,7 @@ These features are new and were not included in v1.
|
142
|
142
|
You can enable the following middleware using the "middlewares" config parameter:
|
143
|
143
|
|
144
|
144
|
- "cors": Support for CORS requests (enabled by default)
|
145
|
|
-- "authorization": Hide or restrict access to certain tables or columns
|
|
145
|
+- "authorization": Restrict access to certain tables or columns
|
146
|
146
|
- "basicAuth": Support for "Basic Authentication"
|
147
|
147
|
- "firewall": Limit access to specific IP addresses
|
148
|
148
|
- "validation": Return input validation errors for custom rules
|
|
@@ -554,23 +554,25 @@ These filters are based on OGC standards and so is the WKT specification in whic
|
554
|
554
|
|
555
|
555
|
### Authorizing tables and columns
|
556
|
556
|
|
557
|
|
-By default all tables are reflected. If you want to hide some tables you may add the 'authorization' middleware and define a 'authorization.tableHandler' function that returns 'false' for hidden tables.
|
|
557
|
+By default all tables are reflected. If you want to restrict access to some tables you may add the 'authorization' middleware
|
|
558
|
+and define a 'authorization.tableHandler' function that returns 'false' for these tables.
|
558
|
559
|
|
559
|
560
|
'authorization.tableHandler' => function ($method, $path, $databaseName, $tableName) {
|
560
|
561
|
return $tableName != 'license_keys';
|
561
|
562
|
},
|
562
|
563
|
|
563
|
|
-The above example will hide the table 'license_keys' in all API input and output.
|
|
564
|
+The above example will restrict access to the table 'license_keys' in all API calls.
|
564
|
565
|
|
565
|
566
|
'authorization.columnHandler' => function ($method, $path, $databaseName, $tableName, $columnName) {
|
566
|
567
|
return !($tableName == 'users' && $columnName == 'password');
|
567
|
568
|
},
|
568
|
569
|
|
569
|
|
-The above example will hide the 'password' field from the 'users' table in all API input and output.
|
|
570
|
+The above example will restrict access to the 'password' field from the 'users' table in all API calls.
|
570
|
571
|
|
571
|
572
|
### Sanitizing input
|
572
|
573
|
|
573
|
|
-By default all input is accepted and sent to the database. If you want to strip (certain) HTML tags before storing you may add the 'sanitation' middleware and define a 'sanitation.handler' function that returns the adjusted value.
|
|
574
|
+By default all input is accepted and sent to the database. If you want to strip (certain) HTML tags before storing you may add
|
|
575
|
+the 'sanitation' middleware and define a 'sanitation.handler' function that returns the adjusted value.
|
574
|
576
|
|
575
|
577
|
'sanitation.handler' => function ($method, $tableName, $column, $value) {
|
576
|
578
|
return is_string($value) ? strip_tags($value) : $value;
|
|
@@ -580,7 +582,8 @@ The above example will strip all HTML tags from strings in the input.
|
580
|
582
|
|
581
|
583
|
### Validating input
|
582
|
584
|
|
583
|
|
-By default all input is accepted. If you want to validate the input, you may add the 'validation' middleware and define a 'validation.handler' function that returns a boolean indicating whether or not the value is valid.
|
|
585
|
+By default all input is accepted. If you want to validate the input, you may add the 'validation' middleware and define a
|
|
586
|
+'validation.handler' function that returns a boolean indicating whether or not the value is valid.
|
584
|
587
|
|
585
|
588
|
'validation.handler' => function ($method, $tableName, $column, $value, $context) {
|
586
|
589
|
return ($column['name'] == 'post_id' && !is_numeric($value)) ? 'must be numeric' : true;
|