HumHub Documentation (unofficial)

Cors extends ActionFilter

Cors filter implements [Cross Origin Resource Sharing](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing).

Make sure to read carefully what CORS does and does not do. CORS does not secure your API; it allows the developer to grant access to third-party code (AJAX calls from an external domain).

You may use CORS filter by attaching it as a behavior to a controller or module, like the following,

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::class,
        ],
    ];
}

The CORS filter can be specialized to restrict parameters, like this (see MDN CORS Information):

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::class,
            'cors' => [
                // restrict access to
                'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                // Allow only POST and PUT methods
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                // Allow only headers 'X-Wsse'
                'Access-Control-Request-Headers' => ['X-Wsse'],
                // Allow credentials (cookies, authorization headers, etc.) to be exposed to the browser
                'Access-Control-Allow-Credentials' => true,
                // Allow OPTIONS caching
                'Access-Control-Max-Age' => 3600,
                // Allow the X-Pagination-Current-Page header to be exposed to the browser.
                'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
            ],

        ],
    ];
}

For more information on how to add the CORS filter to a controller, see the Guide on REST controllers.
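A check for the point above that CORS grants access rather than securing the API, as an added example that is not part of the Yii or HumHub code: the hypothetical auditCors() helper flags risky combinations in a `cors` array. It runs on two constructed inputs, the class default listed under $cors and the restricted configuration shown above.

```php
<?php
// Added example: audits a yii\filters\Cors-style 'cors' array for risky settings.
// auditCors() and the sample arrays are hypothetical, not part of Yii or HumHub.
function auditCors(array $cors): array
{
    $findings = [];
    $origins = $cors['Origin'] ?? [];
    $credentials = !empty($cors['Access-Control-Allow-Credentials']);

    if (in_array('*', $origins, true)) {
        $findings[] = $credentials
            ? 'wildcard Origin combined with credentials: browsers refuse this pairing'
            : 'wildcard Origin: any site can read responses served without credentials';
    }
    foreach ($origins as $origin) {
        if ($origin === 'null') {
            $findings[] = "Origin 'null' is sent by sandboxed frames and local files; do not allow it";
        } elseif ($credentials && stripos($origin, 'http://') === 0) {
            $findings[] = "{$origin}: plaintext http origin trusted with credentials";
        }
    }
    if (in_array('*', $cors['Access-Control-Request-Headers'] ?? [], true)) {
        $findings[] = 'every request header is allowed; list the ones the API needs';
    }
    return $findings;
}

// Constructed inputs: the class default and the restricted example from this page.
$default = [
    'Origin' => ['*'],
    'Access-Control-Request-Headers' => ['*'],
    'Access-Control-Allow-Credentials' => null,
];
$restricted = [
    'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
    'Access-Control-Request-Headers' => ['X-Wsse'],
    'Access-Control-Allow-Credentials' => true,
];

foreach (['default' => $default, 'restricted' => $restricted] as $name => $cors) {
    echo $name, ":\n";
    foreach (auditCors($cors) ?: ['no findings'] as $line) {
        echo "  - $line\n";
    }
}
```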

Tags
author

Philippe Gaultier pgaultier@gmail.com

since
2.0

Table of Contents

Properties

$actions  : array<string|int, mixed>
$cors  : array<string|int, mixed>
$except  : array<string|int, mixed>
$only  : array<string|int, mixed>
$owner  : Component|null
$request  : Request|null
$response  : Response|null
$_attachedEvents  : array<string|int, mixed>

Methods

__call()  : mixed
Calls the named method which is not a class method.
__construct()  : mixed
Constructor.
__get()  : mixed
Returns the value of an object property.
__isset()  : bool
Checks if a property is set, i.e. defined and not null.
__set()  : mixed
Sets value of an object property.
__unset()  : mixed
Sets an object property to null.
addCorsHeaders()  : mixed
Adds the CORS headers to the response.
afterAction()  : mixed
This method is invoked right after an action is executed.
afterFilter()  : mixed
attach()  : mixed
Attaches the behavior object to the component.
beforeAction()  : bool
This method is invoked right before an action is to be executed (after all possible filters). You may override this method to do last-minute preparation for the action.
beforeFilter()  : mixed
canGetProperty()  : bool
Returns a value indicating whether a property can be read.
canSetProperty()  : bool
Returns a value indicating whether a property can be set.
className()  : string
Returns the fully qualified name of this class.
detach()  : mixed
Detaches the behavior object from the component.
events()  : array<string|int, mixed>
Declares event handlers for the [[owner]]'s events.
extractHeaders()  : array<string|int, mixed>
Extract CORS headers from the request.
hasMethod()  : bool
Returns a value indicating whether a method is defined.
hasProperty()  : bool
Returns a value indicating whether a property is defined.
init()  : mixed
Initializes the object.
overrideDefaultSettings()  : mixed
Override settings for specific action.
prepareHeaders()  : array<string|int, mixed>
For each CORS header, create the specific response.
getActionId()  : string
Returns an action ID by converting [[Action::$uniqueId]] into an ID relative to the module.
headerize()  : string
Convert any string (including php headers with HTTP prefix) to header format.
headerizeToPhp()  : string
Convert any string (including PHP headers with HTTP prefix) to PHP $_SERVER header format.
isActive()  : bool
Returns a value indicating whether the filter is active for the given action.
prepareAllowHeaders()  : mixed
Handle classic CORS request to avoid duplicate code.

Properties

$actions

public array<string|int, mixed> $actions = []

define specific CORS rules for specific actions

$cors

public array<string|int, mixed> $cors = ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], 'Access-Control-Request-Headers' => ['*'], 'Access-Control-Allow-Credentials' => null, 'Access-Control-Max-Age' => 86400, 'Access-Control-Expose-Headers' => []]

Basic headers handled for the CORS requests.

$except

public array<string|int, mixed> $except = []

list of action IDs that this filter should not apply to.

Tags
see
only

$only

public array<string|int, mixed> $only = []

list of action IDs that this filter should apply to. If this property is not set, then the filter applies to all actions, unless they are listed in [[except]]. If an action ID appears in both [[only]] and [[except]], this filter will NOT apply to it.

Note that if the filter is attached to a module, the action IDs should also include child module IDs (if any) and controller IDs.

Since version 2.0.9 action IDs can be specified as wildcards, e.g. site/*.

Tags
see
except

$request

public Request|null $request

the current request. If not set, the request application component will be used.

$response

public Response|null $response

the response to be sent. If not set, the response application component will be used.

$_attachedEvents

private array<string|int, mixed> $_attachedEvents = []

Attached event handlers

Methods

__call()

Calls the named method which is not a class method.

public __call(string $name, array<string|int, mixed> $params) : mixed

Do not call this method directly as it is a PHP magic method that will be implicitly called when an unknown method is being invoked.

Parameters
$name : string

the method name

$params : array<string|int, mixed>

method parameters

Tags
throws
UnknownMethodException

when calling unknown method

Return values
mixed

the method return value

__construct()

Constructor.

public __construct([array<string|int, mixed> $config = [] ]) : mixed

The default implementation does two things:

  • Initializes the object with the given configuration $config.
  • Calls [[init()]].

If this method is overridden in a child class, it is recommended that

  • the last parameter of the constructor is a configuration array, like $config here.
  • the parent implementation is called at the end of the constructor.
Parameters
$config : array<string|int, mixed> = []

name-value pairs that will be used to initialize the object properties

__get()

Returns the value of an object property.

public __get(string $name) : mixed

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing $value = $object->property;.

Parameters
$name : string

the property name

Tags
throws
UnknownPropertyException

if the property is not defined

throws
InvalidCallException

if the property is write-only

see
__set()
Return values
mixed

the property value

__isset()

Checks if a property is set, i.e. defined and not null.

public __isset(string $name) : bool

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing isset($object->property).

Note that if the property is not defined, false will be returned.

Parameters
$name : string

the property name or the event name

Tags
see
https://www.php.net/manual/en/function.isset.php
Return values
bool

whether the named property is set (not null).

__set()

Sets value of an object property.

public __set(string $name, mixed $value) : mixed

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing $object->property = $value;.

Parameters
$name : string

the property name or the event name

$value : mixed

the property value

Tags
throws
UnknownPropertyException

if the property is not defined

throws
InvalidCallException

if the property is read-only

see
__get()

__unset()

Sets an object property to null.

public __unset(string $name) : mixed

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing unset($object->property).

Note that if the property is not defined, this method will do nothing. If the property is read-only, it will throw an exception.

Parameters
$name : string

the property name

Tags
throws
InvalidCallException

if the property is read only.

see
https://www.php.net/manual/en/function.unset.php

addCorsHeaders()

Adds the CORS headers to the response.

public addCorsHeaders(Response $response, array<string|int, mixed> $headers) : mixed
Parameters
$response : Response
$headers : array<string|int, mixed>

CORS headers which have been computed

afterAction()

This method is invoked right after an action is executed.

public afterAction(Action $action, mixed $result) : mixed

You may override this method to do some postprocessing for the action.

Parameters
$action : Action

the action just executed.

$result : mixed

the action execution result

Return values
mixed

the processed action result.

attach()

Attaches the behavior object to the component.

public attach(mixed $owner) : mixed
Parameters
$owner : mixed

the component that this behavior is to be attached to.

beforeAction()

This method is invoked right before an action is to be executed (after all possible filters). You may override this method to do last-minute preparation for the action.

public beforeAction(mixed $action) : bool
Parameters
$action : mixed

the action to be executed.

Return values
bool

whether the action should continue to be executed.

canGetProperty()

Returns a value indicating whether a property can be read.

public canGetProperty(string $name[, bool $checkVars = true ]) : bool

A property is readable if:

  • the class has a getter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);
Parameters
$name : string

the property name

$checkVars : bool = true

whether to treat member variables as properties

Tags
see
canSetProperty()
Return values
bool

whether the property can be read

canSetProperty()

Returns a value indicating whether a property can be set.

public canSetProperty(string $name[, bool $checkVars = true ]) : bool

A property is writable if:

  • the class has a setter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);
Parameters
$name : string

the property name

$checkVars : bool = true

whether to treat member variables as properties

Tags
see
canGetProperty()
Return values
bool

whether the property can be written

className()

Returns the fully qualified name of this class.

public static className() : string
Tags
deprecated

since 2.0.14. On PHP >=5.5, use ::class instead.

Return values
string

the fully qualified name of this class.

detach()

Detaches the behavior object from the component.

public detach() : mixed

events()

Declares event handlers for the [[owner]]'s events.

public events() : array<string|int, mixed>

Child classes may override this method to declare what PHP callbacks should be attached to the events of the [[owner]] component.

The callbacks will be attached to the [[owner]]'s events when the behavior is attached to the owner; and they will be detached from the events when the behavior is detached from the component.

The callbacks can be any of the following:

  • method in this behavior: 'handleClick', equivalent to [$this, 'handleClick']
  • object method: [$object, 'handleClick']
  • static method: ['Page', 'handleClick']
  • anonymous function: function ($event) { ... }

The following is an example:

[
    Model::EVENT_BEFORE_VALIDATE => 'myBeforeValidate',
    Model::EVENT_AFTER_VALIDATE => 'myAfterValidate',
]
Return values
array<string|int, mixed>

events (array keys) and the corresponding event handler methods (array values).

extractHeaders()

Extract CORS headers from the request.

public extractHeaders() : array<string|int, mixed>
Return values
array<string|int, mixed>

CORS headers to handle

hasMethod()

Returns a value indicating whether a method is defined.

public hasMethod(string $name) : bool

The default implementation is a call to the PHP function method_exists(). You may override this method when you have implemented the PHP magic method __call().

Parameters
$name : string

the method name

Return values
bool

whether the method is defined

hasProperty()

Returns a value indicating whether a property is defined.

public hasProperty(string $name[, bool $checkVars = true ]) : bool

A property is defined if:

  • the class has a getter or setter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);
Parameters
$name : string

the property name

$checkVars : bool = true

whether to treat member variables as properties

Tags
see
canGetProperty()
see
canSetProperty()
Return values
bool

whether the property is defined

init()

Initializes the object.

public init() : mixed

This method is invoked at the end of the constructor after the object is initialized with the given configuration.

overrideDefaultSettings()

Override settings for specific action.

public overrideDefaultSettings(Action $action) : mixed
Parameters
$action : Action

the action settings to override

prepareHeaders()

For each CORS header, create the specific response.

public prepareHeaders(array<string|int, mixed> $requestHeaders) : array<string|int, mixed>
Parameters
$requestHeaders : array<string|int, mixed>

CORS headers we have detected

Return values
array<string|int, mixed>

CORS headers ready to be sent

getActionId()

Returns an action ID by converting [[Action::$uniqueId]] into an ID relative to the module.

protected getActionId(Action $action) : string
Parameters
$action : Action
Tags
since
2.0.7
Return values
string

headerize()

Convert any string (including php headers with HTTP prefix) to header format.

protected headerize(string $string) : string

Example:

  • X-PINGOTHER -> X-Pingother
  • X_PINGOTHER -> X-Pingother
Parameters
$string : string

string to convert

Return values
string

the result in "header" format

headerizeToPhp()

Convert any string (including PHP headers with HTTP prefix) to PHP $_SERVER header format.

protected headerizeToPhp(string $string) : string

Example:

  • X-Pingother -> HTTP_X_PINGOTHER
  • X PINGOTHER -> HTTP_X_PINGOTHER
Parameters
$string : string

string to convert

Return values
string

the result in "php $_SERVER header" format

isActive()

Returns a value indicating whether the filter is active for the given action.

protected isActive(Action $action) : bool
Parameters
$action : Action

the action being filtered

Return values
bool

whether the filter is active for the given action.

prepareAllowHeaders()

Handle classic CORS request to avoid duplicate code.

protected prepareAllowHeaders(string $type, array<string|int, mixed> $requestHeaders, array<string|int, mixed> &$responseHeaders) : mixed
Parameters
$type : string

the kind of headers we would handle

$requestHeaders : array<string|int, mixed>

CORS headers requested by the client

$responseHeaders : array<string|int, mixed>

CORS response headers sent to the client


        