X-Git-Url: https://dev.renevier.net/?a=blobdiff_plain;f=api.php;h=0d6e7273349f9bcfd98307c817a97072dab9906b;hb=b6cae6a5698c5d0655d921f78f0ccab470bf034c;hp=052b5145a47e5aef5701b72648896a3c08367369;hpb=080f837e8fbca48c55f4549df13b9c4772db3613;p=syp.git
diff --git a/api.php b/api.php
index 052b514..0d6e727 100644
--- a/api.php
+++ b/api.php
@@ -2,16 +2,15 @@
/* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD
license. */
-require_once ("./inc/settings.php");
-require_once ("./inc/db/mysql.php");
-require_once ("./inc/utils.php");
-
function exit_document ($body) {
exit ("
$body");
}
-function success_auth () {
- success ("auth");
+function success_auth ($user) {
+ $res = "" .
+ htmlspecialchars ($user) .
+ "";
+ exit_document ($res);
}
function success_feature ($feature, $request) {
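Review bot: `htmlspecialchars ($user)` on the added line is called without ENT_QUOTES or an explicit charset, so a single quote in the user name passes through unescaped and the encoding falls back to the build default; since exit_document sends this value straight to the client, use `htmlspecialchars ($user, ENT_QUOTES, "UTF-8")`. The two empty string literals around it look like markup that the page rendering stripped, so the exact output context cannot be confirmed from this hunk. The new parameter also deserves a short comment, e.g. `// $user: login name that was just authenticated; echoed back to the client, so it must be escaped`.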
@@ -100,17 +99,9 @@ function save_uploaded_file ($file, $con) {
}
$mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
- try {
- $thumbnail_ok = create_thumbnail ($dest, $mini_dest);
- } catch (Exception $e) {
- $thumbnail_ok = false;
- }
- if (!$thumbnail_ok) {
- if (!copy ($dest, $mini_dest)) {
- server_error ();
- }
+ if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
+ server_error ();
}
-
}
return basename_safe ($dest);
}
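Review bot: The removed try/catch also covered exceptions thrown by thumbnail creation, while the replacement `create_thumbnail_or_copy` is only checked for a false return; if that helper lets an exception escape, save_uploaded_file now terminates with an uncaught exception instead of falling back to the copy, which cannot be verified from this hunk. A one-line comment stating the helper's contract would make the intent checkable, e.g. `// expected: create_thumbnail_or_copy falls back to copy() on any thumbnail failure and returns false only when both fail`. save_uploaded_file starts outside the hunk.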
@@ -175,27 +166,28 @@ function unique_file ($dirname, $relpath, $con) {
return null;
}
-function check_auth ($con, $pwd, $cookie_name, $auth_only) {
+function check_auth ($con, $user, $pwd, $auth_only) {
$authentificated = false;
- $user = "admin";
- if ($pwd) {
+ if (isset ($pwd)) {
if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
// cookie will be valid for 2 weeks. I've chosen that value
// arbitrarily, and it may change in the future.
$time = time () + 14 * 60 * 24 * 60;
- setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
+ setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true);
+ setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true);
$authentificated = true;
if ($auth_only) {
- success_auth ();
+ success_auth ($user);
}
} else {
unauthorized_error ();
}
}
- if (!$authentificated && !($con->checkpwdmd5 ($user,
- $_COOKIE [$cookie_name]))) {
+ if (!$authentificated && !($con->checkpwdmd5 (
+ $_COOKIE [sprintf ("%suser", DBPREFIX)],
+ $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
unauthorized_error ();
}
}
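Review bot: The cookie fallback on the new lines reads `$_COOKIE [...user]` and `$_COOKIE [...auth]` without checking that either exists, so a request with no password and no cookies passes null into checkpwdmd5 (and raises undefined-index notices) instead of being rejected up front; guard both indices with isset before the call, as in the excerpt below. The auth cookie is still an unsalted md5 of the password, issued for two weeks with the secure flag false — the rename does not change that — and a random per-session token stored server-side against the user would avoid keeping a password-equivalent in the browser. Switching `if ($pwd)` to `if (isset ($pwd))` also changes behaviour if unquote returns an empty string for an empty form field: such a request now fails with unauthorized_error rather than falling through to the cookie check, which may or may not be intended.
```php
function check_auth ($con, $user, $pwd, $auth_only) {
    // … unchanged: password check, cookie issuing, success_auth …
    $user_cookie = sprintf ("%suser", DBPREFIX);
    $auth_cookie = sprintf ("%sauth", DBPREFIX);
    // reject outright when the cookie pair is absent, before touching the db
    if (!$authentificated
        && !(isset ($_COOKIE [$user_cookie]) && isset ($_COOKIE [$auth_cookie])
             && $con->checkpwdmd5 ($_COOKIE [$user_cookie], $_COOKIE [$auth_cookie]))) {
        unauthorized_error ();
    }
}
```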
@@ -205,11 +197,14 @@ function main ($con) {
request_error ();
}
- $pwd = unquote ($_POST["password"]);
- $cookie_name = sprintf ("%sauth", DBPREFIX);
+ $pwd = unquote ($_POST ["password"]);
+ $user = unquote ($_POST ["user"]);
// does user only want authentication or does he want to do other things
$auth_only = ($_POST ["request"] == "auth");
- check_auth ($con, $pwd, $cookie_name, $auth_only);
+ check_auth ($con, $user, $pwd, $auth_only);
+ if (!$user) {
+ $user = $_COOKIE [sprintf ("%suser", DBPREFIX)];
+ }
switch ($_POST ["request"]) {
case "update":
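Review bot: `if (!$user)` on the new fallback treats a user name such as `"0"` as missing and silently replaces it with the cookie value, and both `$_POST ["user"]` and the cookie are indexed without isset; compare explicitly and guard the read, `if ($user === null || $user === "") {` and `$user = isset ($_COOKIE [sprintf ("%suser", DBPREFIX)]) ? $_COOKIE [sprintf ("%suser", DBPREFIX)] : "";`. What unquote returns for an absent `$_POST ["user"]` is not visible here, so which null/empty case to test depends on it. main starts before this hunk.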
@@ -218,6 +213,9 @@ function main ($con) {
if (!isset ($feature)) {
unreferenced_error ($id);
}
+ if ($feature->user != $user) {
+ unauthorized_error ();
+ }
// no file uploaded, but editor currently has an image: it means
// image was not changed
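Review bot: The ownership check `$feature->user != $user` uses loose comparison; because this decides whether the request may modify the feature, it should be `if ($feature->user !== $user) {`, otherwise two distinct names that PHP treats as equal numeric strings compare as the same owner. The identical loose check is added in the delete path at the later hunk (`@@ -288,6 +286,9 @@`). Features stored before this commit may carry no user value at all, in which case every edit of them is refused from now on — worth a comment or a migration note if that is intended. main starts outside the hunk.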
@@ -233,7 +231,7 @@ function main ($con) {
$description = unquote ($_POST ["description"]);
try {
- $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0);
+ $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
} catch (Exception $e) {
request_error ();
}
@@ -271,7 +269,7 @@ function main ($con) {
$title = unquote ($_POST ["title"]);
$description = unquote ($_POST ["description"]);
try {
- $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0);
+ $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
} catch (Exception $e) {
request_error ();
}
@@ -288,6 +286,9 @@ function main ($con) {
if (!isset ($feature)) {
unreferenced_error ($id);
}
+ if ($feature->user != $user) {
+ unauthorized_error ();
+ }
$imgpath = $feature->imgpath;
try {
@@ -309,6 +310,12 @@ function main ($con) {
server_error ();
}
+if (!@include_once ("./inc/settings.php")) {
+ server_error ();
+}
+require_once ("./inc/db/mysql.php");
+require_once ("./inc/utils.php");
+
try {
$connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX);
} catch (Exception $e) {
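Review bot: `@include_once` silences every diagnostic raised while settings.php loads, not only the missing-file case, so a readable settings file that emits warnings is included quietly; test for the file instead and leave error reporting alone, `if (!is_readable ("./inc/settings.php")) { server_error (); }` followed by `require_once ("./inc/settings.php");`. The move also means server_error and the `$connection` used two lines later must already be defined above this point, which the hunk does not show. The script continues past the hunk.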