2 /* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD
// Wrap $body in a minimal HTML document, send it and terminate the script.
// Every response helper below ends up here.
5 function exit_document ($body) {
6 $charset_meta = '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">';
// $body is emitted verbatim: callers must escape any user-controlled value
// before passing it in. Note the meta tag is placed before <head>, not
// inside it (tolerated by browsers, but not well-formed).
7 exit ("<html>$charset_meta<head></head><body>$body</body></html>");
// Emit <success request="..."/> and exit. $reason is interpolated without
// escaping, so it must be a server-chosen constant, never request input.
10 function success ($reason) {
11 exit_document ("<success request=\"$reason\"></success>");
// Success response for a password change; the user name is HTML-escaped.
// (The rest of this function is not visible in this excerpt.)
14 function success_changepass ($username) {
15 $res = "<success request=\"changepass\"><user>" .
16 htmlspecialchars ($username) .
// Success response for user creation; the user name is HTML-escaped.
// (The rest of this function is not visible in this excerpt.)
21 function success_newuser ($username) {
22 $res = "<success request=\"newuser\"><user>" .
23 htmlspecialchars ($username) .
// Success response for an authentication-only request.
// BUG: $reason is never defined in this function (it is neither a
// parameter nor assigned), so request="" is emitted. The sibling helpers
// hard-code their request name; this one should do the same ("auth").
28 function success_auth ($user) {
29 $res = "<success request=\"$reason\"><user>" .
30 htmlspecialchars ($user) .
// Success response carrying a feature's fields. $request names the
// operation; main() passes "update" and "add". Several lines of the body
// are not visible in this excerpt.
35 function success_feature ($feature, $request) {
36 $res = "<success request=\"$request\"><feature>";
// id, lon and lat are emitted without htmlspecialchars(), unlike
// description and title. lon/lat originate from $_POST in main(); whether
// the feature constructor validates them as numeric is not visible here --
// TODO confirm, or escape them here as well.
37 $res .= "<id>" . $feature->id . "</id>";
41 image_url_from_imgpath ($feature->imgpath)
45 $res .= "<description>" .
46 htmlspecialchars ($feature->description) .
49 // XXX: we do not use <title> because that would be interpreted and
50 // altered by the browser's html parser
52 htmlspecialchars ($feature->title) .
55 $res .= "<lon>" . $feature->lon . "</lon>";
56 $res .= "<lat>" . $feature->lat . "</lat>";
57 $res .= "</feature></success>";
// Success response for a deletion; only the feature id is returned.
// $feature->id is not escaped; main() obtains $feature from the database
// via getfeature(), so this presumes ids are stored as integers -- TODO confirm.
61 function success_delete_feature ($feature) {
62 $res = "<success request=\"del\"><feature>";
63 $res .= "<id>" . $feature->id . "</id>";
64 $res .= "</feature></success>";
// Emit <error reason="..."/> and exit. $reason is interpolated without
// escaping, so it must be a server-chosen constant, never request input.
68 function error ($reason) {
69 exit_document ("<error reason=\"$reason\"></error>");
// Error response when the requested new user name is already taken.
72 function error_newuser_exists () {
73 error ("newuser_exists");
// Error response that names the offending feature id.
// $id is emitted without htmlspecialchars(). main() calls
// error_unreferenced() with $_POST["fid"] verbatim when no such feature
// exists, so request input is reflected into the response unescaped --
// escape it here: `htmlspecialchars ($id)`.
76 function error_feature ($id, $reason) {
77 $res = "<error reason=\"$reason\"><feature>";
78 $res .= "<id>" . $id . "</id>";
79 $res .= "</feature></error>";
// Error response when an update would not modify any field of the feature.
83 function error_nochange ($id) {
84 error_feature ($id, "nochange");
// Error response when no feature with the given id exists. $id comes
// straight from the request in main(); it is escaped (or not) in error_feature().
86 function error_unreferenced ($id) {
87 error_feature ($id, "unreferenced");
90 function error_server () {
94 function error_wrongpass () {
// Error response for a failed login or an operation on someone else's feature.
98 function error_unauthorized () {
99 error ("unauthorized");
102 function error_request () {
106 function error_file_too_big () {
110 function error_notanimage () {
// Store an uploaded image under UPLOADDIR, build a thumbnail next to it and
// push the thumbnail to FTP. Returns the stored basename; the path taken when
// no file was uploaded is not visible in this excerpt. Errors terminate the
// script via the error_* helpers.
114 function save_uploaded_file ($file, $con) {
116 if (isset ($file) && ($file ["error"] != UPLOAD_ERR_NO_FILE)) {
// Checks upload origin and image header only (see img_check_upload()).
117 img_check_upload ($file);
// unique_file() keeps the client-supplied extension; nothing visible here
// restricts it to image extensions -- TODO derive the extension from the
// detected image type instead of trusting the upload name.
118 $dest = unique_file (UPLOADDIR, $file ["name"], $con);
119 if (!isset ($dest) ||
120 (!move_uploaded_file ($file ["tmp_name"], $dest))) {
// Thumbnail path reuses the stored basename with a "mini_" prefix.
124 $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
126 if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
129 send_to_ftp ($mini_dest);
131 return basename_safe ($dest);
// Reject anything that is not a genuine upload or does not parse as an
// image; failures terminate via the error_* helpers.
134 function img_check_upload ($file) {
135 if (!is_uploaded_file ($file ["tmp_name"])) {
// Distinguish "exceeds upload_max_filesize" from other upload failures.
136 if ($file ["error"] == UPLOAD_ERR_INI_SIZE) {
137 error_file_too_big ();
// getimagesize() only parses the image header; it says nothing about the
// rest of the file's content or about the file's extension.
142 if (!getimagesize ($file ["tmp_name"])) {
// Remove an image and its thumbnail from disk and FTP unless some feature
// still references it (per $con->imgpath_exists). No-op for an empty path.
147 function delete_image_if_unused ($imgpath, $con) {
148 if (!isset ($imgpath) || (strlen ($imgpath) == 0)) {
151 if ($con->imgpath_exists ($imgpath)) {
// $imgpath is joined to UPLOADDIR as-is. main() passes values read back
// from stored features, which went through unique_file() (separators
// stripped) -- TODO confirm no other caller feeds an unchecked path.
155 $path = UPLOADDIR . "/" . $imgpath;
156 if (file_exists ($path)) {
158 delete_from_ftp ($path);
161 $thumb_path = getthumbsdir () . "/mini_" . $imgpath;
162 if (file_exists ($thumb_path)) {
163 unlink ($thumb_path);
164 delete_from_ftp ($thumb_path);
// Choose a path under $dirname for the upload named $relpath that exists
// neither on disk nor in the database, trying base_<n>.ext variants before
// giving up after 1000 attempts. Several lines are not visible here.
168 function unique_file ($dirname, $relpath, $con) {
// Only path separators are removed; leading dots and the extension are kept
// exactly as the client supplied them.
169 $relpath = str_replace ('/', '', $relpath); // strip slashes from path
170 $relpath = str_replace ('\\', '', $relpath); // strip antislashes from path
171 $filename = $dirname . '/' . $relpath;
// Split on the last dot. What happens for a name without a dot (strrpos()
// returning false) is decided in lines not shown here.
174 $dotpos = strrpos ($relpath, '.');
176 $base = substr ($relpath, 0, $dotpos);
177 $ext = substr ($relpath, $dotpos + 1);
// $counter is initialised in a line not shown here.
183 while ($counter < 1000) {
// Check-then-use: the name is only reserved when the caller later calls
// move_uploaded_file(), so two concurrent uploads can pick the same name.
184 if (!file_exists ($filename) &&
185 !($con->imgpath_exists (basename_safe ($filename)))) {
189 $filename = $dirname . '/' . $base . '_' . $counter . '.' . $ext;
192 // we tried to find an unused filename 1000 times. Give up now.
// Set the "<DBPREFIX>user" and "<DBPREFIX>auth" cookies that check_auth()
// later accepts as credentials.
// The auth cookie holds md5($pwd): an unsalted hash of the password that
// check_auth() passes straight to checkpwdmd5(), so for two weeks the cookie
// is a password equivalent. A random, server-side session token would be
// the safer design. The secure flag (6th argument) is false in both
// branches, so the cookies are also sent over plain HTTP.
196 function setcookies ($user, $pwd) {
197 // cookie will be valid for 2 weeks. I've chosen that value
198 // arbitrarily, and it may change in the future.
199 $time = time () + 14 * 60 * 24 * 60;
// The httponly parameter (7th argument) only exists from PHP 5.2.0; older
// versions get the same cookies without it.
200 if (version_compare (PHP_VERSION, '5.2.0', '>=')) {
201 setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true);
202 setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true);
204 setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false);
205 setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false);
// Authenticate the request from POST credentials ($user/$pwd) or, failing
// that, from the cookies set by setcookies(). Failure terminates the script
// via error_unauthorized(); with $auth_only a successful POST login
// terminates via success_auth() instead of returning.
210 function check_auth ($con, $user, $pwd, $auth_only) {
211 $authentificated = false;
// The condition guarding this block (lines 212-213) is not visible here;
// presumably it tests whether POST credentials were supplied.
214 if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
215 setcookies ($user, $pwd);
216 $authentificated = true;
218 success_auth ($user);
221 error_unauthorized ();
// Cookie fallback. The cookies are read without isset(), so a request
// without them raises notices and hands null to checkpwdmd5().
225 if (!$authentificated && !($con->checkpwdmd5 (
226 $_COOKIE [sprintf ("%suser", DBPREFIX)],
227 $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
228 error_unauthorized ();
// Request dispatcher: authenticates the caller, then runs the operation
// named by $_POST["request"]. Every branch ends in a success_*/error_*
// helper, which exits. The switch's case labels and several try/else lines
// are not visible in this excerpt; the branch names below are inferred
// from the request strings passed to the success_* helpers.
232 function main ($con) {
233 if (!isset ($_POST ["request"])) {
// password/user are read without isset(); lines 234-236 are not shown.
237 $pwd = unquote ($_POST ["password"]);
238 $user = unquote ($_POST ["user"]);
239 // does user only want authentication or does he want to do other things
240 $auth_only = ($_POST ["request"] == "auth");
241 check_auth ($con, $user, $pwd, $auth_only);
// From here on the acting user is the cookie value, not $_POST["user"].
// A cookie set by setcookies() during this same request is not yet in
// $_COOKIE -- TODO confirm (lines 242-244) that this is only reached for
// cookie-authenticated requests.
243 $user = $_COOKIE [sprintf ("%suser", DBPREFIX)];
246 switch ($_POST ["request"]) {
// --- update (case label not shown) ---
248 $id = $_POST ["fid"];
249 $feature = $con->getfeature ($id);
250 if (!isset ($feature)) {
// $id is the raw request value; error_feature() emits it unescaped.
251 error_unreferenced ($id);
// Owner or "admin" may update. The delete branch below allows the owner only.
253 if (($feature->user != $user) && ($user != "admin")) {
254 error_unauthorized ();
257 // no file uploaded, but editor currently has an image: it means
258 // image was not changed
// keep_img is read without isset(); an absent field means "replace".
259 if ($_POST ["keep_img"] == "yes") {
260 $imgpath = $feature->imgpath;
262 $imgpath = save_uploaded_file ($_FILES ["image_file"], $con);
// lon/lat are passed through unvalidated here; any validation lives in the
// feature constructor (its try block opens on a line not shown).
265 $lon = $_POST ["lon"];
266 $lat = $_POST ["lat"];
267 $title = unquote ($_POST ["title"]);
268 $description = unquote ($_POST ["description"]);
271 $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
272 } catch (Exception $e) {
// Field-by-field change detection with loose ==.
276 if (($new_feature->lon == $feature->lon) &&
277 ($new_feature->lat == $feature->lat) &&
278 ($new_feature->title == $feature->title) &&
279 ($new_feature->imgpath == $feature->imgpath) &&
280 ($new_feature->description == $feature->description)) {
281 error_nochange ($feature->id);
// Remember the replaced image so it can be cleaned up after a successful save.
285 if ($feature->imgpath && ($feature->imgpath != $new_feature->imgpath)) {
286 $old_imgpath = $feature->imgpath;
290 $con->save_feature ($new_feature);
291 } catch (Exception $e) {
// Best-effort cleanup: failures are deliberately ignored.
296 delete_image_if_unused ($old_imgpath, $con);
297 } catch (Exception $e) {}
299 success_feature ($new_feature, "update");
// --- add (case label not shown) ---
302 $imgpath = save_uploaded_file ($_FILES ["image_file"], $con);
304 $lon = $_POST ["lon"];
305 $lat = $_POST ["lat"];
306 $title = unquote ($_POST ["title"]);
307 $description = unquote ($_POST ["description"]);
309 $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
310 } catch (Exception $e) {
// save_feature() returns the stored feature here; the update branch above
// discards that return value.
314 $feature = $con->save_feature ($feature);
315 } catch (Exception $e) {
318 success_feature ($feature, "add");
// --- del (case label not shown) ---
321 $id = $_POST ["fid"];
322 $feature = $con->getfeature ($id);
323 if (!isset ($feature)) {
324 error_unreferenced ($id);
// Owner only: "admin" is not exempted here, unlike the update branch --
// TODO confirm that is intended.
326 if ($feature->user != $user) {
327 error_unauthorized ();
329 $imgpath = $feature->imgpath;
332 $con->delete_feature ($feature);
333 } catch (Exception $e) {
// Best-effort cleanup: failures are deliberately ignored.
338 delete_image_if_unused ($imgpath, $con);
339 } catch (Exception $e) {}
341 success_delete_feature ($feature);
// --- changepass (case label not shown) ---
// The current password is re-verified; the auth cookie alone is not enough.
343 $currpass = unquote ($_POST ["pass_current"]);
344 if (!$con->checkpwdmd5 ($user, md5 ($currpass))) {
347 $newpass = unquote ($_POST ["pass_new"]);
// No length or content check on the new password is visible here.
349 $con->setpwd ($user, $newpass);
350 } catch (Exception $e) {
// Re-issue the cookies so the md5 they carry matches the new password.
353 setcookies ($user, $newpass);
354 success_changepass ($user);
// --- newuser (case label not shown), admin only ---
357 if ($user != "admin") {
358 error_unauthorized ();
360 $newuser_name = unquote ($_POST ["newuser_name"]);
// Truthiness test: a name of "0" is rejected as empty.
361 if (!$newuser_name) {
364 if ($con->user_exists ($newuser_name)) {
365 error_newuser_exists ();
367 $newuser_password = unquote ($_POST ["newuser_password"]);
369 $con->setpwd ($newuser_name, $newuser_password);
370 } catch (Exception $e) {
373 success_newuser ($newuser_name);
// Bootstrap: load settings, the MySQL driver and utilities, then connect.
// The @ suppresses include diagnostics; the branch body (not shown)
// presumably reports the missing settings file.
383 if (!@include_once ("./inc/settings.php")) {
386 require_once ("./inc/db/mysql.php");
387 require_once ("./inc/utils.php");
// $connection is created on a line not shown; a connection failure is
// caught below.
390 $connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX);
391 } catch (Exception $e) {