X-Git-Url: https://dev.renevier.net/?a=blobdiff_plain;ds=inline;f=api.php;h=ac49d76665ca7cec11da77cad84d1b03c3bc3181;hb=274b5f5506b242b4680bc8fe3d9811f668c06f29;hp=39c6319ab5c749d857665830e0bb040f5dfe30e3;hpb=2342c1689c6155fc545c372e24dbcac27fcf21e9;p=syp.git
diff --git a/api.php b/api.php
index 39c6319..ac49d76 100644
--- a/api.php
+++ b/api.php
@@ -2,16 +2,34 @@
/* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD
license. */
-require_once ("./inc/settings.php");
-require_once ("./inc/db/mysql.php");
-require_once ("./inc/utils.php");
-
function exit_document ($body) {
- exit ("
$body");
+ $charset_meta = '';
+ exit ("$charset_meta$body");
+}
+
+function success ($reason) {
+ exit_document ("");
+}
+
+function success_changepass ($username) {
+ $res = "" .
+ htmlspecialchars ($username) .
+ "";
+ exit_document ($res);
+}
+
+function success_newuser ($username) {
+ $res = "" .
+ htmlspecialchars ($username) .
+ "";
+ exit_document ($res);
}
-function success_auth () {
- success ("auth");
+function success_auth ($user) {
+ $res = "" .
+ htmlspecialchars ($user) .
+ "";
+ exit_document ($res);
}
function success_feature ($feature, $request) {
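Review bot: In the new exit_document(), `$charset_meta` is assigned the empty string and interpolated on the very next line, so the rewrite behaves exactly like the removed version; either populate it (the name suggests a charset declaration for the response, which would also need the matching Content-Type header) or drop the variable. success_changepass(), success_newuser() and success_auth() now have bodies that differ only in the surrounding literal (the markup on this page looks stripped by the renderer), so one private helper taking the element name and the username would remove the triplication. A one-line header on exit_document() would also help, e.g. `// Emits $body as the entire response and terminates the request.`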
@@ -20,7 +38,7 @@ function success_feature ($feature, $request) {
$res .= "" .
($feature->imgpath ?
- full_url_from_imgpath ($feature->imgpath)
+ image_url_from_imgpath ($feature->imgpath)
: "") .
"";
@@ -47,14 +65,14 @@ function success_delete_feature ($feature) {
exit_document ($res);
}
-function success ($reason) {
- exit_document ("");
-}
-
function error ($reason) {
exit_document ("");
}
+function error_newuser_exists () {
+ error ("newuser_exists");
+}
+
function error_feature ($id, $reason) {
$res = "";
$res .= "" . $id . "";
@@ -62,30 +80,34 @@ function error_feature ($id, $reason) {
exit_document ($res);
}
-function nochange_error ($id) {
+function error_nochange ($id) {
error_feature ($id, "nochange");
}
-function unreferenced_error ($id) {
+function error_unreferenced ($id) {
error_feature ($id, "unreferenced");
}
-function server_error () {
+function error_server () {
error ("server");
}
-function unauthorized_error () {
+function error_wrongpass () {
+ error ("wrongpass");
+}
+
+function error_unauthorized () {
error ("unauthorized");
}
-function request_error () {
+function error_request () {
error ("request");
}
-function file_too_big_error () {
+function error_file_too_big () {
error ("toobig");
}
-function notanimage_error () {
+function error_notanimage () {
error ("notimage");
}
@@ -96,7 +118,12 @@ function save_uploaded_file ($file, $con) {
$dest = unique_file (UPLOADDIR, $file ["name"], $con);
if (!isset ($dest) ||
(!move_uploaded_file ($file ["tmp_name"], $dest))) {
- server_error ();
+ error_server ();
+ }
+ $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
+
+ if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
+ error_server ();
}
}
return basename_safe ($dest);
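Review bot: When create_thumbnail_or_copy() fails in save_uploaded_file(), error_server() terminates the request (error() goes through exit_document(), which calls exit) after the upload has already been moved to `$dest`, so a failed thumbnail leaves an orphan file in UPLOADDIR that no feature references and that delete_image_if_unused() will never look at. Remove it before bailing out: `if (!create_thumbnail_or_copy ($dest, $mini_dest)) { unlink ($dest); error_server (); }`. Note also that `$mini_dest` is built from `basename_safe ($dest)` while delete_image_if_unused() builds the thumbnail path from the raw `$imgpath`; the two only agree if imgpath is stored as the basename_safe value, which deserves a comment at the return. save_uploaded_file() begins outside this hunk.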
@@ -105,13 +132,13 @@ function save_uploaded_file ($file, $con) {
function img_check_upload ($file) {
if (!is_uploaded_file ($file ["tmp_name"])) {
if ($file ["error"] == UPLOAD_ERR_INI_SIZE) {
- file_too_big_error ();
+ error_file_too_big ();
} else {
- server_error ();
+ error_server ();
}
}
if (!getimagesize ($file ["tmp_name"])) {
- notanimage_error ();
+ error_notanimage ();
}
}
@@ -120,14 +147,17 @@ function delete_image_if_unused ($imgpath, $con) {
return;
}
if ($con->imgpath_exists ($imgpath)) {
- return false;
+ return;
}
+
$path = UPLOADDIR . "/" . $imgpath;
- if (file_exists($path)) {
+ if (file_exists ($path)) {
unlink ($path);
- return true;
- } else {
- return false;
+ }
+
+ $thumb_path = getthumbsdir () . "/mini_" . $imgpath;
+ if (file_exists ($thumb_path)) {
+ unlink ($thumb_path);
}
}
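Review bot: delete_image_if_unused() now returns nothing where it used to return a bool (`return;` replaces `return false;` and the `return true;` is gone), so any caller that tested the result silently sees null; the call sites in main() are outside this hunk, so I cannot confirm none does. If the result is intentionally dropped, say so in a header comment, e.g. `// Removes the upload and its mini_ thumbnail once no feature references $imgpath; returns nothing.` Both unlink() calls also ignore their return value, so a failed delete is invisible to the caller and the log. The function's opening lines are outside the hunk.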
@@ -159,27 +189,54 @@ function unique_file ($dirname, $relpath, $con) {
return null;
}
-function main ($con) {
- if (!isset ($_POST ["request"])) {
- request_error ();
+function setcookies ($user, $pwd) {
+ // cookie will be valid for 2 weeks. I've chosen that value
+ // arbitrarily, and it may change in the future.
+ $time = time () + 14 * 60 * 24 * 60;
+ if (version_compare (PHP_VERSION, '5.2.0', '>=')) {
+ setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true);
+ setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true);
+ } else {
+ setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false);
+ setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false);
}
- if ($_POST ["request"] == "auth") {
- $pwd = unquote ($_POST["password"]);
- $user = "admin";
+
+}
+
+function check_auth ($con, $user, $pwd, $auth_only) {
+ $authentificated = false;
+
+ if (isset ($pwd)) {
if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
- // cookie will be valid for 2 weeks. I've chosen that value
- // arbitrarily, and it may change in the future.
- $time = time () + 14 * 60 * 24 * 60;
- $cookie_name = sprintf ("%sauth", DBPREFIX);
- setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
- success_auth ();
+ setcookies ($user, $pwd);
+ $authentificated = true;
+ if ($auth_only) {
+ success_auth ($user);
+ }
} else {
- unauthorized_error ();
+ error_unauthorized ();
}
}
- if (!($con->checkpwdmd5 ("admin",
- $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
- unauthorized_error ();
+
+ if (!$authentificated && !($con->checkpwdmd5 (
+ $_COOKIE [sprintf ("%suser", DBPREFIX)],
+ $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
+ error_unauthorized ();
+ }
+}
+
+function main ($con) {
+ if (!isset ($_POST ["request"])) {
+ error_request ();
+ }
+
+ $pwd = unquote ($_POST ["password"]);
+ $user = unquote ($_POST ["user"]);
+ // does user only want authentication or does he want to do other things
+ $auth_only = ($_POST ["request"] == "auth");
+ check_auth ($con, $user, $pwd, $auth_only);
+ if (!$user) {
+ $user = $_COOKIE [sprintf ("%suser", DBPREFIX)];
}
switch ($_POST ["request"]) {
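Review bot: check_auth() reads the `user` and `auth` cookies without isset(), so the first request from a client with no cookies and no password in the POST raises undefined-index notices and passes two nulls to checkpwdmd5(); main() does the same with `$_POST ["password"]`, `$_POST ["user"]` and the cookie it reads after check_auth(). Guard the lookups and fail closed when either cookie is missing, as below. Separately, the auth cookie written by setcookies() is `md5 ($pwd)`, the same value checkpwdmd5() accepts, so it is a two-week password-equivalent credential sent with `secure` set to false; a random server-side session token would avoid storing anything derived from the password on the client. Both functions are complete in this hunk, but main() continues past it.
```php
function check_auth ($con, $user, $pwd, $auth_only) {
    // … unchanged: password branch that calls setcookies() …
    if (!$authentificated) {
        $cookie_user = isset ($_COOKIE [sprintf ("%suser", DBPREFIX)])
            ? $_COOKIE [sprintf ("%suser", DBPREFIX)] : null;
        $cookie_auth = isset ($_COOKIE [sprintf ("%sauth", DBPREFIX)])
            ? $_COOKIE [sprintf ("%sauth", DBPREFIX)] : null;
        // missing cookies must fail closed instead of reaching the DB check
        if (!isset ($cookie_user, $cookie_auth) ||
            !$con->checkpwdmd5 ($cookie_user, $cookie_auth)) {
            error_unauthorized ();
        }
    }
}
```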
@@ -187,7 +244,10 @@ function main ($con) {
$id = $_POST ["fid"];
$feature = $con->getfeature ($id);
if (!isset ($feature)) {
- unreferenced_error ($id);
+ error_unreferenced ($id);
+ }
+ if (($feature->user != $user) && ($user != "admin")) {
+ error_unauthorized ();
}
// no file uploaded, but editor currently has an image: it means
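Review bot: The ownership check added to the edit branch lets `admin` modify any feature (`($feature->user != $user) && ($user != "admin")`), but the matching check added to the delete branch further down (`if ($feature->user != $user)`) has no admin exception, so admin can edit but not delete other users' features; if that asymmetry is intended it deserves a comment, otherwise both branches should call one helper such as `function user_may_modify ($feature, $user) { return $feature->user === $user || $user === "admin"; }`. Both comparisons use `!=`; `!==` avoids PHP's loose string/number coercion on usernames. main() extends beyond this hunk.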
@@ -204,9 +264,9 @@ function main ($con) {
$description = unquote ($_POST ["description"]);
try {
- $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0);
+ $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
} catch (Exception $e) {
- request_error ();
+ error_request ();
}
if (($new_feature->lon == $feature->lon) &&
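Review bot: The edited feature is rebuilt with `$user` as its last constructor argument, which, if that argument is the owner field as the delete branch's `$feature->user` suggests, silently reassigns a feature to `admin` whenever admin edits someone else's entry (the ownership check above lets admin through). Preserving the original owner, `$new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $feature->user);`, keeps an edit from changing who may later delete the feature. The nochange comparison that follows does not include the user field, so the reassignment is invisible to it as well. main() continues outside the hunk.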
@@ -214,7 +274,7 @@ function main ($con) {
($new_feature->title == $feature->title) &&
($new_feature->imgpath == $feature->imgpath) &&
($new_feature->description == $feature->description)) {
- nochange_error ($feature->id);
+ error_nochange ($feature->id);
}
$old_imgpath = "";
@@ -225,7 +285,7 @@ function main ($con) {
try {
$con->save_feature ($new_feature);
} catch (Exception $e) {
- server_error ();
+ error_server ();
}
if ($old_imgpath) {
try {
@@ -242,14 +302,14 @@ function main ($con) {
$title = unquote ($_POST ["title"]);
$description = unquote ($_POST ["description"]);
try {
- $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0);
+ $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
} catch (Exception $e) {
- request_error ();
+ error_request ();
}
try {
$feature = $con->save_feature ($feature);
} catch (Exception $e) {
- server_error ();
+ error_server ();
}
success_feature ($feature, "add");
break;
@@ -257,14 +317,17 @@ function main ($con) {
$id = $_POST ["fid"];
$feature = $con->getfeature ($id);
if (!isset ($feature)) {
- unreferenced_error ($id);
+ error_unreferenced ($id);
+ }
+ if ($feature->user != $user) {
+ error_unauthorized ();
}
$imgpath = $feature->imgpath;
try {
$con->delete_feature ($feature);
} catch (Exception $e) {
- server_error ();
+ error_server ();
}
try {
@@ -272,18 +335,57 @@ function main ($con) {
} catch (Exception $e) {}
success_delete_feature ($feature);
+ case "changepass":
+ $currpass = unquote ($_POST ["pass_current"]);
+ if (!$con->checkpwdmd5 ($user, md5 ($currpass))) {
+ error_wrongpass ();
+ }
+ $newpass = unquote ($_POST ["pass_new"]);
+ try {
+ $con->setpwd ($user, $newpass);
+ } catch (Exception $e) {
+ error_server ();
+ }
+ setcookies ($user, $newpass);
+ success_changepass ($user);
+ break;
+ case "newuser":
+ if ($user != "admin") {
+ error_unauthorized ();
+ }
+ $newuser_name = unquote ($_POST ["newuser_name"]);
+ if (!$newuser_name) {
+ error_request ();
+ }
+ if ($con->user_exists ($newuser_name)) {
+ error_newuser_exists ();
+ }
+ $newuser_password = unquote ($_POST ["newuser_password"]);
+ try {
+ $con->setpwd ($newuser_name, $newuser_password);
+ } catch (Exception $e) {
+ error_server ();
+ }
+ success_newuser ($newuser_name);
+ break;
default:
- request_error();
+ error_request();
break;
}
- server_error ();
+ error_server ();
}
+if (!@include_once ("./inc/settings.php")) {
+ error_server ();
+}
+require_once ("./inc/db/mysql.php");
+require_once ("./inc/utils.php");
+
try {
$connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX);
} catch (Exception $e) {
- server_error ();
+ error_server ();
}
main ($connection);
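Review bot: In the new `changepass` and `newuser` cases, `pass_new` and `newuser_password` are read without isset() and handed to setpwd() with no emptiness check, while `newuser_name` is validated, so an empty or missing password can be stored. Reject it before the DB call, e.g. `if (!isset ($newpass) || $newpass === "") { error_request (); }`, and the same for `$newuser_password`. The `delete` case above ends with success_delete_feature() and no `break;`, relying on exit_document()'s exit() to avoid falling into `changepass`; an explicit `break;` or a comment makes that intent visible. `@include_once` hides any warning or parse error from settings.php, so a broken configuration surfaces only as a generic server error; a plain include, or at least a comment explaining why suppression is wanted, would help whoever debugs that. main() begins outside this hunk.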