X-Git-Url: https://dev.renevier.net/?a=blobdiff_plain;f=api.php;h=0d6e7273349f9bcfd98307c817a97072dab9906b;hb=b6cae6a5698c5d0655d921f78f0ccab470bf034c;hp=50e8bfe3cfa2cc5cc1fad902cc24cde9757d03e8;hpb=4acc8da49e3d4083fd9906388dd8fe0212bb9f42;p=syp.git diff --git a/api.php b/api.php index 50e8bfe..0d6e727 100644 --- a/api.php +++ b/api.php @@ -2,16 +2,15 @@ /* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD license. */ -require_once ("./inc/settings.php"); -require_once ("./inc/db/mysql.php"); -require_once ("./inc/utils.php"); - function exit_document ($body) { exit ("$body"); } -function success_auth () { - success ("auth"); +function success_auth ($user) { + $res = "" . + htmlspecialchars ($user) . + ""; + exit_document ($res); } function success_feature ($feature, $request) { @@ -20,7 +19,7 @@ function success_feature ($feature, $request) { $res .= "" . ($feature->imgpath ? - full_url_from_imgpath ($feature->imgpath) + image_url_from_imgpath ($feature->imgpath) : "") . ""; @@ -98,8 +97,13 @@ function save_uploaded_file ($file, $con) { (!move_uploaded_file ($file ["tmp_name"], $dest))) { server_error (); } + $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest); + + if (!create_thumbnail_or_copy ($dest, $mini_dest)) { + server_error (); + } } - return basename($dest); + return basename_safe ($dest); } function img_check_upload ($file) { @@ -120,14 +124,17 @@ function delete_image_if_unused ($imgpath, $con) { return; } if ($con->imgpath_exists ($imgpath)) { - return false; + return; } + $path = UPLOADDIR . "/" . $imgpath; - if (file_exists($path)) { + if (file_exists ($path)) { unlink ($path); - return true; - } else { - return false; + } + + $thumb_path = getthumbsdir () . "/mini_" . $imgpath; + if (file_exists ($thumb_path)) { + unlink ($thumb_path); } } @@ -148,7 +155,7 @@ function unique_file ($dirname, $relpath, $con) { while ($counter < 1000) { if (!file_exists ($filename) && - !($con->imgpath_exists (basename ($filename)))) { + !($con->imgpath_exists (basename_safe ($filename)))) { return $filename; } else { $counter++; @@ -159,28 +166,45 @@ function unique_file ($dirname, $relpath, $con) { return null; } -function main ($con) { - if (!isset ($_POST ["request"])) { - request_error (); - } - if ($_POST ["request"] == "auth") { - $pwd = unquote ($_POST["password"]); - $user = "admin"; +function check_auth ($con, $user, $pwd, $auth_only) { + $authentificated = false; + + if (isset ($pwd)) { if ($con->checkpwdmd5 ($user, md5 ($pwd))) { // cookie will be valid for 2 weeks. I've chosen that value // arbitrarily, and it may change in the future. $time = time () + 14 * 60 * 24 * 60; - $cookie_name = sprintf ("%sauth", DBPREFIX); - setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true); - success_auth (); + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + $authentificated = true; + if ($auth_only) { + success_auth ($user); + } } else { unauthorized_error (); } } - if (!($con->checkpwdmd5 ("admin", - $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { + + if (!$authentificated && !($con->checkpwdmd5 ( + $_COOKIE [sprintf ("%suser", DBPREFIX)], + $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { unauthorized_error (); } +} + +function main ($con) { + if (!isset ($_POST ["request"])) { + request_error (); + } + + $pwd = unquote ($_POST ["password"]); + $user = unquote ($_POST ["user"]); + // does user only want authentication or does he want to do other things + $auth_only = ($_POST ["request"] == "auth"); + check_auth ($con, $user, $pwd, $auth_only); + if (!$user) { + $user = $_COOKIE [sprintf ("%suser", DBPREFIX)]; + } switch ($_POST ["request"]) { case "update": @@ -189,6 +213,9 @@ function main ($con) { if (!isset ($feature)) { unreferenced_error ($id); } + if ($feature->user != $user) { + unauthorized_error (); + } // no file uploaded, but editor currently has an image: it means // image was not changed @@ -204,7 +231,7 @@ function main ($con) { $description = unquote ($_POST ["description"]); try { - $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0); + $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { request_error (); } @@ -242,7 +269,7 @@ function main ($con) { $title = unquote ($_POST ["title"]); $description = unquote ($_POST ["description"]); try { - $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0); + $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { request_error (); } @@ -259,6 +286,9 @@ function main ($con) { if (!isset ($feature)) { unreferenced_error ($id); } + if ($feature->user != $user) { + unauthorized_error (); + } $imgpath = $feature->imgpath; try { @@ -280,6 +310,12 @@ function main ($con) { server_error (); } +if (!@include_once ("./inc/settings.php")) { + server_error (); +} +require_once ("./inc/db/mysql.php"); +require_once ("./inc/utils.php"); + try { $connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX); } catch (Exception $e) {