2 /* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD
function exit_document ($body) {
    // Wrap $body in a bare HTML document, send it and terminate the script.
    // $body is inserted verbatim: every caller must escape user-controlled
    // text before handing it in (see the htmlspecialchars() calls below).
    $doc = '<html><head></head><body>' . $body . '</body></html>';
    exit ($doc);
function success ($reason) {
    // Reply with an empty <success> element whose request attribute is
    // $reason, then stop. $reason is not escaped; callers pass fixed names.
    $doc = '<success request="' . $reason . '"></success>';
    exit_document ($doc);
function success_changepass ($username) {
    // Success document for the "changepass" request, echoing the (escaped)
    // account name. The rest of the element and the exit_document() call
    // are not part of this excerpt.
    $res = "<success request=\"changepass\"><user>" .
        htmlspecialchars ($username) .
function success_newuser ($username) {
    // Success document for the admin-only "newuser" request, echoing the
    // (escaped) name of the account just created. The rest of the element
    // and the exit_document() call are not part of this excerpt.
    $res = "<success request=\"newuser\"><user>" .
        htmlspecialchars ($username) .
function success_auth ($user) {
    // Success document for the "auth" request (called from check_auth()).
    // BUG(review): $reason is never assigned in this function — the only
    // parameter is $user — so the request attribute is emitted empty (with an
    // undefined-variable notice). The sibling helpers hard-code the request
    // name; this one should read
    //     $res = "<success request=\"auth\"><user>" .
    // The rest of the element and the exit_document() call are not in this excerpt.
    $res = "<success request=\"$reason\"><user>" .
        htmlspecialchars ($user) .
function success_feature ($feature, $request) {
    // Success document for an "add" or "update" of $feature; $request is the
    // literal request name passed by main(). Text fields are escaped; id, lon
    // and lat are concatenated as-is. Lines omitted from this excerpt include
    // the image element built around image_url_from_imgpath() and the tag
    // that wraps the title.
    $res = "<success request=\"$request\"><feature>";
    // NOTE(review): id/lon/lat are not escaped. id comes back from the db
    // (getfeature / save_feature) and lon/lat from $_POST via the feature
    // constructor. Unless that constructor guarantees numeric values, wrap
    // these three in htmlspecialchars() as well — exit_document() emits this
    // inside an HTML page.
    $res .= "<id>" . $feature->id . "</id>";
        image_url_from_imgpath ($feature->imgpath)
    $res .= "<description>" .
        htmlspecialchars ($feature->description) .
    // XXX: we do not use <title> because that would be interpreted and
    // altered by the browser's html parser
        htmlspecialchars ($feature->title) .
    $res .= "<lon>" . $feature->lon . "</lon>";
    $res .= "<lat>" . $feature->lat . "</lat>";
    $res .= "</feature></success>";
function success_delete_feature ($feature) {
    // Acknowledge the "del" request by echoing the deleted feature's id.
    // The id is the one on the row fetched by getfeature(), not the raw
    // request value, so it is emitted as-is like in success_feature().
    $res = sprintf ("<success request=\"del\"><feature><id>%s</id></feature></success>",
                    $feature->id);
function error ($reason) {
    // Reply with an empty <error> element carrying $reason, then stop.
    // $reason is inserted unescaped; every caller in this file passes a literal.
    $doc = '<error reason="' . $reason . '"></error>';
    exit_document ($doc);
function error_newuser_exists () {
    // "newuser" request for a name that user_exists() already knows.
    $reason = "newuser_exists";
    error ($reason);
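function error_feature ($id, $reason) {
    // Build an <error> document naming the offending feature id.
    // $id is echoed back from the request: main() passes $_POST["fid"]
    // straight through to error_unreferenced() when no such feature exists,
    // so it must be escaped before it lands inside the HTML page that
    // exit_document() emits (otherwise this is a reflected XSS sink).
    // $reason is a fixed name supplied by the error_* helpers.
    // The exit_document() call that follows is not part of this excerpt.
    $res = "<error reason=\"$reason\"><feature>";
    $res .= "<id>" . htmlspecialchars ($id) . "</id>";
    $res .= "</feature></error>";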
function error_nochange ($id) {
    // The submitted "update" is identical to what is stored for feature $id.
    $reason = "nochange";
    error_feature ($id, $reason);
function error_unreferenced ($id) {
    // No feature with id $id exists. main() passes the raw $_POST["fid"]
    // here, so error_feature() is responsible for escaping it.
    $reason = "unreferenced";
    error_feature ($id, $reason);
// Generic server-side failure reply; its body is not part of this excerpt.
function error_server () {
// Reply for a rejected current password (presumably the "changepass" branch
// of main() after its checkpwdmd5() test — the call is not shown); body not
// part of this excerpt.
function error_wrongpass () {
function error_unauthorized () {
    // Uniform rejection used for a failed login, a missing/invalid auth
    // cookie, editing or deleting another user's feature, and a "newuser"
    // request from anyone but admin.
    $reason = "unauthorized";
    error ($reason);
// Reply for a malformed request; callers and body are not part of this excerpt.
function error_request () {
// Reply used by img_check_upload() when the upload exceeded the PHP size limit
// (UPLOAD_ERR_INI_SIZE); body not part of this excerpt.
function error_file_too_big () {
// Reply for an upload that getimagesize() rejects (presumably the branch that
// follows the check in img_check_upload(), not shown); body not part of this excerpt.
function error_notanimage () {
function save_uploaded_file ($file, $con) {
    // Store an uploaded image under UPLOADDIR plus a thumbnail under
    // getthumbsdir(), and return the stored basename. $file is one $_FILES
    // entry (main() passes $_FILES["image_file"]). The path taken when no
    // file was sent, and the error exits, are not part of this excerpt.
    if (isset ($file) && ($file ["error"] != UPLOAD_ERR_NO_FILE)) {
    // Rejects non-uploads, oversize files and non-images (exits on failure).
    img_check_upload ($file);
    // NOTE(review): the stored name keeps the client-supplied extension
    // (unique_file() only strips path separators) and the only content check
    // is getimagesize(). If UPLOADDIR is reachable through the web server with
    // PHP enabled, an image/PHP polyglot uploaded as "x.php" would be stored
    // there and be executable. Restrict the extension to an image allowlist,
    // or derive it from image_type_to_extension() on the getimagesize()
    // result, before calling unique_file().
    $dest = unique_file (UPLOADDIR, $file ["name"], $con);
    if (!isset ($dest) ||
        (!move_uploaded_file ($file ["tmp_name"], $dest))) {
    // handling of the failed move is not part of this excerpt
    $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
    if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
    // handling of the failed thumbnail is not part of this excerpt
    return basename_safe ($dest);
function img_check_upload ($file) {
    // Validate one $_FILES entry; exits through an error_* helper on any
    // problem. is_uploaded_file() is false both for a failed upload and for
    // a path that did not come from this request, so the error code is
    // inspected to choose the reply. The remaining branches are not shown.
    if (!is_uploaded_file ($file ["tmp_name"])) {
    if ($file ["error"] == UPLOAD_ERR_INI_SIZE) {
    error_file_too_big ();
    // getimagesize() only parses the image header: a file that is a valid
    // image *and* something else (e.g. with an appended script) passes. It
    // must not be the only control on what name the file is stored under.
    if (!getimagesize ($file ["tmp_name"])) {
function delete_image_if_unused ($imgpath, $con) {
    // Remove a stored image and its thumbnail once no feature row references
    // it any more. $imgpath is the stored basename (what save_uploaded_file()
    // returned), not a client path. The early returns closing the first two
    // ifs, and the unlink() of the main file, are not part of this excerpt.
    if (!isset ($imgpath) || (strlen ($imgpath) == 0)) {
    // still referenced by another feature: keep the files
    if ($con->imgpath_exists ($imgpath)) {
    // NOTE(review): $imgpath is concatenated into the path as-is. It is
    // trusted because it went through basename_safe() on the way in; if the
    // imgpath column can be written by any other route, apply basename()
    // again here before unlink().
    $path = UPLOADDIR . "/" . $imgpath;
    if (file_exists ($path)) {
    $thumb_path = getthumbsdir () . "/mini_" . $imgpath;
    if (file_exists ($thumb_path)) {
    unlink ($thumb_path);
function unique_file ($dirname, $relpath, $con) {
    // Choose an unused path under $dirname for the client-supplied name
    // $relpath: the name itself if free, otherwise base_N.ext for increasing
    // N, giving up after 1000 attempts. "Unused" means neither present on
    // disk nor referenced in the db (imgpath_exists on the basename).
    // Only path separators are removed from the name.
    $relpath = str_replace ('/', '', $relpath); // strip slashes from path
    $relpath = str_replace ('\\', '', $relpath); // strip antislashes from path
    $filename = $dirname . '/' . $relpath;
    // Split at the last dot; the handling of a name with no dot is not shown.
    $dotpos = strrpos ($relpath, '.');
    $base = substr ($relpath, 0, $dotpos);
    $ext = substr ($relpath, $dotpos + 1);
    // NOTE(review): $ext is never validated, and save_uploaded_file() stores
    // the file under this name. An allowlist here (e.g. lowercase jpg/jpeg/
    // png/gif, else return null so the caller errors out) is what keeps a
    // ".php"/".phtml" name out of UPLOADDIR. file_exists() followed by the
    // caller's move is a check-then-act race; fine for honest collisions,
    // but it is not a lock. ($counter is initialised on a line not shown.)
    while ($counter < 1000) {
    if (!file_exists ($filename) &&
        !($con->imgpath_exists (basename_safe ($filename)))) {
    // the success path inside this if is not part of this excerpt
    $filename = $dirname . '/' . $base . '_' . $counter . '.' . $ext;
    // we tried to find an unused filename 1000 times. Give up now.
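function setcookies ($user, $pwd) {
    // Issue the two authentication cookies that check_auth() reads back:
    // DBPREFIX."user" (account name) and DBPREFIX."auth" (md5 of the password,
    // the same digest checkpwdmd5() compares against).
    // cookie will be valid for 2 weeks. I've chosen that value
    // arbitrarily, and it may change in the future.
    $time = time () + 14 * 60 * 24 * 60;
    // Mark the cookies Secure whenever the request itself arrived over TLS,
    // so a credential-bearing cookie is never replayed over plain HTTP. It is
    // left off on an HTTP deployment, where a Secure cookie would never be
    // sent back at all; HttpOnly stays set in both cases.
    $secure = !empty ($_SERVER ["HTTPS"]) && $_SERVER ["HTTPS"] !== "off";
    // NOTE(review): the auth cookie is an unsalted md5 of the password, i.e. a
    // password equivalent with no server-side expiry or revocation other than
    // a password change. Replacing it with a random session token (and storing
    // passwords with password_hash()) needs a matching change in the db layer,
    // since checkpwdmd5() expects exactly this value.
    setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", $secure, true);
    setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", $secure, true);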
function check_auth ($con, $user, $pwd, $auth_only) {
    // Authenticate the request from the POSTed user/password or, failing
    // that, from the cookies issued by setcookies(). Every failure path exits
    // through error_unauthorized(); the lines that close and connect these
    // ifs are not part of this excerpt.
    $authentificated = false;
    // Password path. The db verifies unsalted md5 (checkpwdmd5), which is why
    // the same digest is what ends up in the auth cookie.
    // NOTE(review): no rate limiting or lockout is visible around this check.
    if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
    setcookies ($user, $pwd);
    $authentificated = true;
    // presumably only reached when $auth_only — the surrounding condition is not shown
    success_auth ($user);
    error_unauthorized ();
    // Cookie path. The auth cookie carries md5(password) directly, so it is a
    // long-lived password equivalent: whoever holds it is logged in until the
    // password changes. Both keys are read without isset() (notice when absent).
    if (!$authentificated && !($con->checkpwdmd5 (
        $_COOKIE [sprintf ("%suser", DBPREFIX)],
        $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
    error_unauthorized ();
function main ($con) {
    // Request dispatcher. Reads $_POST["request"], authenticates through
    // check_auth(), then handles the update / add / del / changepass / newuser
    // requests (the switch's case labels are not part of this excerpt; the
    // names are taken from the success_* calls below). Every reply helper
    // exits, so each branch ends at its success_*/error_* call.
    // NOTE(review): every branch changes server state on a plain POST that is
    // authenticated only by cookies, and no CSRF token is checked anywhere in
    // the visible code — confirm one exists elsewhere or add one.
    if (!isset ($_POST ["request"])) {
    // unquote() presumably undoes magic quotes; its definition is not shown
    $pwd = unquote ($_POST ["password"]);
    $user = unquote ($_POST ["user"]);
    // does user only want authentication or does he want to do other things
    $auth_only = ($_POST ["request"] == "auth");
    check_auth ($con, $user, $pwd, $auth_only);
    // From here on the identity is the cookie value check_auth() validated.
    // NOTE(review): setcookie() does not update $_COOKIE within the same
    // request, so a password login that is not auth_only reaches this line
    // with the previous (or absent) cookie — confirm clients always perform
    // an "auth" round trip first.
    $user = $_COOKIE [sprintf ("%suser", DBPREFIX)];
    // NOTE(review): the $_POST keys below are read without isset(); a missing
    // key yields null (plus a notice) rather than an error_request() reply.
    switch ($_POST ["request"]) {
    // --- update: fid, lon, lat, title, description, keep_img, image_file ---
    // NOTE(review): $id is the raw request value and is echoed back by
    // error_unreferenced() -> error_feature(); that helper must escape it.
    $id = $_POST ["fid"];
    $feature = $con->getfeature ($id);
    if (!isset ($feature)) {
    error_unreferenced ($id);
    // Ownership check: only the feature's owner may change it. Keep it ahead
    // of any file write.
    if ($feature->user != $user) {
    error_unauthorized ();
    // no file uploaded, but editor currently has an image: it means
    // image was not changed
    if ($_POST ["keep_img"] == "yes") {
    $imgpath = $feature->imgpath;
    $imgpath = save_uploaded_file ($_FILES ["image_file"], $con);
    $lon = $_POST ["lon"];
    $lat = $_POST ["lat"];
    $title = unquote ($_POST ["title"]);
    $description = unquote ($_POST ["description"]);
    // The feature constructor is the only validation of lon/lat/title seen
    // here; it is wrapped in a try whose opening line is not shown.
    $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
    } catch (Exception $e) {
    // NOTE(review): these are loose (==) comparisons: "1.0" == "1" is true in
    // PHP, so an edit that only changes the numeric formatting of lon/lat is
    // reported as nochange — intentional?
    if (($new_feature->lon == $feature->lon) &&
        ($new_feature->lat == $feature->lat) &&
        ($new_feature->title == $feature->title) &&
        ($new_feature->imgpath == $feature->imgpath) &&
        ($new_feature->description == $feature->description)) {
    error_nochange ($feature->id);
    // Remember the replaced image so it can be garbage-collected after the
    // row is saved (and only if nothing else still references it).
    if ($feature->imgpath && ($feature->imgpath != $new_feature->imgpath)) {
    $old_imgpath = $feature->imgpath;
    $con->save_feature ($new_feature);
    } catch (Exception $e) {
    // best effort: a failed cleanup does not fail the update
    delete_image_if_unused ($old_imgpath, $con);
    } catch (Exception $e) {}
    success_feature ($new_feature, "update");
    // --- add: lon, lat, title, description, image_file ---
    $imgpath = save_uploaded_file ($_FILES ["image_file"], $con);
    $lon = $_POST ["lon"];
    $lat = $_POST ["lat"];
    $title = unquote ($_POST ["title"]);
    $description = unquote ($_POST ["description"]);
    $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
    } catch (Exception $e) {
    $feature = $con->save_feature ($feature);
    } catch (Exception $e) {
    success_feature ($feature, "add");
    // --- del: fid --- (same lookup and ownership check as update)
    $id = $_POST ["fid"];
    $feature = $con->getfeature ($id);
    if (!isset ($feature)) {
    error_unreferenced ($id);
    if ($feature->user != $user) {
    error_unauthorized ();
    $imgpath = $feature->imgpath;
    $con->delete_feature ($feature);
    } catch (Exception $e) {
    // best effort: a failed cleanup does not fail the delete
    delete_image_if_unused ($imgpath, $con);
    } catch (Exception $e) {}
    success_delete_feature ($feature);
    // --- changepass: pass_current, pass_new ---
    // The current password is re-verified even though the request is already
    // authenticated, so a stolen cookie alone cannot change the password.
    // NOTE(review): verification is unsalted md5 (checkpwdmd5/setpwd);
    // moving to password_hash()/password_verify() is a db-layer change.
    $currpass = unquote ($_POST ["pass_current"]);
    if (!$con->checkpwdmd5 ($user, md5 ($currpass))) {
    $newpass = unquote ($_POST ["pass_new"]);
    $con->setpwd ($user, $newpass);
    } catch (Exception $e) {
    // Re-issue the cookies: the auth cookie is md5(password), so every other
    // session holding the old digest is invalidated by this change.
    setcookies ($user, $newpass);
    success_changepass ($user);
    // --- newuser: newuser_name, newuser_password (admin only) ---
    if ($user != "admin") {
    error_unauthorized ();
    $newuser_name = unquote ($_POST ["newuser_name"]);
    // empty name is rejected; note "0" is falsy here too
    if (!$newuser_name) {
    if ($con->user_exists ($newuser_name)) {
    error_newuser_exists ();
    $newuser_password = unquote ($_POST ["newuser_password"]);
    $con->setpwd ($newuser_name, $newuser_password);
    } catch (Exception $e) {
    success_newuser ($newuser_name);
// Bootstrap: load the site settings (which define DBHOST/DBUSER/DBPWD/DBNAME/
// DBPREFIX and UPLOADDIR), the mysql driver and the helpers, then connect and
// hand over to main(). The include is @-suppressed, so a missing settings file
// produces no warning; the branch handling that case is not part of this
// excerpt, nor is the line that creates $connection.
if (!@include_once ("./inc/settings.php")) {
require_once ("./inc/db/mysql.php");
require_once ("./inc/utils.php");
// NOTE(review): the catch below should answer with error_server() rather than
// echo $e->getMessage(): driver messages can include the db host and user.
$connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX);
} catch (Exception $e) {