exit ("<html><head></head><body>$body</body></html>");
}
-function success_auth () {
- success ("auth");
+function success_auth ($user) {
+ $res = "<success request=\"$reason\"><user>" .
+ htmlspecialchars ($user) .
+ "</user></success>";
+ exit_document ($res);
}
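Review bot: `$reason` is never defined inside the new success_auth(), so the `request` attribute is emitted empty (and raises an undefined-variable notice) where the removed `success ("auth")` used to carry the value; the literal belongs here: `$res = "<success request=\"auth\"><user>" .`. The enclosing function's caller chain (exit_document) is outside this hunk, but nothing visible assigns `$reason` in this scope.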
function success_feature ($feature, $request) {
$res .= "<imgurl>" .
($feature->imgpath ?
- full_url_from_imgpath ($feature->imgpath)
+ image_url_from_imgpath ($feature->imgpath)
: "") .
"</imgurl>";
(!move_uploaded_file ($file ["tmp_name"], $dest))) {
server_error ();
}
+ $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
+
+ if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
+ server_error ();
+ }
}
- return basename($dest);
+ return basename_safe ($dest);
}
function img_check_upload ($file) {
return;
}
if ($con->imgpath_exists ($imgpath)) {
- return false;
+ return;
}
+
$path = UPLOADDIR . "/" . $imgpath;
- if (file_exists($path)) {
+ if (file_exists ($path)) {
unlink ($path);
- return true;
- } else {
- return false;
+ }
+
+ $thumb_path = getthumbsdir () . "/mini_" . $imgpath;
+ if (file_exists ($thumb_path)) {
+ unlink ($thumb_path);
}
}
while ($counter < 1000) {
if (!file_exists ($filename) &&
- !($con->imgpath_exists (basename ($filename)))) {
+ !($con->imgpath_exists (basename_safe ($filename)))) {
return $filename;
} else {
$counter++;
return null;
}
-function main ($con) {
- if (!isset ($_POST ["request"])) {
- request_error ();
- }
- if ($_POST ["request"] == "auth") {
- $pwd = unquote ($_POST["password"]);
- $user = "admin";
+function check_auth ($con, $user, $pwd, $auth_only) {
+ $authentificated = false;
+
+ if (isset ($pwd)) {
if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
// cookie will be valid for 2 weeks. I've chosen that value
// arbitrarily, and it may change in the future.
$time = time () + 14 * 60 * 24 * 60;
- $cookie_name = sprintf ("%sauth", DBPREFIX);
- setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
- success_auth ();
+ setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true);
+ setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true);
+ $authentificated = true;
+ if ($auth_only) {
+ success_auth ($user);
+ }
} else {
unauthorized_error ();
}
}
- if (!($con->checkpwdmd5 ("admin",
- $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
+
+ if (!$authentificated && !($con->checkpwdmd5 (
+ $_COOKIE [sprintf ("%suser", DBPREFIX)],
+ $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
unauthorized_error ();
}
+}
+
+function main ($con) {
+ if (!isset ($_POST ["request"])) {
+ request_error ();
+ }
+
+ $pwd = unquote ($_POST ["password"]);
+ $user = unquote ($_POST ["user"]);
+ // does user only want authentication or does he want to do other things
+ $auth_only = ($_POST ["request"] == "auth");
+ check_auth ($con, $user, $pwd, $auth_only);
+ if (!$user) {
+ $user = $_COOKIE [sprintf ("%suser", DBPREFIX)];
+ }
switch ($_POST ["request"]) {
case "update":
if (!isset ($feature)) {
unreferenced_error ($id);
}
+ if ($feature->user != $user) {
+ unauthorized_error ();
+ }
// no file uploaded, but editor currently has an image: it means
// image was not changed
$description = unquote ($_POST ["description"]);
try {
- $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0);
+ $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
} catch (Exception $e) {
request_error ();
}
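Review bot: The ownership checks added in main (`$feature->user != $user`) compare against `$user = unquote ($_POST ["user"])`, but when no password is posted check_auth() validates the cookie pair and never ties `$user` back to the cookie's user, so the identity used for authorization can differ from the one whose credential was verified; `$user` is only taken from the cookie when the POST field is empty. check_auth() should return the name it actually verified and main should use that return value in place of the `if (!$user)` fallback, as sketched below; the cookie lookups also need isset() guards, since `$_COOKIE [...]` is read unconditionally. Separately, both branches still authenticate with md5 of the password and the auth cookie is a two-week bearer copy of that hash; this predates the change, but the new per-user cookie is the natural point to move to password_hash()/password_verify() and a random session token. main continues past the end of this hunk.
```php
function check_auth ($con, $user, $pwd, $auth_only) {
    // … unchanged: password branch (sets cookies, success_auth when $auth_only) …
    if ($authentificated) {
        return $user;
    }
    $user_cookie = sprintf ("%suser", DBPREFIX);
    $auth_cookie = sprintf ("%sauth", DBPREFIX);
    if (!isset ($_COOKIE [$user_cookie]) || !isset ($_COOKIE [$auth_cookie]) ||
        !($con->checkpwdmd5 ($_COOKIE [$user_cookie], $_COOKIE [$auth_cookie]))) {
        unauthorized_error ();
    }
    return $_COOKIE [$user_cookie];
}

function main ($con) {
    // … unchanged: request/password/user parsing, $auth_only …
    $user = check_auth ($con, $user, $pwd, $auth_only);
    // … unchanged: switch ($_POST ["request"]) …
```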
$title = unquote ($_POST ["title"]);
$description = unquote ($_POST ["description"]);
try {
- $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0);
+ $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
} catch (Exception $e) {
request_error ();
}
if (!isset ($feature)) {
unreferenced_error ($id);
}
+ if ($feature->user != $user) {
+ unauthorized_error ();
+ }
$imgpath = $feature->imgpath;
try {