forbird creation or deletion of item; forbids adding or deleting an image

[syp.git] / api.php

diff --git a/api.php b/api.php
index 18c7179cd1b9306a1ab34acb4bc6c2ed43b5f4f6..38dc35dab9ef09834ac3120e8e8f74b229a9a868 100644 (file)
--- a/api.php
+++ b/api.php
@@ -100,17 +100,9 @@ function save_uploaded_file ($file, $con) {
         }
         $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
 
-        try {
-            $thumbnail_ok = create_thumbnail ($dest, $mini_dest);
-        } catch (Exception $e) {
-            $thumbnail_ok = false;
-        }
-        if (!$thumbnail_ok) {
-            if (!copy ($dest, $mini_dest)) {
-                server_error ();
-            }
+        if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
+            server_error ();
         }
-
     }
     return basename_safe ($dest);
 }
@@ -175,28 +167,41 @@ function unique_file ($dirname, $relpath, $con) {
    return null;
 }
 
-function main ($con) {
-    if (!isset ($_POST ["request"])) {
-        request_error ();
-    }
-    if ($_POST ["request"] == "auth") {
-        $pwd = unquote ($_POST["password"]);
-        $user = "admin";
+function check_auth ($con, $pwd, $cookie_name, $auth_only) {
+    $authentificated = false;
+    $user = "admin";
+
+    if ($pwd) {
         if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
             // cookie will be valid for 2 weeks. I've chosen that value
             // arbitrarily, and it may change in the future.
             $time = time () + 14 * 60 * 24 * 60;
-            $cookie_name = sprintf ("%sauth", DBPREFIX);
             setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
-            success_auth ();
+            $authentificated = true;
+            if ($auth_only) {
+                success_auth ();
+            }
         } else {
             unauthorized_error ();
         }
     }
-    if (!($con->checkpwdmd5 ("admin",
-                             $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
+
+    if (!$authentificated && !($con->checkpwdmd5 ($user,
+                             $_COOKIE [$cookie_name]))) {
         unauthorized_error ();
     }
+}
+
+function main ($con) {
+    if (!isset ($_POST ["request"])) {
+        request_error ();
+    }
+
+    $pwd = unquote ($_POST["password"]);
+    $cookie_name = sprintf ("%sauth", DBPREFIX);
+    // does user only want authentication or does he want to do other things
+    $auth_only = ($_POST ["request"] == "auth");
+    check_auth ($con, $pwd, $cookie_name, $auth_only);
 
     switch ($_POST ["request"]) {
         case "update":
@@ -211,6 +216,7 @@ function main ($con) {
             if ($_POST ["keep_img"] == "yes") {
                 $imgpath = $feature->imgpath;
             } else {
+                request_error ();
                 $imgpath = save_uploaded_file ($_FILES ["image_file"], $con);
             }
 
@@ -251,6 +257,7 @@ function main ($con) {
             success_feature ($new_feature, "update");
         break;
         case "add":
+            request_error ();
             $imgpath = save_uploaded_file ($_FILES ["image_file"], $con);
 
             $lon = $_POST ["lon"];
@@ -270,6 +277,7 @@ function main ($con) {
             success_feature ($feature, "add");
         break;
         case "del":
+            request_error ();
             $id = $_POST ["fid"];
             $feature = $con->getfeature ($id);
             if (!isset ($feature)) {