X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=2dbfac4857a88e258513b114b3dcdb262ad770a3;hp=93f27bde6bd5e658a5a0a7af32c297754abe76f0;hb=19730f2e2bbf61f389882c646f58349df3bcd848;hpb=57511b4efd7402ef58de66ac1fe2c01ed1b1d7b5 diff --git a/api.php b/api.php index 93f27bd..2dbfac4 100644 --- a/api.php +++ b/api.php @@ -2,16 +2,34 @@ /* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD license. */ -require_once ("./inc/settings.php"); -require_once ("./inc/db/mysql.php"); -require_once ("./inc/utils.php"); - function exit_document ($body) { - exit ("$body"); + $charset_meta = ''; + exit ("$charset_meta$body"); +} + +function success ($reason) { + exit_document (""); +} + +function success_changepass ($username) { + $res = "" . + htmlspecialchars ($username) . + ""; + exit_document ($res); +} + +function success_newuser ($username) { + $res = "" . + htmlspecialchars ($username) . + ""; + exit_document ($res); } -function success_auth () { - success ("auth"); +function success_auth ($user) { + $res = "" . + htmlspecialchars ($user) . + ""; + exit_document ($res); } function success_feature ($feature, $request) { @@ -20,7 +38,7 @@ function success_feature ($feature, $request) { $res .= "" . ($feature->imgpath ? - full_url_from_filename ($feature->imgpath) + image_url_from_imgpath ($feature->imgpath) : "") . ""; @@ -47,14 +65,14 @@ function success_delete_feature ($feature) { exit_document ($res); } -function success ($reason) { - exit_document (""); -} - function error ($reason) { exit_document (""); } +function error_newuser_exists () { + error ("newuser_exists"); +} + function error_feature ($id, $reason) { $res = ""; $res .= "" . $id . ""; 
@@ -62,30 +80,34 @@ function error_feature ($id, $reason) { exit_document ($res); } -function nochange_error ($id) { +function error_nochange ($id) { error_feature ($id, "nochange"); } -function unreferenced_error ($id) { +function error_unreferenced ($id) { error_feature ($id, "unreferenced"); } -function server_error () { +function error_server () { error ("server"); } -function unauthorized_error () { +function error_wrongpass () { + error ("wrongpass"); +} + +function error_unauthorized () { error ("unauthorized"); } -function request_error () { +function error_request () { error ("request"); } -function file_too_big_error () { +function error_file_too_big () { error ("toobig"); } -function notanimage_error () { +function error_notanimage () { error ("notimage"); } 
@@ -96,35 +118,46 @@ function save_uploaded_file ($file, $con) { $dest = unique_file (UPLOADDIR, $file ["name"], $con); if (!isset ($dest) || (!move_uploaded_file ($file ["tmp_name"], $dest))) { - server_error (); + error_server (); + } + $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest); + + if (!create_thumbnail_or_copy ($dest, $mini_dest)) { + error_server (); } } - return basename($dest); + return basename_safe ($dest); } function img_check_upload ($file) { if (!is_uploaded_file ($file ["tmp_name"])) { if ($file ["error"] == UPLOAD_ERR_INI_SIZE) { - file_too_big_error (); + error_file_too_big (); } else { - server_error (); + error_server (); } } if (!getimagesize ($file ["tmp_name"])) { - notanimage_error (); + error_notanimage (); } } function delete_image_if_unused ($imgpath, $con) { + if (!isset ($imgpath) || (strlen ($imgpath) == 0)) { + return; + } if ($con->imgpath_exists ($imgpath)) { - return false; + return; } + $path = UPLOADDIR . "/" . $imgpath; - if (file_exists($path)) { + if (file_exists ($path)) { unlink ($path); - return true; - } else { - return false; + } + + $thumb_path = getthumbsdir () . "/mini_" . $imgpath; + if (file_exists ($thumb_path)) { + unlink ($thumb_path); } } @@ -145,7 +178,7 @@ function unique_file ($dirname, $relpath, $con) { while ($counter < 1000) { if (!file_exists ($filename) && - !($con->imgpath_exists (basename ($filename)))) { + !($con->imgpath_exists (basename_safe ($filename)))) { return $filename; } else { $counter++; 
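Review bot: In save_uploaded_file the upload has already been moved to $dest when create_thumbnail_or_copy () fails, so the new error_server () call exits leaving an orphan file in UPLOADDIR that no feature will ever reference; add `unlink ($dest);` immediately before that error_server (). The opening lines of save_uploaded_file are outside the hunk. In delete_image_if_unused the added empty-string guard is welcome, but $imgpath is still concatenated straight into both unlink () paths; if it can ever originate from the request rather than from a basename_safe () result, a `..` component reaches outside UPLOADDIR and the thumbnail directory, so a second guard next to the existing one, `if (basename_safe ($imgpath) != $imgpath) { return; }`, would make the function safe regardless of caller.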
@@ -156,27 +189,54 @@ function unique_file ($dirname, $relpath, $con) { return null; } -function main ($con) { - if (!isset ($_POST ["request"])) { - request_error (); +function setcookies ($user, $pwd) { + // cookie will be valid for 2 weeks. I've chosen that value + // arbitrarily, and it may change in the future. + $time = time () + 14 * 60 * 24 * 60; + if (version_compare (PHP_VERSION, '5.2.0', '>=')) { + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + } else { + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false); } - if ($_POST ["request"] == "auth") { - $pwd = unquote ($_POST["password"]); - $user = "admin"; + +} + +function check_auth ($con, $user, $pwd, $auth_only) { + $authentificated = false; + + if (isset ($pwd)) { if ($con->checkpwdmd5 ($user, md5 ($pwd))) { - // cookie will be valid for 2 weeks. I've chosen that value - // arbitrarily, and it may change in the future. 
- $time = time () + 14 * 60 * 24 * 60; - $cookie_name = sprintf ("%sauth", DBPREFIX); - setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true); - success_auth (); + setcookies ($user, $pwd); + $authentificated = true; + if ($auth_only) { + success_auth ($user); + } } else { - unauthorized_error (); + error_unauthorized (); } } - if (!($con->checkpwdmd5 ("admin", - $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { - unauthorized_error (); + + if (!$authentificated && !($con->checkpwdmd5 ( + $_COOKIE [sprintf ("%suser", DBPREFIX)], + $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { + error_unauthorized (); + } +} + +function main ($con) { + if (!isset ($_POST ["request"])) { + error_request (); + } + + $pwd = unquote ($_POST ["password"]); + $user = unquote ($_POST ["user"]); + // does user only want authentication or does he want to do other things + $auth_only = ($_POST ["request"] == "auth"); + check_auth ($con, $user, $pwd, $auth_only); + if (!$user) { + $user = $_COOKIE [sprintf ("%suser", DBPREFIX)]; } switch ($_POST ["request"]) { @@ -184,7 +244,10 @@ function main ($con) { $id = $_POST ["fid"]; $feature = $con->getfeature ($id); if (!isset ($feature)) { - unreferenced_error ($id); + error_unreferenced ($id); + } + if (($feature->user != $user) && ($user != "admin")) { + error_unauthorized (); } // no file uploaded, but editor currently has an image: it means @@ -201,9 +264,9 @@ function main ($con) { $description = unquote ($_POST ["description"]); try { - $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description); + $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { - request_error (); + error_request (); } if (($new_feature->lon == $feature->lon) && 
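Review bot: In main the identity used for every later authorization decision can be chosen by the client: check_auth validates the cookie pair against the name stored in the user cookie, but $user keeps whatever was posted in $_POST ["user"], and the `if (!$user)` fallback only fires when nothing was posted at all. A client holding a valid cookie for an ordinary account can therefore post user=admin with no password, pass check_auth on the cookie path, and then satisfy the `$user != "admin"` checks in the edit and newuser branches as admin. Whether that path is reached without a posted password depends on what unquote () returns for a missing key, which is outside the hunk, but the fix is the same either way: have check_auth return the name it actually verified and make main use only that. Separately, the cookie still carries md5 ($pwd), an unsalted password equivalent that stays valid until the password changes; that predates this commit, but a random server-side session token would remove it.
```php
function check_auth ($con, $user, $pwd, $auth_only) {
    // ... unchanged: posted-password branch (setcookies, success_auth, error_unauthorized) ...
    if ($authentificated) {
        return $user;
    }
    $user_cookie = sprintf ("%suser", DBPREFIX);
    $auth_cookie = sprintf ("%sauth", DBPREFIX);
    $cookie_user = isset ($_COOKIE [$user_cookie]) ? $_COOKIE [$user_cookie] : null;
    $cookie_auth = isset ($_COOKIE [$auth_cookie]) ? $_COOKIE [$auth_cookie] : null;
    if (!$con->checkpwdmd5 ($cookie_user, $cookie_auth)) {
        error_unauthorized ();
    }
    // the verified identity, never the posted one, is what main () must use
    return $cookie_user;
}

// in main (), replacing the check_auth () call and the "if (!$user)" block:
    $user = check_auth ($con, $user, $pwd, $auth_only);
```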
@@ -211,7 +274,7 @@ function main ($con) { ($new_feature->title == $feature->title) && ($new_feature->imgpath == $feature->imgpath) && ($new_feature->description == $feature->description)) { - nochange_error ($feature->id); + error_nochange ($feature->id); } $old_imgpath = ""; @@ -222,7 +285,7 @@ function main ($con) { try { $con->save_feature ($new_feature); } catch (Exception $e) { - server_error (); + error_server (); } if ($old_imgpath) { try { @@ -239,14 +302,14 @@ function main ($con) { $title = unquote ($_POST ["title"]); $description = unquote ($_POST ["description"]); try { - $feature = new feature (null, $lon, $lat, $imgpath, $title, $description); + $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { - request_error (); + error_request (); } try { $feature = $con->save_feature ($feature); } catch (Exception $e) { - server_error (); + error_server (); } success_feature ($feature, "add"); break; @@ -254,14 +317,17 @@ function main ($con) { $id = $_POST ["fid"]; $feature = $con->getfeature ($id); if (!isset ($feature)) { - unreferenced_error ($id); + error_unreferenced ($id); + } + if ($feature->user != $user) { + error_unauthorized (); } $imgpath = $feature->imgpath; try { $con->delete_feature ($feature); } catch (Exception $e) { - server_error (); + error_server (); } try { 
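Review bot: The ownership check added to the delete branch, `if ($feature->user != $user)`, has no admin override, while the edit branch in this same commit lets admin modify any feature; if that asymmetry is not intended, use the same condition here: `if (($feature->user != $user) && ($user != "admin")) { error_unauthorized (); }`. Both checks use loose `!=`, so a feature row whose user column is NULL compares equal to an empty $user; a strict `!==` after confirming $user is non-empty is safer. The rest of the delete branch continues past the end of the hunk.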
@@ -269,18 +335,63 @@ function main ($con) { } catch (Exception $e) {} success_delete_feature ($feature); + case "changepass": + $currpass = unquote ($_POST ["pass_current"]); + if (!$con->checkpwdmd5 ($user, md5 ($currpass))) { + error_wrongpass (); + } + $newpass = unquote ($_POST ["pass_new"]); + try { + $con->setpwd ($user, $newpass); + } catch (Exception $e) { + if ($e->getMessage () == anydbConnection::err_query) { + error_request (); + } + error_server (); + } + setcookies ($user, $newpass); + success_changepass ($user); + break; + case "newuser": + if ($user != "admin") { + error_unauthorized (); + } + $newuser_name = unquote ($_POST ["newuser_name"]); + if (!$newuser_name) { + error_request (); + } + if ($con->user_exists ($newuser_name)) { + error_newuser_exists (); + } + $newuser_password = unquote ($_POST ["newuser_password"]); + try { + $con->setpwd ($newuser_name, $newuser_password); + } catch (Exception $e) { + if ($e->getMessage () == anydbConnection::err_query) { + error_request (); + } + error_server (); + } + success_newuser ($newuser_name); + break; default: - request_error(); + error_request(); break; } - server_error (); + error_server (); } +if (!@include_once ("./inc/settings.php")) { + error_server (); +} +require_once ("./inc/db/" . (defined ("DBTYPE")? DBTYPE: "mysql") . ".php"); +require_once ("./inc/utils.php"); + try { $connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX); } catch (Exception $e) { - server_error (); + error_server (); } main ($connection);
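Review bot: In the newuser branch the password is never validated: `$newuser_password` goes straight to setpwd (), so a missing or empty pass creates an account that presumably authenticates with an empty password; add `if (!$newuser_password) { error_request (); }` after the unquote, and the changepass branch needs the same check on `$newpass` before setpwd. The new `case "changepass":` label is not reached from the delete branch only because success_delete_feature () exits inside exit_document (); an explicit `break;` after that call would make the delete branch not depend on that. The `user_exists ()` then `setpwd ()` sequence is also a small race between two concurrent newuser requests, acceptable only if setpwd's insert is unique-keyed on the name, which is not visible here.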