X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=2dbfac4857a88e258513b114b3dcdb262ad770a3;hp=af8af1a836a65baef44b819cae3953422d1bb88a;hb=19730f2e2bbf61f389882c646f58349df3bcd848;hpb=3c74920cb66b4e6c47c7e8a0eaeed40ffb7e8544 diff --git a/api.php b/api.php index af8af1a..2dbfac4 100644 --- a/api.php +++ b/api.php @@ -3,16 +3,24 @@ license. */ function exit_document ($body) { - exit ("$body"); + $charset_meta = ''; + exit ("$charset_meta$body"); } function success ($reason) { exit_document (""); } +function success_changepass ($username) { + $res = "" . + htmlspecialchars ($username) . + ""; + exit_document ($res); +} + function success_newuser ($username) { $res = "" . - htmlspecialchars ($user) . + htmlspecialchars ($username) . ""; exit_document ($res); } @@ -83,6 +91,10 @@ function error_server () { error ("server"); } +function error_wrongpass () { + error ("wrongpass"); +} + function error_unauthorized () { error ("unauthorized"); } @@ -177,16 +189,26 @@ function unique_file ($dirname, $relpath, $con) { return null; } +function setcookies ($user, $pwd) { + // cookie will be valid for 2 weeks. I've chosen that value + // arbitrarily, and it may change in the future. + $time = time () + 14 * 60 * 24 * 60; + if (version_compare (PHP_VERSION, '5.2.0', '>=')) { + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + } else { + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false); + } + +} + function check_auth ($con, $user, $pwd, $auth_only) { $authentificated = false; if (isset ($pwd)) { if ($con->checkpwdmd5 ($user, md5 ($pwd))) { - // cookie will be valid for 2 weeks. I've chosen that value - // arbitrarily, and it may change in the future. - $time = time () + 14 * 60 * 24 * 60; - setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); - setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + setcookies ($user, $pwd); $authentificated = true; if ($auth_only) { success_auth ($user); @@ -224,7 +246,7 @@ function main ($con) { if (!isset ($feature)) { error_unreferenced ($id); } - if ($feature->user != $user) { + if (($feature->user != $user) && ($user != "admin")) { error_unauthorized (); } @@ -313,6 +335,23 @@ function main ($con) { } catch (Exception $e) {} success_delete_feature ($feature); + case "changepass": + $currpass = unquote ($_POST ["pass_current"]); + if (!$con->checkpwdmd5 ($user, md5 ($currpass))) { + error_wrongpass (); + } + $newpass = unquote ($_POST ["pass_new"]); + try { + $con->setpwd ($user, $newpass); + } catch (Exception $e) { + if ($e->getMessage () == anydbConnection::err_query) { + error_request (); + } + error_server (); + } + setcookies ($user, $newpass); + success_changepass ($user); + break; case "newuser": if ($user != "admin") { error_unauthorized (); @@ -321,15 +360,17 @@ function main ($con) { if (!$newuser_name) { error_request (); } + if ($con->user_exists ($newuser_name)) { + error_newuser_exists (); + } $newuser_password = unquote ($_POST ["newuser_password"]); try { - $con->setpwd ($newuser_name, $newuser_password, false); + $con->setpwd ($newuser_name, $newuser_password); } catch (Exception $e) { if ($e->getMessage () == anydbConnection::err_query) { - error_newuser_exists (); - } else { - error_server (); + error_request (); } + error_server (); } success_newuser ($newuser_name); break; @@ -344,7 +385,7 @@ function main ($con) { if (!@include_once ("./inc/settings.php")) { error_server (); } -require_once ("./inc/db/mysql.php"); +require_once ("./inc/db/" . (defined ("DBTYPE")? DBTYPE: "mysql") . ".php"); require_once ("./inc/utils.php"); try {