X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=7ba3f08c828bff59efe7ffedc4262ef6a8fd4e3f;hp=af8af1a836a65baef44b819cae3953422d1bb88a;hb=refs%2Fheads%2Fdemo;hpb=3c74920cb66b4e6c47c7e8a0eaeed40ffb7e8544 diff --git a/api.php b/api.php index af8af1a..7ba3f08 100644 --- a/api.php +++ b/api.php @@ -3,16 +3,24 @@ license. */ function exit_document ($body) { - exit ("$body"); + $charset_meta = ''; + exit ("$charset_meta$body"); } function success ($reason) { exit_document (""); } +function success_changepass ($username) { + $res = "" . + htmlspecialchars ($username) . + ""; + exit_document ($res); +} + function success_newuser ($username) { $res = "" . - htmlspecialchars ($user) . + htmlspecialchars ($username) . ""; exit_document ($res); } @@ -83,6 +91,10 @@ function error_server () { error ("server"); } +function error_wrongpass () { + error ("wrongpass"); +} + function error_unauthorized () { error ("unauthorized"); } @@ -177,16 +189,26 @@ function unique_file ($dirname, $relpath, $con) { return null; } +function setcookies ($user, $pwd) { + // cookie will be valid for 2 weeks. I've chosen that value + // arbitrarily, and it may change in the future. + $time = time () + 14 * 60 * 24 * 60; + if (version_compare (PHP_VERSION, '5.2.0', '>=')) { + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + } else { + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false); + } + +} + function check_auth ($con, $user, $pwd, $auth_only) { $authentificated = false; if (isset ($pwd)) { if ($con->checkpwdmd5 ($user, md5 ($pwd))) { - // cookie will be valid for 2 weeks. I've chosen that value - // arbitrarily, and it may change in the future. - $time = time () + 14 * 60 * 24 * 60; - setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); - setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + setcookies ($user, $pwd); $authentificated = true; if ($auth_only) { success_auth ($user); @@ -224,7 +246,7 @@ function main ($con) { if (!isset ($feature)) { error_unreferenced ($id); } - if ($feature->user != $user) { + if (($feature->user != $user) && ($user != "admin")) { error_unauthorized (); } @@ -233,6 +255,7 @@ function main ($con) { if ($_POST ["keep_img"] == "yes") { $imgpath = $feature->imgpath; } else { + error_request (); $imgpath = save_uploaded_file ($_FILES ["image_file"], $con); } @@ -273,6 +296,7 @@ function main ($con) { success_feature ($new_feature, "update"); break; case "add": + error_request (); $imgpath = save_uploaded_file ($_FILES ["image_file"], $con); $lon = $_POST ["lon"]; @@ -292,6 +316,7 @@ function main ($con) { success_feature ($feature, "add"); break; case "del": + error_request (); $id = $_POST ["fid"]; $feature = $con->getfeature ($id); if (!isset ($feature)) { @@ -313,7 +338,26 @@ function main ($con) { } catch (Exception $e) {} success_delete_feature ($feature); + case "changepass": + error_request (); + $currpass = unquote ($_POST ["pass_current"]); + if (!$con->checkpwdmd5 ($user, md5 ($currpass))) { + error_wrongpass (); + } + $newpass = unquote ($_POST ["pass_new"]); + try { + $con->setpwd ($user, $newpass); + } catch (Exception $e) { + if ($e->getMessage () == anydbConnection::err_query) { + error_request (); + } + error_server (); + } + setcookies ($user, $newpass); + success_changepass ($user); + break; case "newuser": + error_request (); if ($user != "admin") { error_unauthorized (); } @@ -321,15 +365,17 @@ function main ($con) { if (!$newuser_name) { error_request (); } + if ($con->user_exists ($newuser_name)) { + error_newuser_exists (); + } $newuser_password = unquote ($_POST ["newuser_password"]); try { - $con->setpwd ($newuser_name, $newuser_password, false); + $con->setpwd ($newuser_name, $newuser_password); } catch (Exception $e) { if ($e->getMessage () == anydbConnection::err_query) { - error_newuser_exists (); - } else { - error_server (); + error_request (); } + error_server (); } success_newuser ($newuser_name); break; @@ -344,7 +390,7 @@ function main ($con) { if (!@include_once ("./inc/settings.php")) { error_server (); } -require_once ("./inc/db/mysql.php"); +require_once ("./inc/db/" . (defined ("DBTYPE")? DBTYPE: "mysql") . ".php"); require_once ("./inc/utils.php"); try {