X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=a9df091477a85e509b4b71e9ed1c7ba3001d15dc;hp=18c7179cd1b9306a1ab34acb4bc6c2ed43b5f4f6;hb=3b38ca36fc18d34999073625a9c66dc2f05747a3;hpb=9acc365249b5e630da6b5cdd23e3a8015f39ddc7 diff --git a/api.php b/api.php index 18c7179..a9df091 100644 --- a/api.php +++ b/api.php @@ -10,8 +10,11 @@ function exit_document ($body) { exit ("$body"); } -function success_auth () { - success ("auth"); +function success_auth ($user) { + $res = "" . + htmlspecialchars ($user) . + ""; + exit_document ($res); } function success_feature ($feature, $request) { @@ -100,17 +103,9 @@ function save_uploaded_file ($file, $con) { } $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest); - try { - $thumbnail_ok = create_thumbnail ($dest, $mini_dest); - } catch (Exception $e) { - $thumbnail_ok = false; - } - if (!$thumbnail_ok) { - if (!copy ($dest, $mini_dest)) { - server_error (); - } + if (!create_thumbnail_or_copy ($dest, $mini_dest)) { + server_error (); } - } return basename_safe ($dest); } @@ -175,28 +170,45 @@ function unique_file ($dirname, $relpath, $con) { return null; } -function main ($con) { - if (!isset ($_POST ["request"])) { - request_error (); - } - if ($_POST ["request"] == "auth") { - $pwd = unquote ($_POST["password"]); - $user = "admin"; +function check_auth ($con, $user, $pwd, $auth_only) { + $authentificated = false; + + if (isset ($pwd)) { if ($con->checkpwdmd5 ($user, md5 ($pwd))) { // cookie will be valid for 2 weeks. I've chosen that value // arbitrarily, and it may change in the future. $time = time () + 14 * 60 * 24 * 60; - $cookie_name = sprintf ("%sauth", DBPREFIX); - setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true); - success_auth (); + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); + $authentificated = true; + if ($auth_only) { + success_auth ($user); + } } else { unauthorized_error (); } } - if (!($con->checkpwdmd5 ("admin", - $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { + + if (!$authentificated && !($con->checkpwdmd5 ( + $_COOKIE [sprintf ("%suser", DBPREFIX)], + $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { unauthorized_error (); } +} + +function main ($con) { + if (!isset ($_POST ["request"])) { + request_error (); + } + + $pwd = unquote ($_POST ["password"]); + $user = unquote ($_POST ["user"]); + // does user only want authentication or does he want to do other things + $auth_only = ($_POST ["request"] == "auth"); + check_auth ($con, $user, $pwd, $auth_only); + if (!$user) { + $user = $_COOKIE [sprintf ("%suser", DBPREFIX)]; + } switch ($_POST ["request"]) { case "update": @@ -205,6 +217,9 @@ function main ($con) { if (!isset ($feature)) { unreferenced_error ($id); } + if ($feature->user != $user) { + unauthorized_error (); + } // no file uploaded, but editor currently has an image: it means // image was not changed @@ -220,7 +235,7 @@ function main ($con) { $description = unquote ($_POST ["description"]); try { - $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0); + $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { request_error (); } @@ -258,7 +273,7 @@ function main ($con) { $title = unquote ($_POST ["title"]); $description = unquote ($_POST ["description"]); try { - $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0); + $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { request_error (); } @@ -275,6 +290,9 @@ function main ($con) { if (!isset ($feature)) { unreferenced_error ($id); } + if ($feature->user != $user) { + unauthorized_error (); + } $imgpath = $feature->imgpath; try {