X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=a9df091477a85e509b4b71e9ed1c7ba3001d15dc;hp=2054350084a29108e54982d3de468354805b33da;hb=3b38ca36fc18d34999073625a9c66dc2f05747a3;hpb=3181694edcb311144c22078ab6d59112bcde612a diff --git a/api.php b/api.php index 2054350..a9df091 100644 --- a/api.php +++ b/api.php @@ -10,8 +10,11 @@ function exit_document ($body) { exit ("$body"); } -function success_auth () { - success ("auth"); +function success_auth ($user) { + $res = "" . + htmlspecialchars ($user) . + ""; + exit_document ($res); } function success_feature ($feature, $request) { @@ -167,27 +170,28 @@ function unique_file ($dirname, $relpath, $con) { return null; } -function check_auth ($con, $pwd, $cookie_name, $auth_only) { +function check_auth ($con, $user, $pwd, $auth_only) { $authentificated = false; - $user = "admin"; - if ($pwd) { + if (isset ($pwd)) { if ($con->checkpwdmd5 ($user, md5 ($pwd))) { // cookie will be valid for 2 weeks. I've chosen that value // arbitrarily, and it may change in the future. $time = time () + 14 * 60 * 24 * 60; - setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true); + setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true); $authentificated = true; if ($auth_only) { - success_auth (); + success_auth ($user); } } else { unauthorized_error (); } } - if (!$authentificated && !($con->checkpwdmd5 ($user, - $_COOKIE [$cookie_name]))) { + if (!$authentificated && !($con->checkpwdmd5 ( + $_COOKIE [sprintf ("%suser", DBPREFIX)], + $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) { unauthorized_error (); } } @@ -197,11 +201,14 @@ function main ($con) { request_error (); } - $pwd = unquote ($_POST["password"]); - $cookie_name = sprintf ("%sauth", DBPREFIX); + $pwd = unquote ($_POST ["password"]); + $user = unquote ($_POST ["user"]); // does user only want authentication or does he want to do other things $auth_only = ($_POST ["request"] == "auth"); - check_auth ($con, $pwd, $cookie_name, $auth_only); + check_auth ($con, $user, $pwd, $auth_only); + if (!$user) { + $user = $_COOKIE [sprintf ("%suser", DBPREFIX)]; + } switch ($_POST ["request"]) { case "update": @@ -210,6 +217,9 @@ function main ($con) { if (!isset ($feature)) { unreferenced_error ($id); } + if ($feature->user != $user) { + unauthorized_error (); + } // no file uploaded, but editor currently has an image: it means // image was not changed @@ -225,7 +235,7 @@ function main ($con) { $description = unquote ($_POST ["description"]); try { - $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0); + $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { request_error (); } @@ -263,7 +273,7 @@ function main ($con) { $title = unquote ($_POST ["title"]); $description = unquote ($_POST ["description"]); try { - $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0); + $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user); } catch (Exception $e) { request_error (); } @@ -280,6 +290,9 @@ function main ($con) { if (!isset ($feature)) { unreferenced_error ($id); } + if ($feature->user != $user) { + unauthorized_error (); + } $imgpath = $feature->imgpath; try {