X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=a9df091477a85e509b4b71e9ed1c7ba3001d15dc;hp=6ed26c9712435eec3dad280935df78b5c4023c65;hb=3b38ca36fc18d34999073625a9c66dc2f05747a3;hpb=e4a4e5149d55cf01a86f26392c52fdca803654ce
diff --git a/api.php b/api.php
index 6ed26c9..a9df091 100644
--- a/api.php
+++ b/api.php
@@ -10,8 +10,11 @@ function exit_document ($body) {
 exit ("$body");
 }
-function success_auth () {
- success ("auth");
+function success_auth ($user) {
+ $res = "" .
+ htmlspecialchars ($user) .
+ "";
+ exit_document ($res);
 }
 function success_feature ($feature, $request) {
@@ -20,7 +23,7 @@ function success_feature ($feature, $request) {
 $res .= "" . ($feature->imgpath ?
- full_url_from_imgpath ($feature->imgpath)
+ image_url_from_imgpath ($feature->imgpath)
 : "") . "";
@@ -98,8 +101,13 @@ function save_uploaded_file ($file, $con) {
 (!move_uploaded_file ($file ["tmp_name"], $dest))) {
 server_error ();
 }
+ $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
+
+ if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
+ server_error ();
+ }
 }
- return basename($dest);
+ return basename_safe ($dest);
 }
 function img_check_upload ($file) {
@@ -116,15 +124,21 @@ function img_check_upload ($file) {
 }
 function delete_image_if_unused ($imgpath, $con) {
+ if (!isset ($imgpath) || (strlen ($imgpath) == 0)) {
+ return;
+ }
 if ($con->imgpath_exists ($imgpath)) {
- return false;
+ return;
 }
+
 $path = UPLOADDIR . "/" . $imgpath;
- if (file_exists($path)) {
+ if (file_exists ($path)) {
 unlink ($path);
- return true;
- } else {
- return false;
+ }
+
+ $thumb_path = getthumbsdir () . "/mini_" . $imgpath;
+ if (file_exists ($thumb_path)) {
+ unlink ($thumb_path);
 }
 }
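Review bot: In save_uploaded_file, when create_thumbnail_or_copy fails the upload has already been moved to `$dest` and server_error () is reached without removing it, so every failed thumbnail leaves an orphaned file in UPLOADDIR that no feature references and delete_image_if_unused will never be asked about. Remove it before reporting: `if (!create_thumbnail_or_copy ($dest, $mini_dest)) { unlink ($dest); server_error (); }`. The function starts outside this hunk, so whether `$dest` is always set on this path cannot be confirmed from here.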
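Review bot: delete_image_if_unused concatenates `$imgpath` onto UPLOADDIR and getthumbsdir () and unlinks the results, and the new `$thumb_path` branch adds a second such path; the same commit routes upload names through basename_safe in save_uploaded_file but applies no such check here, so an `$imgpath` containing `../` would delete files outside both directories. Where the value originates is not visible in this diff (the update path appears to reuse the editor's current image name), so guard at the point of use: add `if (basename_safe ($imgpath) !== $imgpath) { return; }` beside the existing empty-string check, assuming basename_safe reduces a path to its final component as its use on `$dest` suggests. The `strlen ($imgpath) == 0` test could also be written `$imgpath === ""` to avoid the loose comparison, though it is harmless as written.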
@@ -145,7 +159,7 @@ function unique_file ($dirname, $relpath, $con) {
 while ($counter < 1000) {
 if (!file_exists ($filename) &&
- !($con->imgpath_exists (basename ($filename)))) {
+ !($con->imgpath_exists (basename_safe ($filename)))) {
 return $filename;
 } else {
 $counter++;
@@ -156,28 +170,45 @@ function unique_file ($dirname, $relpath, $con) {
 return null;
 }
-function main ($con) {
- if (!isset ($_POST ["request"])) {
- request_error ();
- }
- if ($_POST ["request"] == "auth") {
- $pwd = unquote ($_POST["password"]);
- $user = "admin";
+function check_auth ($con, $user, $pwd, $auth_only) {
+ $authentificated = false;
+
+ if (isset ($pwd)) {
 if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
 // cookie will be valid for 2 weeks. I've chosen that value
 // arbitrarily, and it may change in the future.
 $time = time () + 14 * 60 * 24 * 60;
- $cookie_name = sprintf ("%sauth", DBPREFIX);
- setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
- success_auth ();
+ setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true);
+ setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true);
+ $authentificated = true;
+ if ($auth_only) {
+ success_auth ($user);
+ }
 } else {
 unauthorized_error ();
 }
 }
- if (!($con->checkpwdmd5 ("admin",
- $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
+
+ if (!$authentificated && !($con->checkpwdmd5 (
+ $_COOKIE [sprintf ("%suser", DBPREFIX)],
+ $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
 unauthorized_error ();
 }
+}
+
+function main ($con) {
+ if (!isset ($_POST ["request"])) {
+ request_error ();
+ }
+
+ $pwd = unquote ($_POST ["password"]);
+ $user = unquote ($_POST ["user"]);
+ // does user only want authentication or does he want to do other things
+ $auth_only = ($_POST ["request"] == "auth");
+ check_auth ($con, $user, $pwd, $auth_only);
+ if (!$user) {
+ $user = $_COOKIE [sprintf ("%suser", DBPREFIX)];
+ }
 switch ($_POST ["request"]) {
 case "update":
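Review bot: A request that carries `user` but no `password` is authenticated in check_auth purely from the two cookies, which never consult `$user`, yet main keeps the POSTed value because `if (!$user)` only replaces an empty one; since the ownership checks and the stored owner of new features use `$user`, a logged-in user can act as any other account by posting `user=<victim>` without a password. check_auth should hand back the identity it actually verified and main should use that instead of the request field, as sketched below; the cookie lookups also lack `isset`, so a missing cookie reaches checkpwdmd5 as null with a notice. Separately, the auth cookie is still an unsalted md5 of the password, sent with the secure flag false and valid for two weeks, so anyone who captures it can replay it — a random server-side session token would be the better credential, though that predates this commit. main continues past the end of the hunk.
```php
function check_auth ($con, $user, $pwd, $auth_only) {
    $authentificated = false;
    // … unchanged: password branch (sets both cookies, success_auth () when $auth_only) …

    if (!$authentificated) {
        $user_cookie = sprintf ("%suser", DBPREFIX);
        $auth_cookie = sprintf ("%sauth", DBPREFIX);
        if (!isset ($_COOKIE [$user_cookie]) || !isset ($_COOKIE [$auth_cookie]) ||
            !($con->checkpwdmd5 ($_COOKIE [$user_cookie], $_COOKIE [$auth_cookie]))) {
            unauthorized_error ();
        }
        // the verified identity is the cookie's, not whatever $_POST ["user"] said
        $user = $_COOKIE [$user_cookie];
    }
    return $user;
}

// in main (): take the identity check_auth verified and drop the `if (!$user)` fallback
    $user = check_auth ($con, $user, $pwd, $auth_only);
    // … unchanged: switch ($_POST ["request"]) …
```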
@@ -186,6 +217,9 @@ function main ($con) {
 if (!isset ($feature)) {
 unreferenced_error ($id);
 }
+ if ($feature->user != $user) {
+ unauthorized_error ();
+ }
 // no file uploaded, but editor currently has an image: it means
 // image was not changed
@@ -201,7 +235,7 @@ function main ($con) {
 $description = unquote ($_POST ["description"]);
 try {
- $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0);
+ $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
 } catch (Exception $e) {
 request_error ();
 }
@@ -239,7 +273,7 @@ function main ($con) {
 $title = unquote ($_POST ["title"]);
 $description = unquote ($_POST ["description"]);
 try {
- $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0);
+ $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
 } catch (Exception $e) {
 request_error ();
 }
@@ -256,6 +290,9 @@ function main ($con) {
 if (!isset ($feature)) {
 unreferenced_error ($id);
 }
+ if ($feature->user != $user) {
+ unauthorized_error ();
+ }
 $imgpath = $feature->imgpath;
 try {
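Review bot: Both new ownership checks use loose `!=` between `$feature->user`, which comes from storage, and `$user`, which comes from the request or a cookie; a strict `if ($feature->user !== $user)` rules out PHP's string/number juggling for numeric-looking names and makes the comparison explicit. The identical three lines now sit in the update and delete branches, so a helper such as `require_owner ($feature, $user)` that calls unauthorized_error () would keep the rule in one place; the add branch that only records `$user` needs no check. If features stored before this change have no user recorded they become uneditable by everyone, which is worth confirming against the schema. main starts and ends outside these hunks.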