X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=blobdiff_plain;f=api.php;h=af8af1a836a65baef44b819cae3953422d1bb88a;hp=50e8bfe3cfa2cc5cc1fad902cc24cde9757d03e8;hb=3c74920cb66b4e6c47c7e8a0eaeed40ffb7e8544;hpb=4acc8da49e3d4083fd9906388dd8fe0212bb9f42

diff --git a/api.php b/api.php
index 50e8bfe..af8af1a 100644
--- a/api.php
+++ b/api.php
@@ -2,16 +2,26 @@
 /* Copyright (c) 2009 Arnaud Renevier, Inc, published under the modified BSD
    license. */
 
-require_once ("./inc/settings.php");
-require_once ("./inc/db/mysql.php");
-require_once ("./inc/utils.php");
-
 function exit_document ($body) {
     exit ("<html><head></head><body>$body</body></html>");
 }
 
-function success_auth () {
-    success ("auth");
+function success ($reason) {
+    exit_document ("<success request=\"$reason\"></success>");
+}
+
+function success_newuser ($username) {
+    $res = "<success request=\"newuser\"><user>" .
+            htmlspecialchars ($user) .
+            "</user></success>";
+    exit_document ($res);
+}
+
+function success_auth ($user) {
+    $res = "<success request=\"$reason\"><user>" . 
+            htmlspecialchars ($user) .
+            "</user></success>";
+    exit_document ($res);
 }
 
 function success_feature ($feature, $request) {
@@ -20,7 +30,7 @@ function success_feature ($feature, $request) {
 
     $res .= "<imgurl>" .
              ($feature->imgpath ? 
-                    full_url_from_imgpath ($feature->imgpath)
+                    image_url_from_imgpath ($feature->imgpath)
                     : "") .
              "</imgurl>";
 
@@ -47,14 +57,14 @@ function success_delete_feature ($feature) {
     exit_document ($res);
 }
 
-function success ($reason) {
-    exit_document ("<success request=\"$reason\"></success>");
-}
-
 function error ($reason) {
     exit_document ("<error reason=\"$reason\"></error>");
 }
 
+function error_newuser_exists () {
+    error ("newuser_exists");
+}
+
 function error_feature ($id, $reason) {
     $res = "<error reason=\"$reason\"><feature>";
     $res .= "<id>" .  $id .  "</id>";
@@ -62,30 +72,30 @@ function error_feature ($id, $reason) {
     exit_document ($res);
 }
 
-function nochange_error ($id) {
+function error_nochange ($id) {
     error_feature ($id, "nochange");
 }
-function unreferenced_error ($id) {
+function error_unreferenced ($id) {
     error_feature ($id, "unreferenced");
 }
 
-function server_error () {
+function error_server () {
     error ("server");
 }
 
-function unauthorized_error () {
+function error_unauthorized () {
     error ("unauthorized");
 }
 
-function request_error () {
+function error_request () {
     error ("request");
 }
 
-function file_too_big_error () {
+function error_file_too_big () {
     error ("toobig");
 }
 
-function notanimage_error () {
+function error_notanimage () {
     error ("notimage");
 }
 
@@ -96,22 +106,27 @@ function save_uploaded_file ($file, $con) {
         $dest = unique_file (UPLOADDIR, $file ["name"], $con);
         if (!isset ($dest) || 
                 (!move_uploaded_file ($file ["tmp_name"], $dest))) {
-            server_error ();
+            error_server ();
+        }
+        $mini_dest = getthumbsdir () . "/mini_" . basename_safe ($dest);
+
+        if (!create_thumbnail_or_copy ($dest, $mini_dest)) {
+            error_server ();
         }
     }
-    return basename($dest);
+    return basename_safe ($dest);
 }
 
 function img_check_upload ($file) {
     if (!is_uploaded_file ($file ["tmp_name"])) {
         if ($file ["error"] ==  UPLOAD_ERR_INI_SIZE) {
-            file_too_big_error ();
+            error_file_too_big ();
         } else {
-            server_error ();
+            error_server ();
         }
     }
     if (!getimagesize ($file ["tmp_name"])) {
-        notanimage_error ();
+        error_notanimage ();
     }
 }
 
@@ -120,14 +135,17 @@ function delete_image_if_unused ($imgpath, $con) {
         return;
     }
     if ($con->imgpath_exists ($imgpath)) {
-        return false;
+        return;
     }
+
     $path = UPLOADDIR . "/" . $imgpath;
-    if (file_exists($path)) {
+    if (file_exists ($path)) {
         unlink ($path);
-        return true;
-    } else {
-        return false;
+    }
+
+    $thumb_path = getthumbsdir () . "/mini_" . $imgpath;
+    if (file_exists ($thumb_path)) {
+        unlink ($thumb_path);
     }
 }
 
@@ -148,7 +166,7 @@ function unique_file ($dirname, $relpath, $con) {
 
    while ($counter < 1000) {
        if (!file_exists ($filename) && 
-           !($con->imgpath_exists (basename ($filename)))) {
+           !($con->imgpath_exists (basename_safe ($filename)))) {
            return $filename;
        } else {
             $counter++;
@@ -159,27 +177,44 @@ function unique_file ($dirname, $relpath, $con) {
    return null;
 }
 
-function main ($con) {
-    if (!isset ($_POST ["request"])) {
-        request_error ();
-    }
-    if ($_POST ["request"] == "auth") {
-        $pwd = unquote ($_POST["password"]);
-        $user = "admin";
+function check_auth ($con, $user, $pwd, $auth_only) {
+    $authentificated = false;
+
+    if (isset ($pwd)) {
         if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
             // cookie will be valid for 2 weeks. I've chosen that value
             // arbitrarily, and it may change in the future.
             $time = time () + 14 * 60 * 24 * 60;
-            $cookie_name = sprintf ("%sauth", DBPREFIX);
-            setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
-            success_auth ();
+            setcookie (sprintf ("%sauth", DBPREFIX), md5 ($pwd), $time, "" , "", false, true);
+            setcookie (sprintf ("%suser", DBPREFIX), $user, $time, "" , "", false, true);
+            $authentificated = true;
+            if ($auth_only) {
+                success_auth ($user);
+            }
         } else {
-            unauthorized_error ();
+            error_unauthorized ();
         }
     }
-    if (!($con->checkpwdmd5 ("admin",
-                             $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
-        unauthorized_error ();
+
+    if (!$authentificated && !($con->checkpwdmd5 (
+                             $_COOKIE [sprintf ("%suser",  DBPREFIX)],
+                             $_COOKIE [sprintf ("%sauth",  DBPREFIX)]))) {
+        error_unauthorized ();
+    }
+}
+
+function main ($con) {
+    if (!isset ($_POST ["request"])) {
+        error_request ();
+    }
+
+    $pwd = unquote ($_POST ["password"]);
+    $user = unquote ($_POST ["user"]);
+    // does user only want authentication or does he want to do other things
+    $auth_only = ($_POST ["request"] == "auth");
+    check_auth ($con, $user, $pwd, $auth_only);
+    if (!$user) {
+        $user = $_COOKIE [sprintf ("%suser",  DBPREFIX)];
     }
 
     switch ($_POST ["request"]) {
@@ -187,7 +222,10 @@ function main ($con) {
             $id = $_POST ["fid"];
             $feature = $con->getfeature ($id);
             if (!isset ($feature)) {
-                unreferenced_error ($id);
+                error_unreferenced ($id);
+            }
+            if ($feature->user != $user) {
+                error_unauthorized ();
             }
 
             // no file uploaded, but editor currently has an image: it means
@@ -204,9 +242,9 @@ function main ($con) {
             $description = unquote ($_POST ["description"]);
 
             try {
-                $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0);
+                $new_feature = new feature ($id, $lon, $lat, $imgpath, $title, $description, 0, $user);
             } catch (Exception $e) {
-                request_error ();
+                error_request ();
             }
 
             if (($new_feature->lon == $feature->lon) &&
@@ -214,7 +252,7 @@ function main ($con) {
                 ($new_feature->title == $feature->title) &&
                 ($new_feature->imgpath == $feature->imgpath) &&
                 ($new_feature->description == $feature->description)) {
-                nochange_error ($feature->id);
+                error_nochange ($feature->id);
             }
 
             $old_imgpath = "";
@@ -225,7 +263,7 @@ function main ($con) {
             try {
                 $con->save_feature ($new_feature);
             } catch (Exception $e) {
-                server_error ();
+                error_server ();
             }
             if ($old_imgpath) {
                 try {
@@ -242,14 +280,14 @@ function main ($con) {
             $title = unquote ($_POST ["title"]);
             $description = unquote ($_POST ["description"]);
             try {
-                $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0);
+                $feature = new feature (null, $lon, $lat, $imgpath, $title, $description, 0, $user);
             } catch (Exception $e) {
-                request_error ();
+                error_request ();
             }
             try {
                 $feature = $con->save_feature ($feature);
             } catch (Exception $e) {
-                server_error ();
+                error_server ();
             }
             success_feature ($feature, "add");
         break;
@@ -257,14 +295,17 @@ function main ($con) {
             $id = $_POST ["fid"];
             $feature = $con->getfeature ($id);
             if (!isset ($feature)) {
-                unreferenced_error ($id);
+                error_unreferenced ($id);
+            }
+            if ($feature->user != $user) {
+                error_unauthorized ();
             }
             $imgpath = $feature->imgpath;
 
             try {
                 $con->delete_feature ($feature);
             } catch (Exception $e) {
-                server_error ();
+                error_server ();
             }
 
             try {
@@ -272,18 +313,44 @@ function main ($con) {
             } catch (Exception $e) {}
 
             success_delete_feature ($feature);
+        case "newuser":
+            if ($user != "admin") {
+                error_unauthorized ();
+            }
+            $newuser_name = unquote ($_POST ["newuser_name"]);
+            if (!$newuser_name) {
+                error_request ();
+            }
+            $newuser_password = unquote ($_POST ["newuser_password"]);
+            try {
+                $con->setpwd ($newuser_name, $newuser_password, false);
+            } catch (Exception $e) {
+                if ($e->getMessage () == anydbConnection::err_query) {
+                    error_newuser_exists ();
+                } else {
+                    error_server ();
+                }
+            }
+            success_newuser ($newuser_name);
+        break;
         default:
-            request_error();
+            error_request();
         break;
     }
 
-    server_error ();
+    error_server ();
+}
+
+if (!@include_once ("./inc/settings.php")) {
+    error_server ();
 }
+require_once ("./inc/db/mysql.php");
+require_once ("./inc/utils.php");
 
 try {
     $connection->connect (DBHOST, DBUSER, DBPWD, DBNAME, DBPREFIX);
 } catch (Exception $e) {
-    server_error ();
+    error_server ();
 }
 
 main ($connection);