adam/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-06-30 15:02:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

ws_status is now removed from config table. It will be replaced by ws_access_control managed in config file.

Browse Source 
git-svn-id: http://piwigo.org/svn/trunk@1745 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
vdigital
2007-01-23 20:38:04 +00:00
parent e90aaffbd5
commit 9d451f6aa1
5 changed files with 300 additions and 1026 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin/ws_checker.php
+288 -343
View File
@@ -1,343 +1,288 @@
<?php
// +-----------------------------------------------------------------------+
// | PhpWebGallery - a PHP based picture gallery |
// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
// | Copyright (C) 2003-2006 PhpWebGallery Team - http://phpwebgallery.net |
// +-----------------------------------------------------------------------+
// | branch : BSF (Best So Far)
// | file : $RCSfile$
// | last update : $Date: 2006-12-15 23:16:37 +0200 (ven., 15 dec. 2006) $
// | last modifier : $Author: vdigital $
// | revision : $Revision: 1658 $
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify |
// | it under the terms of the GNU General Public License as published by |
// | the Free Software Foundation |
// | |
// | This program is distributed in the hope that it will be useful, but |
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
// | General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA. |
// +-----------------------------------------------------------------------+
// Next evolution...
// Out of parameter WS management
// The remainer objective is to check
// - Does Web Service working properly?
// - Does any access return something really?
// Give a way to check to the webmaster...
// These questions are one of module name explainations (checker).
if((!defined("PHPWG_ROOT_PATH")) or (!$conf['allow_web_services']))
{
die('Hacking attempt!');
}
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok |
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
// accepted queries
$req_type_list = official_req();
//--------------------------------------------------------- update informations
// Is status temporary changed?
if (isset($_POST['wss_submit']))
{
$ws_status = get_boolean( $_POST['ws_status'] ); // Requested status
$ws_update = $lang['ws_success_upd']; // Normal update
if ($conf['allow_web_services'] == false and $ws_status == true )
{ /* Set true is disallowed */
$ws_status = false;
$ws_update = $lang['ws_disallowed'];
}
if ( $ws_status !== true and $ws_status !== false )
{ /* Avoiding SQL injection by no change */
$ws_status = $conf['ws_status'];
}
if ($conf['ws_status'] == $ws_status)
{
$ws_update = $lang['ws_disallowed'];
}
else
{
$query = '
UPDATE '.CONFIG_TABLE.' SET
value = \''.boolean_to_string($ws_status).'\'
WHERE param = \'ws_status\'
AND value <> \''.boolean_to_string($ws_status).'\'
;';
pwg_query($query);
$conf['ws_status'] = $ws_status;
}
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_set_status'].': '.$ws_update,
)
);
}
// Next, is a new access required?
if (isset($_POST['wsa_submit']))
{
// Check $_post
$add_partner = htmlspecialchars( $_POST['add_partner'], ENT_QUOTES);
$add_access = check_target( $_POST['add_access']) ;
$add_start = ( is_numeric($_POST['add_start']) ) ? $_POST['add_start']:0;
$add_end = ( is_numeric($_POST['add_end']) ) ? $_POST['add_end']:0;
$add_request = ( ctype_alpha($_POST['add_request']) ) ?
$_POST['add_request']:'';
$add_high = ( $_POST['add_high'] == 'true' ) ? 'true':'false';
$add_normal = ( $_POST['add_normal'] == 'true' ) ? 'true':'false';
$add_limit = ( is_numeric($_POST['add_limit']) ) ? $_POST['add_limit']:1;
$add_comment = htmlspecialchars( $_POST['add_comment'], ENT_QUOTES);
if ( strlen($add_partner) < 8 )
{
}
$query = '
INSERT INTO '.WEB_SERVICES_ACCESS_TABLE.'
( `name` , `access` , `start` , `end` , `request` ,
`high` , `normal` , `limit` , `comment` )
VALUES (' . "
'$add_partner', '$add_access',
ADDDATE( NOW(), INTERVAL $add_start DAY),
ADDDATE( NOW(), INTERVAL $add_end DAY),
'$add_request', '$add_high', '$add_normal', '$add_limit', '$add_comment' );";
pwg_query($query);
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_adding_legend'].$lang['ws_success_upd'],
)
);
}
// Next, Update selected access
if (isset($_POST['wsu_submit']))
{
$upd_end = ( is_numeric($_POST['upd_end']) ) ? $_POST['upd_end']:0;
$settxt = ' end = ADDDATE(NOW(), INTERVAL '. $upd_end .' DAY)';
if ((isset($_POST['selection'])) and (trim($settxt) != ''))
{
$uid = (int) $_POST['selection'];
$query = '
UPDATE '.WEB_SERVICES_ACCESS_TABLE.'
SET '.$settxt.'
WHERE id = '.$uid.'; ';
pwg_query($query);
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_update_legend'].$lang['ws_success_upd'],
)
);
} else {
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_update_legend'].$lang['ws_failed_upd'],
)
);
}
}
// Next, Delete selected access
if (isset($_POST['wsX_submit']))
{
if ((isset($_POST['delete_confirmation']))
and (isset($_POST['selection'])))
{
$uid = (int) $_POST['selection'];
$query = 'DELETE FROM '.WEB_SERVICES_ACCESS_TABLE.'
WHERE id = '.$uid.'; ';
pwg_query($query);
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_delete_legend'].$lang['ws_success_upd'],
)
);
} else {
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['Not selected / Not confirmed']
.$lang['ws_failed_upd'],
)
);
}
}
$ws_status = $conf['ws_status'];
$template->assign_vars(
array(
'L_CURRENT_STATUS' => ( $ws_status == true ) ?
$lang['ws_enable']:$lang['ws_disable'],
'STATUS_YES' => ( $ws_status == true ) ? '':'checked',
'STATUS_NO' => ( $ws_status == true ) ? 'checked':'',
'DEFLT_HIGH_YES' => '',
'DEFLT_HIGH_NO' => 'checked',
'DEFLT_NORMAL_YES' => '',
'DEFLT_NORMAL_NO' => 'checked',
'U_HELP' => PHPWG_ROOT_PATH.'popuphelp.php?page=web_service',
)
);
// Build where
$where = '';
$order = ' ORDER BY `id` DESC' ;
$query = '
SELECT *
FROM '.WEB_SERVICES_ACCESS_TABLE.'
WHERE 1=1 '
.$where.
' '
.$order.
';';
$result = pwg_query($query);
$acc_list = mysql_num_rows($result);
$result = pwg_query($query);
// +-----------------------------------------------------------------------+
// | template init |
// +-----------------------------------------------------------------------+
$template->set_filenames(
array(
'ws_checker' => 'admin/ws_checker.tpl'
)
);
$checked = 'checked="checked"';
$selected = 'selected="selected"';
$num=0;
if ( $acc_list > 0 )
{
$template->assign_block_vars(
'acc_list', array() );
}
// Access List
while ($row = mysql_fetch_array($result))
{
$num++;
$template->assign_block_vars(
'acc_list.access',
array(
'CLASS' => ($num % 2 == 1) ? 'row1' : 'row2',
'ID' => $row['id'],
'NAME' =>
(is_adviser()) ? '*********' : $row['name'],
'ACCESS' => $row['access'],
'START' => $row['start'],
'END' => $row['end'],
'FORCE' => $row['request'],
'HIGH' => $row['high'],
'NORMAL' => $row['normal'],
'LIMIT' => $row['limit'],
'COMMENT' => $row['comment'],
'SELECTED' => '',
)
);
}
$template->assign_block_vars(
'add_request',
array(
'VALUE'=> '',
'CONTENT' => '',
'SELECTED' => $selected,
)
);
foreach ($req_type_list as $value) {
$template->assign_block_vars(
'add_request',
array(
'VALUE'=> $value,
'CONTENT' => $lang['ws_'.$value],
'SELECTED' => '',
)
);
}
$columns = array (
'ID' => 'id',
'ws_KeyName' => 'name',
'ws_Access' => 'ws_access',
'ws_Start' => 'ws_start',
'ws_End' => 'ws_end',
'ws_Request' => 'ws_request',
'ws_High' => 'ws_high',
'ws_Normal' => 'ws_normal',
'ws_Limit' => 'ws_limit',
'ws_Comment' => 'ws_comment',
);
foreach ($conf['ws_allowed_limit'] as $value) {
$template->assign_block_vars(
'add_limit',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_allowed_limit'][0] == $value) ? $selected:'',
)
);
}
// Postponed Start Date
// By default 0, 1, 2, 3, 5, 7, 14 or 30 days
foreach ($conf['ws_postponed_start'] as $value) {
$template->assign_block_vars(
'add_start',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_postponed_start'][0] == $value) ? $selected:'',
)
);
}
// Durations (Allowed Web Services Period)
// By default 10, 5, 2, 1 year(s) or 6, 3, 1 month(s) or 15, 10, 7, 5, 1, 0 day(s)
foreach ($conf['ws_durations'] as $value) {
$template->assign_block_vars(
'add_end',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_durations'][3] == $value) ? $selected:'',
)
);
if ( $acc_list > 0 )
{
$template->assign_block_vars(
'acc_list.upd_end',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_durations'][3] == $value) ? $selected:'',
)
);
}
}
//----------------------------------------------------------- sending html code
$template->assign_var_from_handle('ADMIN_CONTENT', 'ws_checker');
?>
<?php
// +-----------------------------------------------------------------------+
// | PhpWebGallery - a PHP based picture gallery |
// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
// | Copyright (C) 2003-2006 PhpWebGallery Team - http://phpwebgallery.net |
// +-----------------------------------------------------------------------+
// | branch : BSF (Best So Far)
// | file : $RCSfile$
// | last update : $Date$
// | last modifier : $Author$
// | revision : $Revision$
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify |
// | it under the terms of the GNU General Public License as published by |
// | the Free Software Foundation |
// | |
// | This program is distributed in the hope that it will be useful, but |
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
// | General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA. |
// +-----------------------------------------------------------------------+
// Next evolution...
// Out of parameter WS management
// The remainer objective is to check
// - Does Web Service working properly?
// - Does any access return something really?
// Give a way to check to the webmaster...
// These questions are one of module name explainations (checker).
if((!defined("PHPWG_ROOT_PATH")) or (!$conf['allow_web_services']))
{
die('Hacking attempt!');
}
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok |
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
// accepted queries
$req_type_list = official_req();
//--------------------------------------------------------- update informations
// Is a new access required?
if (isset($_POST['wsa_submit']))
{
// Check $_post (Some values are commented - maybe a future use)
$add_partner = htmlspecialchars( $_POST['add_partner'], ENT_QUOTES);
$add_access = check_target( $_POST['add_access']) ;
$add_start = 0; // ( is_numeric($_POST['add_start']) ) ? $_POST['add_start']:0;
$add_end = ( is_numeric($_POST['add_end']) ) ? $_POST['add_end']:0;
$add_request = ( ctype_alpha($_POST['add_request']) ) ?
$_POST['add_request']:'';
$add_high = 'true'; // ( $_POST['add_high'] == 'true' ) ? 'true':'false';
$add_normal = 'true'; // ( $_POST['add_normal'] == 'true' ) ? 'true':'false';
$add_limit = ( is_numeric($_POST['add_limit']) ) ? $_POST['add_limit']:1;
$add_comment = htmlspecialchars( $_POST['add_comment'], ENT_QUOTES);
if ( strlen($add_partner) < 8 )
{
}
$query = '
INSERT INTO '.WEB_SERVICES_ACCESS_TABLE.'
( `name` , `access` , `start` , `end` , `request` ,
`high` , `normal` , `limit` , `comment` )
VALUES (' . "
'$add_partner', '$add_access',
ADDDATE( NOW(), INTERVAL $add_start DAY),
ADDDATE( NOW(), INTERVAL $add_end DAY),
'$add_request', '$add_high', '$add_normal', '$add_limit', '$add_comment' );";
pwg_query($query);
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_adding_legend'].$lang['ws_success_upd'],
)
);
}
// Next, Update selected access
if (isset($_POST['wsu_submit']))
{
$upd_end = ( is_numeric($_POST['upd_end']) ) ? $_POST['upd_end']:0;
$settxt = ' end = ADDDATE(NOW(), INTERVAL '. $upd_end .' DAY)';
if ((isset($_POST['selection'])) and (trim($settxt) != ''))
{
$uid = (int) $_POST['selection'];
$query = '
UPDATE '.WEB_SERVICES_ACCESS_TABLE.'
SET '.$settxt.'
WHERE id = '.$uid.'; ';
pwg_query($query);
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_update_legend'].$lang['ws_success_upd'],
)
);
} else {
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_update_legend'].$lang['ws_failed_upd'],
)
);
}
}
// Next, Delete selected access
if (isset($_POST['wsX_submit']))
{
if ((isset($_POST['delete_confirmation']))
and (isset($_POST['selection'])))
{
$uid = (int) $_POST['selection'];
$query = 'DELETE FROM '.WEB_SERVICES_ACCESS_TABLE.'
WHERE id = '.$uid.'; ';
pwg_query($query);
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['ws_delete_legend'].$lang['ws_success_upd'],
)
);
} else {
$template->assign_block_vars(
'update_result',
array(
'UPD_ELEMENT'=> $lang['Not selected / Not confirmed']
.$lang['ws_failed_upd'],
)
);
}
}
$template->assign_vars(
array(
'DEFLT_HIGH_YES' => '',
'DEFLT_HIGH_NO' => 'checked',
'DEFLT_NORMAL_YES' => '',
'DEFLT_NORMAL_NO' => 'checked',
'U_HELP' => PHPWG_ROOT_PATH.'popuphelp.php?page=web_service',
)
);
// Build where
$where = '';
$order = ' ORDER BY `id` DESC' ;
$query = '
SELECT *
FROM '.WEB_SERVICES_ACCESS_TABLE.'
WHERE 1=1 '
.$where.
' '
.$order.
';';
$result = pwg_query($query);
$acc_list = mysql_num_rows($result);
$result = pwg_query($query);
// +-----------------------------------------------------------------------+
// | template init |
// +-----------------------------------------------------------------------+
$template->set_filenames(
array(
'ws_checker' => 'admin/ws_checker.tpl'
)
);
$selected = 'selected="selected"';
$num=0;
if ( $acc_list > 0 )
{
$template->assign_block_vars(
'acc_list', array() );
}
// Access List
while ($row = mysql_fetch_array($result))
{
$num++;
$template->assign_block_vars(
'acc_list.access',
array(
'CLASS' => ($num % 2 == 1) ? 'row1' : 'row2',
'ID' => $row['id'],
'NAME' =>
(is_adviser()) ? '*********' : $row['name'],
'ACCESS' => $row['access'],
'START' => $row['start'],
'END' => $row['end'],
'FORCE' => $row['request'],
'HIGH' => $row['high'],
'NORMAL' => $row['normal'],
'LIMIT' => $row['limit'],
'COMMENT' => $row['comment'],
'SELECTED' => '',
)
);
}
$template->assign_block_vars(
'add_request',
array(
'VALUE'=> '',
'CONTENT' => '',
'SELECTED' => $selected,
)
);
foreach ($req_type_list as $value) {
$template->assign_block_vars(
'add_request',
array(
'VALUE'=> $value,
'CONTENT' => $lang['ws_'.$value],
'SELECTED' => '',
)
);
}
foreach ($conf['ws_allowed_limit'] as $value) {
$template->assign_block_vars(
'add_limit',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_allowed_limit'][0] == $value) ? $selected:'',
)
);
}
// Postponed Start Date
// By default 0, 1, 2, 3, 5, 7, 14 or 30 days
foreach ($conf['ws_postponed_start'] as $value) {
$template->assign_block_vars(
'add_start',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_postponed_start'][0] == $value) ? $selected:'',
)
);
}
// Durations (Allowed Web Services Period)
// By default 10, 5, 2, 1 year(s) or 6, 3, 1 month(s) or 15, 10, 7, 5, 1, 0 day(s)
foreach ($conf['ws_durations'] as $value) {
$template->assign_block_vars(
'add_end',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_durations'][3] == $value) ? $selected:'',
)
);
if ( $acc_list > 0 )
{
$template->assign_block_vars(
'acc_list.upd_end',
array(
'VALUE'=> $value,
'CONTENT' => $value,
'SELECTED' => ($conf['ws_durations'][3] == $value) ? $selected:'',
)
);
}
}
//----------------------------------------------------------- sending html code
$template->assign_var_from_handle('ADMIN_CONTENT', 'ws_checker');
?>
language/en_UK.iso-8859-1/admin.lang.php
-1
View File
@@ -499,7 +499,6 @@ $lang['Elements_not_linked'] = 'Not linked elements';
$lang['web_services'] = 'Web services ';
$lang['title_wscheck'] = ' Access management ';
$lang['ws_set_status'] = ' Environment ';
$lang['ws_status'] = ' Status ';
$lang['ws_enable'] = ' Enable ';
$lang['ws_disable'] = ' Disable ';
$lang['ws set to'] = ' Environment temporary set ';
language/fr_FR.iso-8859-1/admin.lang.php
-1
View File
@@ -498,7 +498,6 @@ $lang['Elements_not_linked'] = 'El
$lang['web_services'] = 'Services Web ';
$lang['title_wscheck'] = ' Gestion des accès ';
$lang['ws_set_status'] = ' Environnement ';
$lang['ws_status'] = ' Statut ';
$lang['ws_enable'] = ' Actif ';
$lang['ws_disable'] = ' Inactif ';
$lang['ws set to'] = ' Modifier temporairement l\'environnement en ';
template/yoga/admin/ws_checker.tpl
+12 -40
View File
@@ -13,37 +13,6 @@
</ul>
<!-- END update_result -->
<!-- Set Web Services : Open/Disable -->
<form method="post" name="ws_status" action="{F_STATUS_ACTION}">
<!-- Current status -->
<fieldset>
<legend>{lang:ws_set_status} : <strong>{L_CURRENT_STATUS}</strong></legend>
<table>
<tr>
<td width="70%">
{lang:ws set to} &nbsp; &nbsp; &nbsp;
<label><input type="radio" name="ws_status" value="true"
{STATUS_YES} /> {lang:ws_enable}
</label> &nbsp; &nbsp; &nbsp;
<label><input type="radio" name="ws_status" value="false"
{STATUS_NO} /> {lang:ws_disable}
</label>
</td>
<td width="4%">
&nbsp;
</td>
<td>
<input type="submit" value="{lang:submit}"
style="width: 10em; padding-top: 3px;"
name="wss_submit" {TAG_INPUT_ENABLED} />
</td>
</tr>
</table>
</fieldset>
</form>
<!-- Add Access -->
<form method="post" name="adding_access" action="{F_STATUS_ACTION}">
<!-- Current Default -->
@@ -114,6 +83,7 @@
</tr>
<!-- Open service is postponed by n days -->
<!-- In comment currently
<tr>
<td>
<label for="add_start">{lang:Postponed availability in days}</label>
@@ -129,7 +99,7 @@
<!-- END add_start -->
</select>
</td>
</tr>
</tr> -->
<!-- Opened service only for n days -->
<tr>
@@ -150,6 +120,7 @@
</tr>
<!-- High resolution information will be returned -->
<!-- In comment currently
<tr>
<td>
<label for="add_High">{lang:ws_High}</label>
@@ -165,9 +136,10 @@
value="false" {DEFLT_HIGH_NO} /> {lang:no}
</label>
</td>
</tr>
</tr> -->
<!-- Normal size information will be returned -->
<!-- In comment currently
<tr>
<td>
<label for="add_Normal">{lang:ws_Normal}</label>
@@ -183,7 +155,7 @@
value="false" {DEFLT_NORMAL_NO} /> {lang:no}
</label>
</td>
</tr>
</tr> -->
<!-- Idendify your partner (name / website / phone) as you want -->
<tr>
@@ -228,11 +200,11 @@
<th>&nbsp;</th>
<th>{lang:ws_KeyName}</th>
<th>{lang:ws_Access}</th>
<th>{lang:ws_Start}</th>
<!-- <th>{lang:ws_Start}</th> -->
<th>{lang:ws_End}</th>
<th>{lang:ws_Request}</th>
<th>{lang:ws_High}</th>
<th>{lang:ws_Normal}</th>
<!-- <th>{lang:ws_High}</th> -->
<!-- <th>{lang:ws_Normal}</th> -->
<th>{lang:ws_Limit}</th>
<th>{lang:ws_Comment}</th>
</tr>
@@ -244,11 +216,11 @@
</td>
<td><label for="selection-{acc_list.access.ID}">{acc_list.access.NAME}</label></td>
<td>{acc_list.access.ACCESS}</td>
<td>{acc_list.access.START}</td>
<!-- <td>{acc_list.access.START}</td> -->
<td>{acc_list.access.END}</td>
<td>{acc_list.access.FORCE}</td>
<td>{acc_list.access.HIGH}</td>
<td>{acc_list.access.NORMAL}</td>
<!-- <td>{acc_list.access.HIGH}</td> -->
<!-- <td>{acc_list.access.NORMAL}</td> -->
<td>{acc_list.access.LIMIT}</td>
<td>{acc_list.access.COMMENT}</td>
</tr>
web_service.php
-641
View File
@@ -1,641 +0,0 @@
<?php
// +-----------------------------------------------------------------------+
// | PhpWebGallery - a PHP based picture gallery |
// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
// | Copyright (C) 2003-2006 PhpWebGallery Team - http://phpwebgallery.net |
// +-----------------------------------------------------------------------+
// | branch : BSF (Best So Far)
// | file : $RCSfile$
// | last update : $Date: 2006-12-15 23:16:37 +0200 (ven., 15 dec. 2006) $
// | last modifier : $Author: vdigital $
// | revision : $Revision: 1658 $
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify |
// | it under the terms of the GNU General Public License as published by |
// | the Free Software Foundation |
// | |
// | This program is distributed in the hope that it will be useful, but |
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
// | General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA. |
// +-----------------------------------------------------------------------+
define('PHPWG_ROOT_PATH','./');
include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
if ( !$conf['allow_web_services'] )
{
die('Hacking attempt!');
}
// Full call syntax sample:
//-----------------------------------------------------------------------------
// web_service.php?key=123456789012
// &pos=5&acc=cat/23,25-32&req=landscape&lim=5&tpl=myxml
// &pos=is position defined by caller to substring, see key below, (default 0)
// key=substr(md5(partner_id),&pos,12)
// &acc=cat/23,25-35 or list/1-125,136,141-162 or tag/27,45,54-55
// (the specified access list will be respected
// ONLY if access is not specified in web_services access table)
// req=any request (except if limited to a specific one in ws access table)
// lim=number (returned picture count and limited it self by ws access table)
// the tpl file must exist in ./template/"default template"/xml/
// tpl=myxml (xml/myxml.tpl will be used, by default: xml/default.tpl)
// All are facultative EXCEPT key
//
// Check call process (Keyed call)
//
if (!isset($_GET['key']))
{
die('Hacking attempt!');
}
if ( strlen($_GET['key']) < 12 )
{
die('Invalid key (Length issue)!');
}
// Is service active (Temporary it could be inactive / Online parameter)
//
$query = '
SELECT value FROM '.CONFIG_TABLE.'
WHERE param = \'ws_status\'
;';
$active = mysql_fetch_array(pwg_query($query));
if ( $active['value']=='false' )
{
die('Web service is temporary inactive');
}
// Look for partner_key
//
$key = $_GET['key'];
$key = ( strlen($key) > 20 ) ? substr($key,0,20) : $key;
$len = strlen($key);
$hash = 0;
if (isset($_GET['pos']))
{
$hash = (!is_numeric($_GET['pos'])) ? 0 : $_GET['pos'];
$hash = (int) $hash;
$hash = $hash % 12;
}
$query = '
SELECT `id`, `name`, `access`, `start`, `end`, `request`,
`high`, `normal`, `limit`, `comment`
FROM '.WEB_SERVICES_ACCESS_TABLE.'
;';
$result = pwg_query($query);
while ($row = mysql_fetch_array($result))
{
if ( substr( md5($row['name']),$hash,$len) == $key )
{
$len = 0;
$def = $row;
continue;
}
}
if ( $len > 0 )
{
die('Invalid key!');
}
// $def = Web service already defined partner access
//
// Now, the partner will get a reply in time
//
$stat_id = 'Web Service';
if (isset($_SERVER["HTTP_REFERER"]) and
!eregi($_SERVER["HTTP_HOST"],$_SERVER["HTTP_REFERER"]))
{
$stats_id = substr($_SERVER["HTTP_REFERER"],7);
$pos = strpos($stats_id,'/');
$stats_id = ( $pos>0 ) ? substr($stats_id,0,$pos) : $stats_id;
}
// Check keywords
// Key and pos are correct
// &acc=cat/23,25-32&req=landscape&lim=5&tpl=myxml
// Requested id list and authorized id list
// Both may empty
// Both can be build on differents basis cat/tag/list
// Both have to be convert in id list format
$req_access ='';
if (isset($_GET['pos']))
{
$req_access = check_target($_GET['acc']);
}
// on one hand $req_access, requested ids
$req_type = explode('/',$req_access);
$req_ids = explode( ',',$req_type[1] );
$req_list = expand_id_list( $req_ids );
if ($req_type[0]=='cat')
{
$req_list = convert_catlist($req_list);
}
if ($req_type[0]=='tag')
{
$req_list = get_image_ids_for_tags($req_list);
}
// echo $def['name'].'<br />';
// on the other hand $def['access'], authorized default ids
$def_type = explode('/',$def['access']);
$def_ids = explode( ',',$def_type[1] );
$def_list = expand_id_list( $def_ids );
if ($def_type[0]=='cat')
{
$def_list = convert_catlist($def_list);
}
if ($def_type[0]=='tag')
{
$def_list = get_image_ids_for_tags($def_list);
}
// could be no necessary, a surplus but we are obliged to
// Filter on forbidden_categories (default can have change from creation time)
$list = implode(',',$def_list);
$ret_ids = array();
$query = '
SELECT DISTINCT image_id
FROM '.IMAGE_CATEGORY_TABLE.'
WHERE
'.get_sql_condition_FandF
(
array
(
'forbidden_categories' => 'category_id',
'visible_categories' => 'category_id',
'visible_images' => 'image_id'
),
'', true
).'
AND image_id IN ('.$list.')
;';
$result = pwg_query($query);
while ($row = mysql_fetch_array($result))
{
$ret_ids[] = $row['image_id'];
}
$def_ids = $ret_ids;
// Notice: Filtering on forbidden_categories (from requested id list)
// is completely superfluous (see few lines below).
$req_ids = $req_list;
// if no requested ids then is the complete default
if (count($req_ids)==0)
{
$req_ids = $def_ids;
}
// Removing requested ids not in authorized access list
// if requested ids they must be in the complete default and only those
// will be assumed. (Including forbidden... )
$final = array();
foreach ( $req_ids as $req_id )
{
if ( in_array($req_id, $def_ids) )
{
$final[] = $req_id;
}
}
$final = array_unique ($final);
sort ($final);
// 77f1180bd215a0edf66939
// web_service.php?key=77f1180bd215&pos=3&acc=list/41,73,142,178,190,204,235-238&req=recent&lim=1&tpl=myxml
$request = (isset($_GET['req']))? $_GET['req']:$def['request'];
// if type of request is different from the authorized type then force it
if ( $def['request'] !== '' and $request !== $def['request'] )
{
$request = $def['request'];
}
// if it is not an official request then force it
// (remark that default request can no longer exist
// (later an Upgrade, or a remove) so...
$official = official_req();
if ( !in_array($request, $official ) )
{
$request = $official[0]; // default request is the first one
}
// limit belong default (remember $def['limit'] is always set)
$limit = (isset($_GET['limit']))? $_GET['limit']:$def['limit'];
$limit = (is_numeric($limit))? $limit:$def['limit'];
$limit = ( $limit < $def['limit'] ) ? $limit:$def['limit'];
// XML template
$tplfile = (isset($_GET['tpl']))? $_GET['tpl']:'default';
// FIXME additional controls are maybe needed on $tplfile
trigger_action('loc_begin_'.$request);
$template->set_filenames(array( $tplfile => 'XML/'. $tplfile .'.tpl'));
// Generate the request
include(PHPWG_ROOT_PATH. 'services/' .$request. '.php');
// +-----------------------------------------------------------------------+
// | XML/xhtml code display |
// +-----------------------------------------------------------------------+
header('Content-Type: text/xml; charset=UTF-8');
//header('Content-Type: text/html; charset='.$lang_info['charset']);
$template->parse($tplfile);
// echo '<strong>Trace temporaire<strong><br />';
// echo '$final:<br />' . var_dump($final);
//
die('');
// FIXME// FIXME// FIXME// FIXME// FIXME// FIXME// FIXME// FIXME
//------------------------------------------------------------ log informations
pwg_log($request, $stats_id, $tplfile); // or something like that
// Check requested XML template
//
// Generate query
//
// Generate XML
//
// Log it
//
// Old code below
//------------ Main security strategy ---------------------
$partner_id = 'default';
// Security considerations: HTTP_REFERER and FOPEN
// 1 - FOPEN doesn't update current HTTP_REFERER
// 2 - HTTP_REFERER may be hidden/altered for lot of reasons.
// 3 - By this process, you can log HTTP_REFERER of your partner (not yours).
// 4 - Logging HTTP_REFERER needs declarative procedures in some countries.
// 5 - Following those links can be considered as risky.
// 6 - You can turn off, referer logging by $conf['ws-refback'] = false;
// 7 - In the other hand, your partner may give his key to another web site.
// Above all, this information is just an indication.
// $conf['ws-refback'] : Default value is false.
if (isset($_SERVER["HTTP_REFERER"]) and
!eregi($_SERVER["HTTP_HOST"],$_SERVER["HTTP_REFERER"]))
{
$partner_id = substr($_SERVER["HTTP_REFERER"],7);
$pos = strpos($partner_id,'/');
$partner_id = ( $pos>0 ) ? substr($partner_id,0,$pos) : $partner_id;
}
// $partner_id = Is used to check prohibited REFER site (but not only)
// example: www.prohibited-access.be
if ( isset($conf['ws-refback']) and $conf['ws-refback'])
{
$log_id = $partner_id;
}
else
{
$log_id = ''; // Would be set in time by process end
}
// $log_id = History log information
// examples: forum.phpwebgallery.net
// phpwebgallery.net
// demo.phpwebgallery.net
//
$partner_id = strtolower($partner_id);
// Prohibited REFER: $partner_id is compared (strtolower).
//
//----------------------------- Is a prohibited refer?
if ( $partner_id !== 'default' )
{
// Is Referer a prohibited site?
// Compare requestor site to web service key table
// Found and limit = 0 => die
foreach ( $conf['ws_keys'] as $key => $vkey )
{
if ( strtolower($vkey['id']) == $partner_id and $vkey['limit'] == 0 )
{
pwg_log( 'WS Prohibited', 'Req.:'.$type, 'From: ws_keys['.$key.']' );
die($lang['access_forbiden']);
}
}
}
//----------------------------- Which access he will use?
$access = check_ws_access( $conf['ws_keys'] );
// given key arg is compared asis (Take care of upper/lower case).
parse_str($access['force'], $force);
// $force contains all forced arguments
// get requested arguments and apply limits
$force['limit'] = ( isset($access['limit']) ) ? $access['limit'] :
$conf['ws_limit'] ;
$arg = force_arg_ws_limit( $force, $conf['ws_limit'] );
// $arg contains all retain query arguments
// Warning about $arg !!! Warning !!! Warning !!! Warning !!! Warning !!!
// specially to MOD developpers :
// FOR SECURITY REASON NEVER USE extract() AGAINST $arg
// ( $arg is like $_GET )
if ( is_numeric(isset($arg['cat'])) )
{
$arg['cat']=floor($arg['cat']);
}
else
{
unset($arg['cat']);
}
// AND category_id is concatenated if requested or forced
$cat_criterion = '';
if ( isset($arg['cat']) and ($arg['cat']) > 0 )
{
$cat_criterion = ' AND ic.`category_id` ='.$arg['cat'].' ';
}
//-------------------------------------------- SQL Query statement building
// Has to be tested against a LARGE configuration
// for performance consideration
// and maybe rewrite in some cases.
// All below has to be check to respect code writing rule convention
$query='
SELECT DISTINCT (i.`id`),
i.`path` , i.`file` , i.`date_available` ,
i.`date_creation`, i.`tn_ext` , i.`name` ,
i.`filesize` , i.`storage_category_id` , i.`average_rate`,
i.`comment` , i.`author` , i.`hit` ,i.`width` ,
i.`height`
FROM `'.IMAGES_TABLE.'` AS i
INNER JOIN `'.IMAGE_CATEGORY_TABLE.'`
AS ic ON i.`id` = ic.`image_id`
INNER JOIN `'.CATEGORIES_TABLE.'`
AS c ON c.`id` = ic.`category_id`
WHERE c.`status` = \'public\'
AND i.`width` > 0
AND i.`height` > 0
AND i.`representative_ext` IS NULL
'.$cat_criterion.'
'.get_sql_condition_FandF
(
array
(
'forbidden_categories' => 'c.id',
'visible_categories' => 'c.id',
'visible_images' => 'i.id'
),
'AND'
);
// AND c.`agreed_ws` = \'true\' (Obsolete specification replaced by force)
$list = ( isset($arg['list']) ) ? $arg['list'] : '';
$type = $arg['type'];
switch($type)
{
case ($type === 'random' or $type === 'listcat'): /* Random order */
$query .= ' ORDER BY RAND() DESC ';
break;
case ($type === 'list'): /* list on MBt & z0rglub request */
$query .= ' AND i.`id` IN ('.$list.') ';
break;
case $type === 'maxviewed': /* hit > 0 and hit desc order */
$query .= ' AND i.`hit` > 0
ORDER BY i.`hit` DESC, RAND() DESC ';
break;
case $type === 'recent': /* recent = Date_available desc order */
$query .= ' ORDER BY i.`date_available` DESC, RAND() DESC ';
break;
case $type === 'highrated': /* avg_rate > 0 and desc order */
// French Joke : Cette requete s'appelle officieusement l' "ail_gratte"
$query .= ' AND i.`average_rate` > 0
ORDER BY i.`average_rate` DESC, RAND() DESC ';
break;
case $type === 'oldest': /* Date_available asc order */
$query .= ' ORDER BY i.`date_available` ASC, RAND() DESC ';
break;
case $type === 'lessviewed': /* hit asc order */
// French Joke : Cette requete s'appelle officieusement la "lessive"
$query .= ' ORDER BY i.`hit` ASC, RAND() DESC ';
break;
case $type === 'lowrated': /* avg_rate asc order */
$query .= ' AND i.`average_rate` IS NOT NULL
ORDER BY i.`average_rate` ASC, RAND() DESC ';
break;
case $type === 'undescribed': /* description missing */
// US/UK Joke : This request is unofficially named 'indiscribable' horror
$query .= ' AND i.`comment` IS NULL
ORDER BY RAND() DESC ';
break;
case $type === 'unnamed': /* new name missing */
$query .= ' AND i.`comment` IS NULL
ORDER BY RAND() DESC ';
break;
case $type === 'portraits': /* width < height (portrait oriented) */
$query .= ' AND `width` < (`height` * 0.95)
ORDER BY RAND() DESC ';
break;
case $type === 'landscapes': /* width > height (landscape oriented) */
$query .= ' AND `width` > (`height` * 1.05)
ORDER BY RAND() DESC ';
break;
case $type === 'squares': /* width ~ height (square form) */
$query .= ' AND `width` BETWEEN (`height` * 0.95)
AND (`height` * 1.05)
ORDER BY RAND() DESC ';
break;
default: /* Just say: Goodbye !!! */
die($lang['access_forbiden']);
} /* End switch */
$query .= ' LIMIT 0 , '.$arg['limit'].';';
$result = pwg_query( $query );
$attributes = array( 'width', 'height', 'author', 'date_creation',
'date_available', 'hit', 'filesize');
$xml = '<items> ';
$hr_nbr = 0; $ns_nbr = 0; $tn_nbr = 0;
if ( $log_id == '')
{
foreach ( $conf['ws_keys'] as $key => $vkey )
{
if ( $vkey['id'] == $access['id'] )
{
$log_id = 'R:#'.$key;
break;
}
}
}
while ( $row = mysql_fetch_array( $result ) )
{
$tn_nbr++;
$item = '<item ';
$path = strtolower(strtok($_SERVER['SERVER_PROTOCOL'],
'/')).'://'.$_SERVER['HTTP_HOST'].substr($_SERVER['PHP_SELF'],0,-16).
substr($row['path'],1);
if ( isset($access['pwg_n']) and $access['pwg_n'] )
{
$ns_nbr++;
$item .= ' src="'.$path.'"';
}
else
{
unset($attributes['width']);
unset($attributes['height']);
unset($attributes['filesize']);
}
foreach ( $attributes as $attribute )
{
if ( isset($row{$attribute}) )
{
$item.= ' '.$attribute.'="'.$row{$attribute}.'"';
}
}
if ( isset($row['comment']) )
{
$item .= ' description="'.$row['comment'].'"';
}
$tnsrc = get_thumbnail_src( $path, $row['tn_ext'] );
$item .= ' tnsrc="'.$tnsrc.'"';
$tnsize = @getimagesize($tnsrc);
$item .= ' tnwidth="'.$tnsize[0].'"';
$item .= ' tnheight="'.$tnsize[1].'"';
if ( isset($access['pwg_h']) and $access['pwg_h'] )
{
$high = dirname( $path ).'/pwg_high/'.$row['file'];
$hrsize = @getimagesize($high);
if ( $hrsize[0] > 0 )
{
$hr_nbr++;
$item .= ' hrsrc="'.$high.'"';
$item .= ' hrwidth="'.$hrsize[0].'"';
$item .= ' hrheight="'.$hrsize[1].'"';
}
}
$xml .= $item.' />';
//-------------------------------------- picture ----- log informations
// request_type ( R:#id_requester ), real_category_id [ request_number ], image_file_name );
pwg_log( $type.'('.$log_id.')', $row['storage_category_id'].'['.$tn_nbr.']', $row['file'] );
}
$xml .= ' </items>';
echo $xml; // Send XML
//---------------------------------------- service ----- log informations
$size = 'tn('.$tn_nbr.')'; // thumbnails
if ( $ns_nbr > 0 )
{
$size = '('.$ns_nbr.')'; // pictures
}
if ( $hr_nbr > 0 )
{
$size = 'HR('.$hr_nbr.'/'.$tn_nbr.')'; // high res.
}
//pwg_log( 'Web service', 'Req.:'.$type, 'From:'.$log_id );
/*-- Web Service function
Which access is correct for this resquest?
Compare requestor key to web service key table
If 'defined' => use that one
If not => use default access
If no 'defined' default => exit
'defined' : Obviously check period and not only defined access
Return corresponding access (= an entry from web service key table)
--*/
function check_ws_access( $ws_keys )
{
$partnr = ( isset($_GET['key']) ) ? $_GET['key'] : 'default';
foreach ( $ws_keys as $key => $access )
{
if ( $access['id'] == $partnr )
{
break;
}
}
if ( $access['id'] !== $partnr ) // Not found? =default.
{
$access = $ws_keys[0];
if ( $access['id'] !== 'default' ) // Check if it's really default
{ // definition
die($lang['access_forbiden']); // No default access
}
}
// Checking Dates...
// Take care of that: my partner can be out of dates
// but via default... Answer is NO.
// With out of date period, a partner can be seen as prohibited partner
// if you want to authorise him/her change $conf['ws_keys']
// Tests are done with server local time...
if (isset($access['end']) and date('Y-m-d H:i:s')>$access['end'])
{ //-- Access ended?
die($lang['access_forbiden']); //-- BTW prohibited
}
if (isset($access['start']) and date('Y-m-d H:i:s')<$access['start'])
{ //-- Access started?
die($lang['access_forbiden']);
}
return $access;
}
/*-- Web Sevice function
Force global arguments to ensure access restriction
( access defined in web service key table )
Considering the default limit as well and prohibited site case
Return overided request ( overided $_GET )
--*/
function force_arg_ws_limit( $use, $default )
{
if ( $use['limit'] < 1 )
{ //-- Access deny
die($lang['access_forbiden']);
}
$arg = $_GET; // what is required?
if (!isset($arg['limit']))
{
$arg['limit']=$use['limit'];
}
if (!is_numeric($arg['limit']))
{
$arg['limit']=$use['limit'];
}
// ----------- use force arg if they are some
foreach ( $use as $kuse => $vuse )
{
if ( $kuse !== 'limit' )
{
$arg[$kuse] = $vuse;
}
}
$arg['limit'] = floor(min($arg['limit'], $use['limit']));
return $arg;
}
?>