mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-06-02 04:15:05 +02:00
issue #1953 improved privacy on searches and associate each search to its creator
* remove temporary functions ws_gallery_getSearch and ws_gallery_updateSearch * split get_search_array into sub-functions to use them in web API * use search_uuid as search_id instead of the numeric search.id : better privacy * only the creator of the search can update it * if a visitors tries to open the search of another user, it (the search) gets forked into a new search
This commit is contained in:
plegall
@@ -10,6 +10,45 @@
|
||||
* @package functions\search
|
||||
*/
|
||||
|
||||
function get_search_id_pattern($candidate)
|
||||
{
|
||||
$clause_pattern = null;
|
||||
if (preg_match('/^psk-\d{8}-[a-z0-9]{10}$/i', $candidate))
|
||||
{
|
||||
$clause_pattern = 'search_uuid = \'%s\'';
|
||||
}
|
||||
elseif (preg_match('/^\d+$/', $candidate))
|
||||
{
|
||||
$clause_pattern = 'id = %u';
|
||||
}
|
||||
|
||||
return $clause_pattern;
|
||||
}
|
||||
|
||||
function get_search_info($candidate)
|
||||
{
|
||||
// $candidate might be a search.id or a search_uuid
|
||||
$clause_pattern = get_search_id_pattern($candidate);
|
||||
|
||||
if (empty($clause_pattern))
|
||||
{
|
||||
die('Invalid search identifier');
|
||||
}
|
||||
|
||||
$query = '
|
||||
SELECT *
|
||||
FROM '.SEARCH_TABLE.'
|
||||
WHERE '.sprintf($clause_pattern, $candidate).'
|
||||
;';
|
||||
$searches = query2array($query);
|
||||
|
||||
if (count($searches) > 0)
|
||||
{
|
||||
return $searches[0];
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns search rules stored into a serialized array in "search"
|
||||
@@ -20,24 +59,24 @@
|
||||
*/
|
||||
function get_search_array($search_id)
|
||||
{
|
||||
if (!is_numeric($search_id))
|
||||
{
|
||||
die('Search id must be an integer');
|
||||
}
|
||||
global $user;
|
||||
|
||||
$query = '
|
||||
SELECT rules
|
||||
FROM '.SEARCH_TABLE.'
|
||||
WHERE id = '.$search_id.'
|
||||
;';
|
||||
$rules_list = query2array($query);
|
||||
$search = get_search_info($search_id);
|
||||
|
||||
if (count($rules_list) == 0)
|
||||
if (empty($search))
|
||||
{
|
||||
bad_request('this search identifier does not exist');
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!empty($search['created_by']) and $search['created_by'] != $user['user_id'])
|
||||
{
|
||||
// we need to fork this search
|
||||
save_search_and_redirect(unserialize($search['rules']), $search['id']);
|
||||
}
|
||||
}
|
||||
|
||||
return unserialize($rules_list[0]['rules']);
|
||||
return unserialize($search['rules']);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1614,4 +1653,54 @@ function split_allwords($raw_allwords)
|
||||
return $words;
|
||||
}
|
||||
|
||||
function get_available_search_uuid()
|
||||
{
|
||||
$candidate = 'psk-'.date('Ymd').'-'.generate_key(10);
|
||||
|
||||
$query = '
|
||||
SELECT
|
||||
COUNT(*)
|
||||
FROM '.SEARCH_TABLE.'
|
||||
WHERE search_uuid = \''.$candidate.'\'
|
||||
;';
|
||||
list($counter) = pwg_db_fetch_row(pwg_query($query));
|
||||
if (0 == $counter)
|
||||
{
|
||||
return $candidate;
|
||||
}
|
||||
else
|
||||
{
|
||||
return get_available_search_uuid();
|
||||
}
|
||||
}
|
||||
|
||||
function save_search_and_redirect($rules, $forked_from=null)
|
||||
{
|
||||
global $user;
|
||||
|
||||
list($dbnow) = pwg_db_fetch_row(pwg_query('SELECT NOW()'));
|
||||
$search_uuid = get_available_search_uuid();
|
||||
|
||||
single_insert(
|
||||
SEARCH_TABLE,
|
||||
array(
|
||||
'rules' => pwg_db_real_escape_string(serialize($rules)),
|
||||
'created_on' => $dbnow,
|
||||
'created_by' => $user['user_id'],
|
||||
'search_uuid' => $search_uuid,
|
||||
'last_seen' => $dbnow,
|
||||
'forked_from' => $forked_from,
|
||||
)
|
||||
);
|
||||
|
||||
redirect(
|
||||
make_index_url(
|
||||
array(
|
||||
'section' => 'search',
|
||||
'search' => $search_uuid,
|
||||
)
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
@@ -648,10 +648,14 @@ function parse_section_url( $tokens, &$next_token)
|
||||
$page['section'] = 'search';
|
||||
$next_token++;
|
||||
|
||||
preg_match('/(\d+)/', @$tokens[$next_token], $matches);
|
||||
preg_match('/^(psk-\d{8}-[a-zA-Z0-9]{10})$/', @$tokens[$next_token], $matches);
|
||||
if (!isset($matches[1]))
|
||||
{
|
||||
bad_request('search identifier is missing');
|
||||
preg_match('/(\d+)/', @$tokens[$next_token], $matches);
|
||||
if (!isset($matches[1]))
|
||||
{
|
||||
bad_request('search identifier is missing');
|
||||
}
|
||||
}
|
||||
$page['search'] = $matches[1];
|
||||
$next_token++;
|
||||
|
||||
@@ -362,6 +362,7 @@ else
|
||||
include_once( PHPWG_ROOT_PATH .'include/functions_search.inc.php' );
|
||||
|
||||
$search_result = get_search_results($page['search'], @$page['super_order_by'] );
|
||||
|
||||
//save the details of the query search
|
||||
if ( isset($search_result['qs']) )
|
||||
{
|
||||
|
||||
@@ -699,24 +699,28 @@ SELECT *
|
||||
*/
|
||||
function ws_images_filteredSearch_update($params, $service)
|
||||
{
|
||||
// echo json_encode($params); exit();
|
||||
global $user;
|
||||
|
||||
include_once(PHPWG_ROOT_PATH.'include/functions_search.inc.php');
|
||||
|
||||
// * check the search exists
|
||||
$query = '
|
||||
SELECT id
|
||||
FROM '.SEARCH_TABLE.'
|
||||
WHERE id = '.$params['search_id'].'
|
||||
;';
|
||||
if (empty(get_search_id_pattern($params['search_id'])))
|
||||
{
|
||||
return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid search_id input parameter.');
|
||||
}
|
||||
|
||||
if (count(query2array($query)) == 0)
|
||||
$search_info = get_search_info($params['search_id']);
|
||||
if (empty($search_info))
|
||||
{
|
||||
return new PwgError(WS_ERR_INVALID_PARAM, 'This search does not exist.');
|
||||
}
|
||||
|
||||
$search = array('mode' => 'AND');
|
||||
if (!empty($search_info['created_by']) and $search_info['created_by'] != $user['user_id'])
|
||||
{
|
||||
return new PwgError(WS_ERR_INVALID_PARAM, 'This search was created by another user.');
|
||||
}
|
||||
|
||||
// TODO we should check that this search is updated by the user who created the search.
|
||||
$search = array('mode' => 'AND');
|
||||
|
||||
// * check all parameters
|
||||
if (isset($params['allwords']))
|
||||
@@ -848,7 +852,7 @@ SELECT id
|
||||
UPDATE '.SEARCH_TABLE.'
|
||||
SET rules = \''.pwg_db_real_escape_string(serialize($search)).'\'
|
||||
, last_seen = NOW()
|
||||
WHERE id = '.$params['search_id'].'
|
||||
WHERE id = '.$search_info['id'].'
|
||||
;';
|
||||
pwg_query($query);
|
||||
}
|
||||
|
||||
@@ -1083,43 +1083,4 @@ SELECT
|
||||
'summary' => $search_summary
|
||||
);
|
||||
}
|
||||
|
||||
function ws_gallery_getSearch($param, &$service)
|
||||
{
|
||||
// return $param;
|
||||
if (is_null($param['search_id']))
|
||||
{
|
||||
// Créer une recherche
|
||||
return new PwgError(404, 'Search id is null');
|
||||
}
|
||||
include_once(PHPWG_ROOT_PATH.'include/functions_search.inc.php');
|
||||
|
||||
if (get_search_array($param['search_id']) == false)
|
||||
{
|
||||
return new PwgError(1404, 'Search associated to id '.$param['search_id'].' not found');
|
||||
}
|
||||
|
||||
return get_search_array($param['search_id']);
|
||||
}
|
||||
|
||||
function ws_gallery_updateSearch($param, &$service)
|
||||
{
|
||||
// return $param;
|
||||
if (is_null($param['search_id']))
|
||||
{
|
||||
// Créer une recherche
|
||||
return new PwgError(404, 'Search id is null');
|
||||
}
|
||||
include_once(PHPWG_ROOT_PATH.'include/functions_search.inc.php');
|
||||
|
||||
if (get_search_array($param['search_id']) == false)
|
||||
{
|
||||
return new PwgError(404, 'Search associated to id '.$param['search_id'].' not found');
|
||||
}
|
||||
|
||||
$tmp = get_search_array($param['search_id']);
|
||||
|
||||
// return 'search #'.$param['search_id'].' updated';
|
||||
return $param;
|
||||
}
|
||||
?>
|
||||
|
||||
Reference in New Issue
Block a user