From 8effbe8e950aa660902620c1574c9c41e439be6f Mon Sep 17 00:00:00 2001 From: plegall Date: Thu, 7 Oct 2021 14:53:27 +0200 Subject: [PATCH] fixes #1356 pwg.images.uploadAsync, move auth code to inc/user.inc.php In order to avoid loading user context as "guest" and then wait to be in ws_images_uploadAsync function to authenticate and load a new user context. This way we deal with "automatic" authentication in the same place (as apache auth or url auth) and we use the more common user context loading mecanism. Making Community compatible is now much easier. To avoid duplicating too many lines of ws.php into inc/user.inc.php, I have moved the init of ws.php into inc/ws_init.inc.php --- include/user.inc.php | 16 +++++++ include/ws_functions/pwg.images.php | 17 ++----- include/ws_init.inc.php | 69 +++++++++++++++++++++++++++++ ws.php | 61 +------------------------ 4 files changed, 90 insertions(+), 73 deletions(-) create mode 100644 include/ws_init.inc.php diff --git a/include/user.inc.php b/include/user.inc.php index ce2f74c86..7719a1162 100644 --- a/include/user.inc.php +++ b/include/user.inc.php @@ -56,6 +56,22 @@ if (isset($_GET['auth'])) auth_key_login($_GET['auth']); } +if ( + defined('IN_WS') + and isset($_REQUEST['method']) + and 'pwg.images.uploadAsync' == $_REQUEST['method'] + and isset($_POST['username']) + and isset($_POST['password']) +) +{ + if (!try_log_user($_POST['username'], $_POST['password'], false)) + { + include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php'); + $service->sendResponse(new PwgError(999, 'Invalid username/password')); + exit(); + } +} + $user = build_user( $user['id'], ( defined('IN_ADMIN') and IN_ADMIN ) ? false : true // use cache ? ); diff --git a/include/ws_functions/pwg.images.php b/include/ws_functions/pwg.images.php index 302db82d6..ca26b5454 100644 --- a/include/ws_functions/pwg.images.php +++ b/include/ws_functions/pwg.images.php 
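Review bot: The new block in user.inc.php decides to consume POST credentials based on `$_REQUEST['method']`, while the REST handler that actually dispatches the call takes the method name from its own source (not visible here); `$_REQUEST` can also be populated from cookies depending on `request_order`, so reading `$_GET['method']` / `$_POST['method']` explicitly would keep this gate aligned with what gets dispatched. On the failure branch the request is answered with `PwgError(999, ...)` and `exit()` without recording the failed attempt; whether `try_log_user` logs or throttles failures is not visible in the hunk, and if it does not, this is the natural place to log the attempted username and remote address for detection. The literal third argument `false` to `try_log_user` is not self-explanatory; a short comment naming the parameter it sets (per try_log_user's signature) would help. The hunk sits at file scope and the `$user = build_user(` statement it precedes continues past the end of the hunk.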
@@ -1473,26 +1473,15 @@ function ws_images_uploadAsync($params, &$service) { global $conf, $user, $logger; + // the username/password parameters have been used in include/user.inc.php + // to authenticate the request (a much better time/place than here) + // additional check for some parameters if (!preg_match('/^[a-fA-F0-9]{32}$/', $params['original_sum'])) { return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid original_sum'); } - if (!try_log_user($params['username'], $params['password'], false)) - { - return new PwgError(999, 'Invalid username/password'); - } - - // build $user - // include(PHPWG_ROOT_PATH.'include/user.inc.php'); - $user = build_user($user['id'], false); - - if (!is_admin()) - { - return new PwgError(401, 'Admin status is required.'); - } - if ($params['image_id'] > 0) { $query=' diff --git a/include/ws_init.inc.php b/include/ws_init.inc.php new file mode 100644 index 000000000..444d87b29 --- /dev/null +++ b/include/ws_init.inc.php @@ -0,0 +1,69 @@ +setHandler($requestFormat, $handler); +} + +if (!is_null($responseFormat)) +{ + $encoder = null; + switch ($responseFormat) + { + case 'rest': + include_once(PHPWG_ROOT_PATH.'include/ws_protocols/rest_encoder.php'); + $encoder = new PwgRestEncoder(); + break; + case 'php': + include_once(PHPWG_ROOT_PATH.'include/ws_protocols/php_encoder.php'); + $encoder = new PwgSerialPhpEncoder(); + break; + case 'json': + include_once(PHPWG_ROOT_PATH.'include/ws_protocols/json_encoder.php'); + $encoder = new PwgJsonEncoder(); + break; + case 'xmlrpc': + include_once(PHPWG_ROOT_PATH.'include/ws_protocols/xmlrpc_encoder.php'); + $encoder = new PwgXmlRpcEncoder(); + break; + } + $service->setEncoder($responseFormat, $encoder); +} + +set_make_full_url(); \ No newline at end of file diff --git a/ws.php b/ws.php index 848174048..7fd7b8a8f 100644 --- a/ws.php +++ b/ws.php 
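Review bot: With the `try_log_user` / `build_user` / `is_admin()` lines removed, ws_images_uploadAsync no longer verifies the caller's admin status itself; the commit relies on the `'admin_only'=>true` flag added to the method registration in ws.php (last hunk) and on the invoke-allowed check enforcing it before the function body runs, which is not visible here and is worth confirming since the in-function 401 was previously the last line of defense. The new comment should say where the check now lives, not only where the credentials are consumed: `// authentication (username/password POST params) is done in include/user.inc.php; admin status is enforced by the 'admin_only' flag on the method registration in ws.php`. `$user` stays in the `global` list although this hunk no longer assigns it, which is fine only if it is still read further down. The function body continues past the end of the hunk.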
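Review bot: `$service->setEncoder($responseFormat, $encoder)` is still reached with `$encoder === null` when the format (taken from `$_GET['format']`, per the ws.php lines this commit removes) matches none of the four cases; whether PwgServer tolerates a null encoder is not visible here, so consider rejecting unknown formats in the switch, e.g. `default: page_forbidden('Unknown response format');`, assuming page_forbidden terminates the request as its use in ws.php suggests. Since user.inc.php now includes this file on its credential-failure path, ahead of the normal include from ws.php, a header comment stating that it must be safe to include from either place (include_once, no reliance on `$user` being built) would help the next maintainer. The file is also missing its trailing newline. The first lines of this hunk are not visible in this view.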
@@ -17,65 +17,8 @@ if ( !$conf['allow_web_services'] ) page_forbidden('Web services are disabled'); } -include_once(PHPWG_ROOT_PATH.'include/ws_core.inc.php'); +include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php'); -add_event_handler('ws_add_methods', 'ws_addDefaultMethods'); -add_event_handler('ws_invoke_allowed', 'ws_isInvokeAllowed', EVENT_HANDLER_PRIORITY_NEUTRAL, 3); - -$requestFormat = 'rest'; -$responseFormat = null; - -if ( isset($_GET['format']) ) -{ - $responseFormat = $_GET['format']; -} - -if ( !isset($responseFormat) and isset($requestFormat) ) -{ - $responseFormat = $requestFormat; -} - -$service = new PwgServer(); - -if (!is_null($requestFormat)) -{ - $handler = null; - switch ($requestFormat) - { - case 'rest': - include_once(PHPWG_ROOT_PATH.'include/ws_protocols/rest_handler.php'); - $handler = new PwgRestRequestHandler(); - break; - } - $service->setHandler($requestFormat, $handler); -} - -if (!is_null($responseFormat)) -{ - $encoder = null; - switch ($responseFormat) - { - case 'rest': - include_once(PHPWG_ROOT_PATH.'include/ws_protocols/rest_encoder.php'); - $encoder = new PwgRestEncoder(); - break; - case 'php': - include_once(PHPWG_ROOT_PATH.'include/ws_protocols/php_encoder.php'); - $encoder = new PwgSerialPhpEncoder(); - break; - case 'json': - include_once(PHPWG_ROOT_PATH.'include/ws_protocols/json_encoder.php'); - $encoder = new PwgJsonEncoder(); - break; - case 'xmlrpc': - include_once(PHPWG_ROOT_PATH.'include/ws_protocols/xmlrpc_encoder.php'); - $encoder = new PwgXmlRpcEncoder(); - break; - } - $service->setEncoder($responseFormat, $encoder); -} - -set_make_full_url(); $service->run(); @@ -540,7 +483,7 @@ function ws_addDefaultMethods( $arr )
You can update an existing photo if you define an existing image_id.
Requires admin credentials.', $ws_functions_root . 'pwg.images.php', - array('post_only'=>true) + array('admin_only'=>true, 'post_only'=>true) ); $service->addMethod(