diff options
author | vdigital <vdigital@piwigo.org> | 2007-01-27 08:22:12 +0000 |
---|---|---|
committer | vdigital <vdigital@piwigo.org> | 2007-01-27 08:22:12 +0000 |
commit | 291edfc0c7aad59d0e172e66a9010a3bf736daa2 (patch) | |
tree | 34f7203f017057bcc8fe6fdec5c6e60b9e160b2a | |
parent | bce53b2851e9c0d8626dbb2295e44f10029837f3 (diff) |
Web Service ws_add_controls is closed to final
(Next steps:
- Merge functions_webserv.inc.php into ws_functions.inc.php
- Revise ws_checker
- Restrict Method need to be generic
- ...)
git-svn-id: http://piwigo.org/svn/trunk@1757 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | include/functions_webserv.inc.php | 9 | ||||
-rw-r--r-- | include/ws_functions.inc.php | 87 |
2 files changed, 73 insertions, 23 deletions
diff --git a/include/functions_webserv.inc.php b/include/functions_webserv.inc.php index aad1201a0..7961c63c8 100644 --- a/include/functions_webserv.inc.php +++ b/include/functions_webserv.inc.php @@ -129,7 +129,7 @@ function check_target($list) // FIXME Function which could already exist somewhere else
-function convert_catlist($cat_ids)
+function get_image_ids_for_cats($cat_ids)
{
$cat_list = implode(',', $cat_ids);
$ret_ids = array();
@@ -138,11 +138,6 @@ function convert_catlist($cat_ids) FROM '.IMAGE_CATEGORY_TABLE.'
WHERE category_id in ('.$cat_list.')
;';
- $result = pwg_query($query);
- while ($row = mysql_fetch_array($result))
- {
- $ret_ids[] = $row['image_id'];
- }
- return $ret_ids;
+ return $array_from_query($query, 'image_id');
}
?>
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php index e4eddd18e..ebab7485b 100644 --- a/include/ws_functions.inc.php +++ b/include/ws_functions.inc.php @@ -32,10 +32,10 @@ * usable for 99% of Web Service methods * * - Args - * $params: is where clauses - * $img_tbl: indicates if phpwebgallery_images is selected + * $method: is the requested method * $partner: is the key * $tbl_name: is the alias_name in the query (sometimes called correlation name) + * null if !getting picture informations * - Logic * Access_control is not active: Return * Key is incorrect: Return 0 = 1 (False condition for MySQL) @@ -45,26 +45,66 @@ * * The additionnal in-where-clause is return */ -function ws_add_controls( $params, $img_tbl=false, $partner='', $tbl_name='' ) +function ws_add_controls( $method, $tbl_name ) { - global $conf; + global $conf, $partner; if ( !$conf['ws_access_control'] ) { return ' 1 = 1 '; // No controls are requested } - // Step 1 - Found Partner + +// Is it an active Partner? $query = ' -SELECT FROM '.WEB_SERVICES_ACCESS_TABLE." - WHERE `name` = '$partner';"; +SELECT * FROM '.WEB_SERVICES_ACCESS_TABLE." + WHERE `name` = '$partner' + AND NOW() <= end; "; $result = pwg_query($query); - if ( mysql_num_rows( pwg_query($query) ) = 0 ) + if ( mysql_num_rows( $result ) = 0 ) { - return ' 0 = 1 '; // Unknown partner + return ' 0 = 1 '; // Unknown partner or Obsolate agreement + } + + $row = mysql_fetch_array($result); + +// Method / Request matching +// Generic is not ready +// For generic you can say... tags. or categories. or images. maybe? + $filter = $row['request']; + $request_method = substr($method, 0, strlen($filter)) ; + if ( $filter !== $filter_method ) + { + return ' 0 = 1'; // Unauthorized method request + } + +// Target restrict +// 3 cases: list, cat or tag +// Behind / we could found img-ids, cat-ids or tag-ids + $target = $row['access']; + list($type, $str_ids) = explode('/',$target); // Find type list + + $ids = explode( ',',$str_ids ); +// (array) 1,2,21,3,22,4,5,9-12,6,11,12,13,2,4,6, + $arr_ids = expand_id_list( $ids ); + $addings = implode(',', $arr_ids); +// (string) 1,2,3,4,5,6,9,10,11,12,13,21,22, + if ( $type = 'list') + { + return $tbl_name . 'id IN ( ' . $addings . ' ) '; + } + + if ( $type = 'cat' ) + { + $addings = implode(',', get_image_ids_for_cats($arr_ids)); + return $tbl_name . 'id IN ( ' . $addings . ' ) '; + } + + if ( $type = 'tag' ) + { + $addings = implode(',', get_image_ids_for_tags($arr_ids, 'OR')); + return $tbl_name . 'id IN ( ' . $addings . ' ) '; } - // Step 2 - Clauses / Request matching - // Restrict Request has to be redefined first - // Step 3 - Target restrict - return $addings; + // Unmanaged new type? + return ' 0 = 1 '; // ??? } /** @@ -190,6 +230,9 @@ function ws_std_get_urls($image_row) function ws_getVersion($params, &$service) { +// Needed for security reason... Maybe??? +// $where_clause[] = +// ws_add_controls( 'getVersion', null ); return PHPWG_VERSION; } @@ -249,9 +292,9 @@ SELECT id, name, image_order .implode(',', array_keys($cats) ) .')'; -// example of ws_add_controls call +// Mandatory // $where_clause[] = -// ws_add_controls call( $params, true, $partner, $tbl_name='i.' ); +// ws_add_controls( 'categories.getImages', 'i.' ); $order_by = ws_std_image_sql_order($params, 'i.'); if (empty($order_by)) @@ -371,6 +414,11 @@ function ws_categories_getList($params, &$service) $where[] = 'id NOT IN ('.$user['forbidden_categories'].')'; } +// To ONLY build external links maybe ??? +// $where_clause[] = +// ws_add_controls( 'categories.getList', null ); +// Making links in a Blog... + $query = ' SELECT id, name, uppercats, global_rank, max_date_last, count_images AS nb_images, count_categories AS nb_categories @@ -416,6 +464,9 @@ function ws_images_getInfo($params, &$service) { return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id"); } +// Mandatory (No comment) +// $where_clause[] = +// ws_add_controls( 'images.getInfo', '' ); $query=' SELECT * FROM '.IMAGES_TABLE.' WHERE id='.$params['image_id']. @@ -648,7 +699,7 @@ function ws_tags_getImages($params, &$service) $image_ids = array(); $image_tag_map = array(); - + if ( !empty($tag_ids) ) { // build list of image ids with associated tags per image if ($params['tag_mode_and']) @@ -686,6 +737,10 @@ SELECT image_id, GROUP_CONCAT(tag_id) tag_ids '', true ); $where_clauses[] = 'id IN ('.implode(',',$image_ids).')'; +// Mandatory +// $where_clause[] = +// ws_add_controls( 'tags.getImages', '' ); + $order_by = ws_std_image_sql_order($params); if (empty($order_by)) { |