authorrvelices <rv-github@modusoptimus.com>2007-02-23 13:18:34 +0000
committerrvelices <rv-github@modusoptimus.com>2007-02-23 13:18:34 +0000
commitcb2408a82c9bc93bef177dc33a8981bc36800839 (patch)
tree85728267a379dd1b39ac089ab2021f000e6cb668 /include
parent6f03e29735ea395f31d09bbfd15a4e15eaf961e3 (diff)
Plugins:
- display author and author url (if present) on plugin admin page - uniformized versions/authors... for all plugins in svn - security fix (html escape name, version, uri, author... to avoid javascript injection which could automatically simulate click on Install) - added confirmation for install/uninstall plugins Web services: - web service explorer now caches method details in order to avoid unnecessary web calls - web service explorer can now send parameters as arrays - web service explorer uses now prototype.js version 1.5 - small improvements - added and use function bad_request (sends http status code 400) git-svn-id: http://piwigo.org/svn/trunk@1852 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--include/functions_html.inc.php17
-rw-r--r--include/functions_tag.inc.php61
-rw-r--r--include/section_init.inc.php39
-rw-r--r--include/ws_core.inc.php5
-rw-r--r--include/ws_functions.inc.php51
5 files changed, 114 insertions, 59 deletions
diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php
index c0edf6ed0..74934cbf0 100644
--- a/include/functions_html.inc.php
+++ b/include/functions_html.inc.php
@@ -627,6 +627,23 @@ function page_forbidden($msg, $alternate_url=null)
}
/**
+ * exits the current script with 400 code
+ * @param string msg a message to display
+ * @param string alternate_url redirect to this url
+ */
+function bad_request($msg, $alternate_url=null)
+{
+ set_status_header(400);
+ if ($alternate_url==null)
+ $alternate_url = make_index_url();
+ redirect_html( $alternate_url,
+ '<div style="text-align:left; margin-left:5em;margin-bottom:5em;">
+<h1 style="text-align:left; font-size:36px;">Bad request</h1><br/>'
+.$msg.'</div>',
+ 5 );
+}
+
+/**
* exits the current script with 404 code when a page cannot be found
* @param string msg a message to display
* @param string alternate_url redirect to this url
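Review bot: `$msg` is concatenated straight into the HTML body handed to redirect_html() at `.$msg.'</div>'` without any escaping, so the contract that it must already be HTML-safe is invisible to callers; every call site in this commit passes a literal string, but a future caller reflecting a request value would turn this into a reflected injection point. Please state it in the docblock, e.g. `@param string msg a message to display (inserted verbatim into HTML; must not contain unescaped user input)`. Separately, `if ($alternate_url==null)` also matches `''` and `0` because of loose comparison; if only null is meant, `if ($alternate_url===null)` says so.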
diff --git a/include/functions_tag.inc.php b/include/functions_tag.inc.php
index 4f8c95563..c6dc01db6 100644
--- a/include/functions_tag.inc.php
+++ b/include/functions_tag.inc.php
@@ -271,4 +271,65 @@ SELECT id, name, url_name, count(*) counter
usort($tags, 'name_compare');
return $tags;
}
+
+/**
+ * return a list of tags corresponding to any of ids, url_names, names
+ *
+ * @param array ids
+ * @param array url_names
+ * @param array names
+ * @return array
+ */
+function find_tags($ids, $url_names=array(), $names=array() )
+{
+ $where_clauses = array();
+ if ( !empty($ids) )
+ {
+ $where_clauses[] = 'id IN ('.implode(',', $ids).')';
+ }
+ if ( !empty($url_names) )
+ {
+ $where_clauses[] =
+ 'url_name IN ('.
+ implode(
+ ',',
+ array_map(
+ create_function('$s', 'return "\'".$s."\'";'),
+ $url_names
+ )
+ )
+ .')';
+ }
+ if ( !empty($names) )
+ {
+ $where_clauses[] =
+ 'name IN ('.
+ implode(
+ ',',
+ array_map(
+ create_function('$s', 'return "\'".$s."\'";'),
+ $names
+ )
+ )
+ .')';
+ }
+ if (empty($where_clauses))
+ {
+ return array();
+ }
+
+ $query = '
+SELECT id, url_name, name
+ FROM '.TAGS_TABLE.'
+ WHERE '. implode( '
+ OR ', $where_clauses);
+
+ $result = pwg_query($query);
+ $tags = array();
+ while ($row = mysql_fetch_assoc($result))
+ {
+ array_push($tags, $row);
+ }
+ return $tags;
+}
?> \ No newline at end of file
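Review bot: find_tags() builds its WHERE clause from the raw values it receives — `$ids` are imploded without an integer cast and `$url_names`/`$names` are only wrapped in quotes by the create_function callbacks, never escaped — so any value containing a quote alters the statement. This matters because the commit also moves caller-side quoting into this function: section_init.inc.php now pushes the bare URL token (`array_push($requested_tag_url_names, $tokens[$i]);`) and ws_tags_getImages passes the `tag_url_name`/`tag_name` web-service parameters directly. Suggested change: `'id IN ('.implode(',', array_map('intval', $ids)).')'` for the id list, and `create_function('$s', 'return "\'".mysql_real_escape_string($s)."\'";')` as the callback for both string lists, so escaping lives in the one place that builds the SQL. The docblock should then say that the function escapes its inputs, so callers do not add their own quoting again.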
diff --git a/include/section_init.inc.php b/include/section_init.inc.php
index 21396955d..4239ebd93 100644
--- a/include/section_init.inc.php
+++ b/include/section_init.inc.php
@@ -4,7 +4,6 @@
// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
// +-----------------------------------------------------------------------+
-// | branch : BSF (Best So Far)
// | file : $Id$
// | last update : $Date$
// | last modifier : $Author$
@@ -119,7 +118,7 @@ if (script_basename() == 'picture') // basename without file extention
}
else
{
- die('Fatal: picture identifier is missing');
+ bad_request('picture identifier is missing');
}
}
}
@@ -159,7 +158,7 @@ else if (0 === strpos(@$tokens[$next_token], 'tag'))
}
else
{
- array_push($requested_tag_url_names, "'".$tokens[$i]."'");
+ array_push($requested_tag_url_names, $tokens[$i]);
}
$i++;
}
@@ -167,32 +166,10 @@ else if (0 === strpos(@$tokens[$next_token], 'tag'))
if ( empty($requested_tag_ids) && empty($requested_tag_url_names) )
{
- die('Fatal: at least one tag required');
- }
- // tag infos
- $query = '
-SELECT name, url_name, id
- FROM '.TAGS_TABLE.'
- WHERE ';
- if ( !empty($requested_tag_ids) )
- {
- $query.= 'id IN ('.implode(',', $requested_tag_ids ).')';
- }
- if ( !empty($requested_tag_url_names) )
- {
- if ( !empty($requested_tag_ids) )
- {
- $query.= ' OR ';
- }
- $query.= 'url_name IN ('.implode(',', $requested_tag_url_names ).')';
- }
- $result = pwg_query($query);
- $tag_infos = array();
- while ($row = mysql_fetch_assoc($result))
- {
- $tag_infos[ $row['id'] ] = $row;
- array_push($page['tags'], $row );//we loose given tag order; is it important?
+ bad_request('at least one tag required');
}
+
+ $page['tags'] = find_tags($requested_tag_ids, $requested_tag_url_names);
if ( empty($page['tags']) )
{
page_not_found('Requested tag does not exist', get_root_url().'tags.php' );
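Review bot: The removed loop also populated `$tag_infos[ $row['id'] ] = $row`, and the new code drops that variable entirely; if anything later in section_init.inc.php still reads `$tag_infos` it is now undefined, which is not visible from this hunk and worth a grep. The removed comment about losing the requested tag order still applies, since find_tags() has no ORDER BY and returns rows in database order, so I would keep it next to the new call: `// find_tags() returns tags in database order, not in the order given in the URL`. The enclosing section block starts before this hunk.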
@@ -228,10 +205,10 @@ else if ('search' == @$tokens[$next_token])
$page['section'] = 'search';
$next_token++;
- preg_match('/(\d+)/', $tokens[$next_token], $matches);
+ preg_match('/(\d+)/', @$tokens[$next_token], $matches);
if (!isset($matches[1]))
{
- die('Fatal: search identifier is missing');
+ bad_request('search identifier is missing');
}
$page['search'] = $matches[1];
$next_token++;
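Review bot: The added `@` on `@$tokens[$next_token]` only hides the undefined-offset notice; an explicit check reads clearer and does not mask other problems on that line: `preg_match('/(\d+)/', isset($tokens[$next_token]) ? $tokens[$next_token] : '', $matches);`. The `if (!isset($matches[1]))` guard below then handles the empty case as before. The enclosing section block starts before this hunk.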
@@ -254,7 +231,7 @@ else if ('list' == @$tokens[$next_token])
{
if (!preg_match('/^\d+(,\d+)*$/', $tokens[$next_token]))
{
- die('wrong format on list GET parameter');
+ bad_request('wrong format on list GET parameter');
}
foreach (explode(',', $tokens[$next_token]) as $image_id)
{
diff --git a/include/ws_core.inc.php b/include/ws_core.inc.php
index a3e8c7770..915e7e147 100644
--- a/include/ws_core.inc.php
+++ b/include/ws_core.inc.php
@@ -464,6 +464,10 @@ Response format: ".@$this->_responseFormat." encoder:".$this->_responseEncoder."
{
$flags |= WS_PARAM_OPTIONAL;
}
+ if ( $flags & WS_PARAM_FORCE_ARRAY )
+ {
+ $flags |= WS_PARAM_ACCEPT_ARRAY;
+ }
$options['flags'] = $flags;
$params[$param] = $options;
}
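Review bot: The new `if ( $flags & WS_PARAM_FORCE_ARRAY )` block silently adds a second flag, and nothing explains why the two are coupled; a one-line comment saves the next reader a lookup: `// a parameter forced to array form must also accept array input`. The enclosing method starts and ends outside this hunk.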
@@ -604,6 +608,7 @@ Response format: ".@$this->_responseFormat." encoder:".$this->_responseEncoder."
$param_data = array(
'name' => $name,
'optional' => ($options['flags']&WS_PARAM_OPTIONAL)?true:false,
+ 'acceptArray' => ($options['flags']&WS_PARAM_ACCEPT_ARRAY)?true:false,
);
if (isset($options['default']))
{
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 8af08204c..c68d5d195 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -269,8 +269,11 @@ function ws_std_get_image_xml_attributes()
*/
function ws_getVersion($params, &$service)
{
-// TODO = Version availability is under control of $conf['show_version']
- return PHPWG_VERSION;
+ global $conf;
+ if ($conf['show_version'])
+ return PHPWG_VERSION;
+ else
+ return new PwgError(403, 'Forbidden');
}
@@ -336,14 +339,15 @@ SELECT id, name, image_order
$where_clauses[] = ws_addControls( 'categories.getImages', $params, 'i.' );
$order_by = ws_std_image_sql_order($params, 'i.');
- if (empty($order_by))
- {// TODO check for category order by (image_order)
- $order_by = $conf['order_by'];
- }
- else
+ if ( empty($order_by)
+ and count($params['cat_id'])==1
+ and isset($cats[ $params['cat_id'][0] ]['image_order'])
+ )
{
- $order_by = 'ORDER BY '.$order_by;
+ $order_by = $cats[ $params['cat_id'][0] ]['image_order'];
}
+ $order_by = empty($order_by) ? $conf['order_by'] : 'ORDER BY '.$order_by;
+
$query = '
SELECT i.*, GROUP_CONCAT(category_id) cat_ids
FROM '.IMAGES_TABLE.' i
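Review bot: The new line `$order_by = empty($order_by) ? $conf['order_by'] : 'ORDER BY '.$order_by;` treats the two sources asymmetrically — `$conf['order_by']` appears to be a complete clause while the category's `image_order` (and the result of ws_std_image_sql_order) gets the keyword prepended — and that convention is easy to break when either side changes. A comment on that line would help: `// $conf['order_by'] already includes the ORDER BY keyword; image_order and the ws order do not`. The enclosing function starts before this hunk.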
@@ -499,6 +503,10 @@ ORDER BY global_rank';
*/
function ws_images_addComment($params, &$service)
{
+ if (!$service->isPost())
+ {
+ return new PwgError(405, "This method requires HTTP POST");
+ }
$params['image_id'] = (int)$params['image_id'];
$query = '
SELECT DISTINCT image_id
@@ -579,7 +587,7 @@ LIMIT 1;';
$image_row = mysql_fetch_assoc(pwg_query($query));
if ($image_row==null)
{
- return new PwgError(999, "image_id not found");
+ return new PwgError(404, "image_id not found");
}
$image_row = array_merge( $image_row, ws_std_get_urls($image_row) );
@@ -859,7 +867,7 @@ function ws_session_login($params, &$service)
if (!$service->isPost())
{
- return new PwgError(400, "This method requires POST");
+ return new PwgError(405, "This method requires HTTP POST");
}
if (try_log_user($params['username'], $params['password'],false))
{
@@ -942,32 +950,19 @@ function ws_tags_getImages($params, &$service)
{
@include_once(PHPWG_ROOT_PATH.'include/functions_picture.inc.php');
global $conf;
-
+
// first build all the tag_ids we are interested in
- $tag_ids = array();
- $tags = get_available_tags();
+ $params['tag_id'] = array_map( 'intval',$params['tag_id'] );
+ $tags = find_tags($params['tag_id'], $params['tag_url_name'], $params['tag_name']);
$tags_by_id = array();
- for( $i=0; $i<count($tags); $i++ )
- {
- $tags[$i]['id']=(int)$tags[$i]['id'];
- }
foreach( $tags as $tag )
{
+ $tags['id'] = (int)$tag['id'];
$tags_by_id[ $tag['id'] ] = $tag;
- if (
- in_array($tag['name'], $params['tag_name'])
- or
- in_array($tag['url_name'], $params['tag_url_name'])
- or
- in_array($tag['id'], $params['tag_id'])
- )
- {
- $tag_ids[] = $tag['id'];
- }
}
unset($tags);
+ $tag_ids = array_keys($tags_by_id);
- $tag_ids = array_unique( $tag_ids );
$image_ids = array();
$image_tag_map = array();