diff options
| author | rvelices <rv-github@modusoptimus.com> | 2007-02-23 13:18:34 +0000 |
|---|---|---|
| committer | rvelices <rv-github@modusoptimus.com> | 2007-02-23 13:18:34 +0000 |
| commit | cb2408a82c9bc93bef177dc33a8981bc36800839 (patch) | |
| tree | 85728267a379dd1b39ac089ab2021f000e6cb668 /include | |
| parent | 6f03e29735ea395f31d09bbfd15a4e15eaf961e3 (diff) | |
Plugins:
- display author and and author url (if present) on plugin admin page
- uniformized versions/authors... for all plugins in svn
- security fix (html escape name, version, uri, author... to avoid javascript injection which could automatically simulate click on Install)
- added confirmation for install/uninstall plugins
Web services:
- web service explorer now caches method details in order to avoid unnecessary web calls
- web service explorer can now send parameters as arrays
- web service explorer uses now prototype.js version 1.5
- small improvements
- added and use function bad_request (sends http status code 400)
git-svn-id: http://piwigo.org/svn/trunk@1852 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
| -rw-r--r-- | include/functions_html.inc.php | 17 | ||||
| -rw-r--r-- | include/functions_tag.inc.php | 61 | ||||
| -rw-r--r-- | include/section_init.inc.php | 39 | ||||
| -rw-r--r-- | include/ws_core.inc.php | 5 | ||||
| -rw-r--r-- | include/ws_functions.inc.php | 51 |
5 files changed, 114 insertions, 59 deletions
diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php index c0edf6ed0..74934cbf0 100644 --- a/include/functions_html.inc.php +++ b/include/functions_html.inc.php @@ -627,6 +627,23 @@ function page_forbidden($msg, $alternate_url=null) } /** + * exits the current script with 400 code + * @param string msg a message to display + * @param string alternate_url redirect to this url + */ +function bad_request($msg, $alternate_url=null) +{ + set_status_header(400); + if ($alternate_url==null) + $alternate_url = make_index_url(); + redirect_html( $alternate_url, + '<div style="text-align:left; margin-left:5em;margin-bottom:5em;"> +<h1 style="text-align:left; font-size:36px;">Bad request</h1><br/>' +.$msg.'</div>', + 5 ); +} + +/** * exits the current script with 404 code when a page cannot be found * @param string msg a message to display * @param string alternate_url redirect to this url diff --git a/include/functions_tag.inc.php b/include/functions_tag.inc.php index 4f8c95563..c6dc01db6 100644 --- a/include/functions_tag.inc.php +++ b/include/functions_tag.inc.php @@ -271,4 +271,65 @@ SELECT id, name, url_name, count(*) counter usort($tags, 'name_compare'); return $tags; } + +/** + * return a list of tags corresponding to any of ids, url_names, names + * + * @param array ids + * @param array url_names + * @param array names + * @return array + */ +function find_tags($ids, $url_names=array(), $names=array() ) +{ + $where_clauses = array(); + if ( !empty($ids) ) + { + $where_clauses[] = 'id IN ('.implode(',', $ids).')'; + } + if ( !empty($url_names) ) + { + $where_clauses[] = + 'url_name IN ('. + implode( + ',', + array_map( + create_function('$s', 'return "\'".$s."\'";'), + $url_names + ) + ) + .')'; + } + if ( !empty($names) ) + { + $where_clauses[] = + 'name IN ('. + implode( + ',', + array_map( + create_function('$s', 'return "\'".$s."\'";'), + $names + ) + ) + .')'; + } + if (empty($where_clauses)) + { + return array(); + } + + $query = ' +SELECT id, url_name, name + FROM '.TAGS_TABLE.' + WHERE '. implode( ' + OR ', $where_clauses); + + $result = pwg_query($query); + $tags = array(); + while ($row = mysql_fetch_assoc($result)) + { + array_push($tags, $row); + } + return $tags; +} ?>
\ No newline at end of file diff --git a/include/section_init.inc.php b/include/section_init.inc.php index 21396955d..4239ebd93 100644 --- a/include/section_init.inc.php +++ b/include/section_init.inc.php @@ -4,7 +4,6 @@ // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net | // | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net | // +-----------------------------------------------------------------------+ -// | branch : BSF (Best So Far) // | file : $Id$ // | last update : $Date$ // | last modifier : $Author$ @@ -119,7 +118,7 @@ if (script_basename() == 'picture') // basename without file extention } else { - die('Fatal: picture identifier is missing'); + bad_request('picture identifier is missing'); } } } @@ -159,7 +158,7 @@ else if (0 === strpos(@$tokens[$next_token], 'tag')) } else { - array_push($requested_tag_url_names, "'".$tokens[$i]."'"); + array_push($requested_tag_url_names, $tokens[$i]); } $i++; } @@ -167,32 +166,10 @@ else if (0 === strpos(@$tokens[$next_token], 'tag')) if ( empty($requested_tag_ids) && empty($requested_tag_url_names) ) { - die('Fatal: at least one tag required'); - } - // tag infos - $query = ' -SELECT name, url_name, id - FROM '.TAGS_TABLE.' - WHERE '; - if ( !empty($requested_tag_ids) ) - { - $query.= 'id IN ('.implode(',', $requested_tag_ids ).')'; - } - if ( !empty($requested_tag_url_names) ) - { - if ( !empty($requested_tag_ids) ) - { - $query.= ' OR '; - } - $query.= 'url_name IN ('.implode(',', $requested_tag_url_names ).')'; - } - $result = pwg_query($query); - $tag_infos = array(); - while ($row = mysql_fetch_assoc($result)) - { - $tag_infos[ $row['id'] ] = $row; - array_push($page['tags'], $row );//we loose given tag order; is it important? + bad_request('at least one tag required'); } + + $page['tags'] = find_tags($requested_tag_ids, $requested_tag_url_names); if ( empty($page['tags']) ) { page_not_found('Requested tag does not exist', get_root_url().'tags.php' ); @@ -228,10 +205,10 @@ else if ('search' == @$tokens[$next_token]) $page['section'] = 'search'; $next_token++; - preg_match('/(\d+)/', $tokens[$next_token], $matches); + preg_match('/(\d+)/', @$tokens[$next_token], $matches); if (!isset($matches[1])) { - die('Fatal: search identifier is missing'); + bad_request('search identifier is missing'); } $page['search'] = $matches[1]; $next_token++; @@ -254,7 +231,7 @@ else if ('list' == @$tokens[$next_token]) { if (!preg_match('/^\d+(,\d+)*$/', $tokens[$next_token])) { - die('wrong format on list GET parameter'); + bad_request('wrong format on list GET parameter'); } foreach (explode(',', $tokens[$next_token]) as $image_id) { diff --git a/include/ws_core.inc.php b/include/ws_core.inc.php index a3e8c7770..915e7e147 100644 --- a/include/ws_core.inc.php +++ b/include/ws_core.inc.php @@ -464,6 +464,10 @@ Response format: ".@$this->_responseFormat." encoder:".$this->_responseEncoder." { $flags |= WS_PARAM_OPTIONAL; } + if ( $flags & WS_PARAM_FORCE_ARRAY ) + { + $flags |= WS_PARAM_ACCEPT_ARRAY; + } $options['flags'] = $flags; $params[$param] = $options; } @@ -604,6 +608,7 @@ Response format: ".@$this->_responseFormat." encoder:".$this->_responseEncoder." $param_data = array( 'name' => $name, 'optional' => ($options['flags']&WS_PARAM_OPTIONAL)?true:false, + 'acceptArray' => ($options['flags']&WS_PARAM_ACCEPT_ARRAY)?true:false, ); if (isset($options['default'])) { diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php index 8af08204c..c68d5d195 100644 --- a/include/ws_functions.inc.php +++ b/include/ws_functions.inc.php @@ -269,8 +269,11 @@ function ws_std_get_image_xml_attributes() */ function ws_getVersion($params, &$service) { -// TODO = Version availability is under control of $conf['show_version'] - return PHPWG_VERSION; + global $conf; + if ($conf['show_version']) + return PHPWG_VERSION; + else + return new PwgError(403, 'Forbidden'); } @@ -336,14 +339,15 @@ SELECT id, name, image_order $where_clauses[] = ws_addControls( 'categories.getImages', $params, 'i.' ); $order_by = ws_std_image_sql_order($params, 'i.'); - if (empty($order_by)) - {// TODO check for category order by (image_order) - $order_by = $conf['order_by']; - } - else + if ( empty($order_by) + and count($params['cat_id'])==1 + and isset($cats[ $params['cat_id'][0] ]['image_order']) + ) { - $order_by = 'ORDER BY '.$order_by; + $order_by = $cats[ $params['cat_id'][0] ]['image_order']; } + $order_by = empty($order_by) ? $conf['order_by'] : 'ORDER BY '.$order_by; + $query = ' SELECT i.*, GROUP_CONCAT(category_id) cat_ids FROM '.IMAGES_TABLE.' i @@ -499,6 +503,10 @@ ORDER BY global_rank'; */ function ws_images_addComment($params, &$service) { + if (!$service->isPost()) + { + return new PwgError(405, "This method requires HTTP POST"); + } $params['image_id'] = (int)$params['image_id']; $query = ' SELECT DISTINCT image_id @@ -579,7 +587,7 @@ LIMIT 1;'; $image_row = mysql_fetch_assoc(pwg_query($query)); if ($image_row==null) { - return new PwgError(999, "image_id not found"); + return new PwgError(404, "image_id not found"); } $image_row = array_merge( $image_row, ws_std_get_urls($image_row) ); @@ -859,7 +867,7 @@ function ws_session_login($params, &$service) if (!$service->isPost()) { - return new PwgError(400, "This method requires POST"); + return new PwgError(405, "This method requires HTTP POST"); } if (try_log_user($params['username'], $params['password'],false)) { @@ -942,32 +950,19 @@ function ws_tags_getImages($params, &$service) { @include_once(PHPWG_ROOT_PATH.'include/functions_picture.inc.php'); global $conf; - + // first build all the tag_ids we are interested in - $tag_ids = array(); - $tags = get_available_tags(); + $params['tag_id'] = array_map( 'intval',$params['tag_id'] ); + $tags = find_tags($params['tag_id'], $params['tag_url_name'], $params['tag_name']); $tags_by_id = array(); - for( $i=0; $i<count($tags); $i++ ) - { - $tags[$i]['id']=(int)$tags[$i]['id']; - } foreach( $tags as $tag ) { + $tags['id'] = (int)$tag['id']; $tags_by_id[ $tag['id'] ] = $tag; - if ( - in_array($tag['name'], $params['tag_name']) - or - in_array($tag['url_name'], $params['tag_url_name']) - or - in_array($tag['id'], $params['tag_id']) - ) - { - $tag_ids[] = $tag['id']; - } } unset($tags); + $tag_ids = array_keys($tags_by_id); - $tag_ids = array_unique( $tag_ids ); $image_ids = array(); $image_tag_map = array(); |