aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/ws_core.inc.php16
-rw-r--r--include/ws_functions.inc.php188
-rw-r--r--ws.php120
3 files changed, 104 insertions, 220 deletions
diff --git a/include/ws_core.inc.php b/include/ws_core.inc.php
index 3bb69a828..704e383ea 100644
--- a/include/ws_core.inc.php
+++ b/include/ws_core.inc.php
@@ -324,7 +324,9 @@ Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseF
* @param description string - a description of the method.
* @param include_file string - a file to be included befaore the callback is executed
* @param options array
- * @option bool hidden (hidden) - if true, this method won't be visible by reflection.getMethodList
+ * @option bool hidden (optional) - if true, this method won't be visible by reflection.getMethodList
+ * @option bool admin_only (optional)
+ * @option bool post_only (optional)
*/
function addMethod($methodName, $callback, $params=array(), $description='', $include_file='', $options=array())
{
@@ -388,7 +390,7 @@ Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseF
return isset($signature) ? $signature : array();
}
- /*static*/ function isPost()
+ static function isPost()
{
return isset($HTTP_RAW_POST_DATA) or !empty($_POST);
}
@@ -510,6 +512,16 @@ Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseF
{
return new PwgError(WS_ERR_INVALID_METHOD, 'Method name is not valid');
}
+
+ if ( isset($method['options']['post_only']) and $method['options']['post_only'] and !self::isPost() )
+ {
+ return new PwgError(405, 'This method requires HTTP POST');
+ }
+
+ if ( isset($method['options']['admin_only']) and $method['options']['admin_only'] and !is_admin() )
+ {
+ return new PwgError(401, 'Access denied');
+ }
// parameter check and data correction
$signature = $method['signature'];
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index d2a920772..55bd60863 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -208,11 +208,6 @@ function ws_std_get_tag_xml_attributes()
function ws_getMissingDerivatives($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(403, 'Forbidden');
- }
-
if ( empty($params['types']) )
{
$types = array_keys(ImageStdParams::get_defined_type_map());
@@ -319,11 +314,6 @@ function ws_getVersion($params, $service)
*/
function ws_getInfos($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(403, 'Forbidden');
- }
-
$infos['version'] = PHPWG_VERSION;
$query = 'SELECT COUNT(*) FROM '.IMAGES_TABLE.';';
@@ -383,10 +373,6 @@ function ws_getInfos($params, $service)
function ws_caddie_add($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
global $user;
$query = '
SELECT id
@@ -880,11 +866,6 @@ SELECT id, path, representative_ext
*/
function ws_categories_getAdminList($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
$query = '
SELECT
category_id,
@@ -948,11 +929,6 @@ SELECT
*/
function ws_images_addComment($params, $service)
{
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
$query = '
SELECT DISTINCT image_id
FROM '.IMAGE_CATEGORY_TABLE.' INNER JOIN '.CATEGORIES_TABLE.' ON category_id=id
@@ -1294,14 +1270,6 @@ SELECT * FROM '.IMAGES_TABLE.'
function ws_images_setPrivacyLevel($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
global $conf;
if ( !in_array($params['level'], $conf['available_permission_levels']) )
{
@@ -1324,16 +1292,6 @@ UPDATE '.IMAGES_TABLE.'
function ws_images_setRank($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
// does the image really exist?
$query='
SELECT COUNT(*)
@@ -1418,16 +1376,6 @@ function ws_images_add_chunk($params, $service)
// type {thumb, file, high}
// position
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
foreach ($params as $param_key => $param_value) {
if ('data' == $param_key) {
continue;
@@ -1576,10 +1524,6 @@ function ws_images_addFile($params, $service)
// sum -> not used currently (Piwigo 2.4)
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
//
// what is the path and other infos about the photo?
@@ -1662,10 +1606,6 @@ SELECT
function ws_images_add($params, $service)
{
global $conf, $user;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
foreach ($params as $param_key => $param_value) {
ws_logfile(
@@ -1816,15 +1756,6 @@ SELECT id, name, permalink
function ws_images_addSimple($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
if (!isset($_FILES['image']))
{
@@ -1938,18 +1869,6 @@ SELECT id, name, permalink
function ws_rates_delete($params, $service)
{
- global $conf;
-
- if (!$service->isPost())
- {
- return new PwgError(405, 'This method requires HTTP POST');
- }
-
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
$query = '
DELETE FROM '.RATE_TABLE.'
WHERE user_id='.$params['user_id'];
@@ -1974,12 +1893,6 @@ DELETE FROM '.RATE_TABLE.'
*/
function ws_session_login($params, $service)
{
- global $conf;
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
if (try_log_user($params['username'], $params['password'],false))
{
return true;
@@ -2056,11 +1969,6 @@ function ws_tags_getList($params, $service)
*/
function ws_tags_getAdminList($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
$tags = get_all_tags();
return array(
'tags' => new PwgNamedArray(
@@ -2228,11 +2136,6 @@ function ws_categories_add($params, $service)
function ws_tags_add($params, $service)
{
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
$creation_output = create_tag($params['name']);
@@ -2251,11 +2154,6 @@ function ws_images_exist($params, $service)
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
$split_pattern = '/[\s,;\|]/';
if ('md5sum' == $conf['uniqueness_mode'])
@@ -2328,11 +2226,6 @@ function ws_images_checkFiles($params, $service)
{
ws_logfile(__FUNCTION__.', input : '.var_export($params, true));
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
// input parameters
//
// image_id
@@ -2394,15 +2287,6 @@ SELECT
function ws_images_setInfo($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
@@ -2534,15 +2418,6 @@ SELECT *
function ws_images_delete($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
if (get_pwg_token() != $params['pwg_token'])
{
@@ -2726,15 +2601,6 @@ SELECT
function ws_categories_setInfo($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
// category_id
// name
@@ -2774,16 +2640,6 @@ function ws_categories_setRepresentative($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
// category_id
// image_id
@@ -2831,15 +2687,6 @@ UPDATE '.USER_CACHE_CATEGORIES_TABLE.'
function ws_categories_delete($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
if (get_pwg_token() != $params['pwg_token'])
{
@@ -2903,16 +2750,6 @@ function ws_categories_move($params, $service)
{
global $conf, $page;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
if (get_pwg_token() != $params['pwg_token'])
{
return new PwgError(403, 'Invalid security token');
@@ -3035,11 +2872,6 @@ function ws_images_checkUpload($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
$ret['message'] = ready_for_upload_message();
$ret['ready_for_upload'] = true;
@@ -3056,11 +2888,6 @@ function ws_plugins_getList($params, $service)
{
global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
include_once(PHPWG_ROOT_PATH.'admin/include/plugins.class.php');
$plugins = new plugins();
$plugins->sort_fs_plugins('name');
@@ -3094,11 +2921,6 @@ function ws_plugins_performAction($params, &$service)
{
global $template;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
if (get_pwg_token() != $params['pwg_token'])
{
return new PwgError(403, 'Invalid security token');
@@ -3128,11 +2950,6 @@ function ws_themes_performAction($params, $service)
{
global $template;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
if (get_pwg_token() != $params['pwg_token'])
{
return new PwgError(403, 'Invalid security token');
@@ -3305,11 +3122,6 @@ function ws_extensions_checkupdates($params, $service)
include_once(PHPWG_ROOT_PATH.'admin/include/updates.class.php');
$update = new updates();
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
$result = array();
if (!isset($_SESSION['need_update']))
diff --git a/ws.php b/ws.php
index 318ddd16a..e04c19f44 100644
--- a/ws.php
+++ b/ws.php
@@ -135,7 +135,9 @@ function ws_addDefaultMethods( $arr )
'pwg.getInfos',
'ws_getInfos',
null,
- '<b>Admin only.</b> Returns general informations.'
+ '<b>Admin only.</b> Returns general informations.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -145,7 +147,9 @@ function ws_addDefaultMethods( $arr )
'image_id'=> array('flags'=>WS_PARAM_FORCE_ARRAY,
'type'=>WS_TYPE_ID),
),
- '<b>Admin only.</b> Adds elements to the caddie. Returns the number of elements added.'
+ '<b>Admin only.</b> Adds elements to the caddie. Returns the number of elements added.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -204,7 +208,9 @@ function ws_addDefaultMethods( $arr )
'prev_page' => array('default'=>null,
'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
), $f_params),
- '<b>Admin only.</b> Returns a list of derivatives to build.'
+ '<b>Admin only.</b> Returns a list of derivatives to build.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -216,7 +222,9 @@ function ws_addDefaultMethods( $arr )
'content' => array(),
'key' => array(),
),
- '<b>POST only.</b> Adds a comment to an image.'
+ '<b>POST only.</b> Adds a comment to an image.',
+ null,
+ array('post_only'=>true)
);
$service->addMethod(
@@ -268,7 +276,9 @@ function ws_addDefaultMethods( $arr )
'level' => array('maxValue'=>max($conf['available_permission_levels']),
'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
),
- '<b>Admin & POST only.</b> Sets the privacy levels for the images.'
+ '<b>Admin & POST only.</b> Sets the privacy levels for the images.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -279,7 +289,9 @@ function ws_addDefaultMethods( $arr )
'category_id' => array('type'=>WS_TYPE_ID),
'rank' => array('type'=>WS_TYPE_INT|WS_TYPE_POSITIVE|WS_TYPE_NOTNULL)
),
- '<b>Admin & POST only.</b> Sets the rank of a photo for a given album.'
+ '<b>Admin & POST only.</b> Sets the rank of a photo for a given album.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -289,7 +301,9 @@ function ws_addDefaultMethods( $arr )
'user_id' => array('type'=>WS_TYPE_ID),
'anonymous_id' => array('default'=>null),
),
- '<b>Admin & POST only.</b> Deletes all rates for a user.'
+ '<b>Admin & POST only.</b> Deletes all rates for a user.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -303,7 +317,9 @@ function ws_addDefaultMethods( $arr )
'pwg.session.login',
'ws_session_login',
array('username', 'password'),
- '<b>POST only.</b> Tries to login the user.'
+ '<b>POST only.</b> Tries to login the user.',
+ null,
+ array('post_only'=>true)
);
$service->addMethod(
@@ -357,7 +373,9 @@ function ws_addDefaultMethods( $arr )
'info'=>'Must be "file", for backward compatiblity "high" and "thumb" are allowed.'),
'position' => array()
),
- '<b>Admin & POST only.</b> Add a chunk of a file.'
+ '<b>Admin & POST only.</b> Add a chunk of a file.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -370,7 +388,9 @@ function ws_addDefaultMethods( $arr )
'sum' => array(),
),
'<b>Admin only.</b> Add or update a file for an existing photo.
-<br>pwg.images.addChunk must have been called before (maybe several times).'
+<br>pwg.images.addChunk must have been called before (maybe several times).',
+ null,
+ array('admin_only'=>true)
);
@@ -401,7 +421,9 @@ function ws_addDefaultMethods( $arr )
),
'<b>Admin only.</b> Add an image.
<br>pwg.images.addChunk must have been called before (maybe several times).
-<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.'
+<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -425,7 +447,9 @@ function ws_addDefaultMethods( $arr )
'<b>Admin & POST only.</b> Add an image.
<br>Use the <b>$_FILES[image]</b> field for uploading file.
<br>Set the form encoding to "form-data".
-<br>You can update an existing photo if you define an existing image_id.'
+<br>You can update an existing photo if you define an existing image_id.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -435,14 +459,18 @@ function ws_addDefaultMethods( $arr )
'image_id' => array('flags'=>WS_PARAM_ACCEPT_ARRAY),
'pwg_token' => array(),
),
- '<b>Admin & POST only.</b> Deletes image(s).'
+ '<b>Admin & POST only.</b> Deletes image(s).',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
'pwg.categories.getAdminList',
'ws_categories_getAdminList',
null,
- '<b>Admin only.</b>'
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -473,7 +501,9 @@ function ws_addDefaultMethods( $arr )
),
'<b>Admin & POST only.</b> Deletes album(s).
<br><b>photo_deletion_mode</b> can be "no_delete" (may create orphan photos), "delete_orphans"
-(default mode, only deletes photos linked to no other album) or "force_delete" (delete all photos, even those linked to other albums)'
+(default mode, only deletes photos linked to no other album) or "force_delete" (delete all photos, even those linked to other albums)',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -485,7 +515,9 @@ function ws_addDefaultMethods( $arr )
'pwg_token' => array(),
),
'<b>Admin & POST only.</b> Move album(s).
-<br>Set parent as 0 to move to gallery root. Only virtual categories can be moved.'
+<br>Set parent as 0 to move to gallery root. Only virtual categories can be moved.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -495,21 +527,27 @@ function ws_addDefaultMethods( $arr )
'category_id' => array('type'=>WS_TYPE_ID),
'image_id' => array('type'=>WS_TYPE_ID),
),
- '<b>Admin & POST only.</b> Sets the representative photo for an album. The photo doesn\'t have to belong to the album.'
+ '<b>Admin & POST only.</b> Sets the representative photo for an album. The photo doesn\'t have to belong to the album.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
'pwg.tags.getAdminList',
'ws_tags_getAdminList',
null,
- '<b>Admin only.</b> '
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod( // TODO: create multiple tags
'pwg.tags.add',
'ws_tags_add',
array('name'),
- '<b>Admin only.</b> Adds a new tag.'
+ '<b>Admin only.</b> Adds a new tag.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -520,7 +558,9 @@ function ws_addDefaultMethods( $arr )
'filename_list' => array('default'=>null),
),
'<b>Admin only.</b> Checks existence of images.
-<br>Give <b>md5sum_list</b> if $conf[uniqueness_mode]==md5sum. Give <b>filename_list</b> if $conf[uniqueness_mode]==filename.'
+<br>Give <b>md5sum_list</b> if $conf[uniqueness_mode]==md5sum. Give <b>filename_list</b> if $conf[uniqueness_mode]==filename.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -533,14 +573,18 @@ function ws_addDefaultMethods( $arr )
'high_sum' => array('default'=>null),
),
'<b>Admin only.</b> Checks if you have updated version of your files for a given photo, the answer can be "missing", "equals" or "differs".
-<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.'
+<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
'pwg.images.checkUpload',
'ws_images_checkUpload',
null,
- '<b>Admin only.</b> Checks if Piwigo is ready for upload.'
+ '<b>Admin only.</b> Checks if Piwigo is ready for upload.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -566,7 +610,9 @@ function ws_addDefaultMethods( $arr )
'<b>Admin & POST only.</b> Changes properties of an image.
<br><b>single_value_mode</b> can be "fill_if_empty" (only use the input value if the corresponding values is currently empty) or "replace"
(overwrite any existing value) and applies to single values properties like name/author/date_creation/comment.
-<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.'
+<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
@@ -577,14 +623,18 @@ function ws_addDefaultMethods( $arr )
'name' => array('default'=>null),
'comment' => array('default'=>null),
),
- '<b>Admin & POST only.</b> Changes properties of an album.'
+ '<b>Admin & POST only.</b> Changes properties of an album.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
);
$service->addMethod(
'pwg.plugins.getList',
'ws_plugins_getList',
null,
- '<b>Admin only.</b> Gets the list of plugins with id, name, version, state and description.'
+ '<b>Admin only.</b> Gets the list of plugins with id, name, version, state and description.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -595,7 +645,9 @@ function ws_addDefaultMethods( $arr )
'plugin' => array(),
'pwg_token' => array(),
),
- '<b>Admin only.</b>'
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -606,7 +658,9 @@ function ws_addDefaultMethods( $arr )
'theme' => array(),
'pwg_token' => array(),
),
- '<b>Admin only.</b>'
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -618,7 +672,9 @@ function ws_addDefaultMethods( $arr )
'revision' => array(),
'pwg_token' => array(),
),
- '<b>Webmaster only.</b>'
+ '<b>Webmaster only.</b>',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
@@ -633,14 +689,18 @@ function ws_addDefaultMethods( $arr )
'info'=>'If true, all ignored extensions will be reinitilized.'),
'pwg_token' => array(),
),
- '<b>Webmaster only.</b> Ignores an extension if it needs update.'
+ '<b>Webmaster only.</b> Ignores an extension if it needs update.',
+ null,
+ array('admin_only'=>true)
);
$service->addMethod(
'pwg.extensions.checkUpdates',
'ws_extensions_checkupdates',
null,
- '<b>Admin only.</b> Checks if piwigo or extensions are up to date.'
+ '<b>Admin only.</b> Checks if piwigo or extensions are up to date.',
+ null,
+ array('admin_only'=>true)
);
}