-rw-r--r-- | include/ws_core.inc.php | 16 | ||||
-rw-r--r-- | include/ws_functions.inc.php | 188 | ||||
-rw-r--r-- | ws.php | 120 |
3 files changed, 104 insertions, 220 deletions
diff --git a/include/ws_core.inc.php b/include/ws_core.inc.php
index 3bb69a828..704e383ea 100644
--- a/include/ws_core.inc.php
+++ b/include/ws_core.inc.php
@@ -324,7 +324,9 @@ Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseF
 * @param description string - a description of the method.
 * @param include_file string - a file to be included befaore the callback is executed
 * @param options array
- * @option bool hidden (hidden) - if true, this method won't be visible by reflection.getMethodList
+ * @option bool hidden (optional) - if true, this method won't be visible by reflection.getMethodList
+ * @option bool admin_only (optional)
+ * @option bool post_only (optional)
 */
 function addMethod($methodName, $callback, $params=array(), $description='', $include_file='', $options=array())
 {
@@ -388,7 +390,7 @@ Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseF
 return isset($signature) ? $signature : array();
 }
- /*static*/ function isPost()
+ static function isPost()
 {
 return isset($HTTP_RAW_POST_DATA) or !empty($_POST);
 }
@@ -510,6 +512,16 @@ Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseF
 {
 return new PwgError(WS_ERR_INVALID_METHOD, 'Method name is not valid');
 }
+
+ if ( isset($method['options']['post_only']) and $method['options']['post_only'] and !self::isPost() )
+ {
+ return new PwgError(405, 'This method requires HTTP POST');
+ }
+
+ if ( isset($method['options']['admin_only']) and $method['options']['admin_only'] and !is_admin() )
+ {
+ return new PwgError(401, 'Access denied');
+ }
 // parameter check and data correction
 $signature = $method['signature'];
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index d2a920772..55bd60863 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
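Review bot: The two new `@option` lines in the addMethod docblock carry no description, unlike `hidden` on the line above them, so a reader of the reflection output cannot tell what the flags enforce or which error they produce. Suggest `* @option bool admin_only (optional) - if true, the call fails with a 401 PwgError unless is_admin()` and `* @option bool post_only (optional) - if true, the call fails with a 405 PwgError unless the request is a POST (see isPost)`, which is the behaviour implemented in the invoke hunk further down this file's diff.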
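Review bot: `$HTTP_RAW_POST_DATA` on the body line is a function-local variable inside isPost(), not the global of the same name, so `isset()` on it is always false and the method reduces to `!empty($_POST)`; making the method static, the only change in this hunk, does not alter that. Because the new `post_only` gate is built on this method, it admits only requests that carried a non-empty form-encoded body and answers 405 to a genuine POST whose body is empty or not form-encoded, while never consulting the actual HTTP method. If the intent is to reject non-POST requests, `return 'POST' === $_SERVER['REQUEST_METHOD'];` states that directly; if the raw-body case is meant to count, the global has to be pulled in explicitly with `global $HTTP_RAW_POST_DATA;` (and it is only populated when the corresponding ini setting is on, so `php://input` is the more reliable source). At minimum the reliance on `$_POST` deserves a comment on the method, since callers registering `post_only` will assume a method check.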
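Review bot: The centralised `admin_only` branch returns `PwgError(401, 'Access denied')`, which silently changes the status code for pwg.getInfos and pwg.getMissingDerivatives: their removed per-function checks (ws_functions hunks @@ -208 and @@ -319) returned 403 'Forbidden', so clients distinguishing the two codes see a behaviour change that the commit message does not mention. Since `is_admin()` is an authorization test on an already-identified user and no WWW-Authenticate header accompanies the 401, 403 is the semantically closer code for both branches; whichever is kept should be uniform and stated in the `@option` documentation. The two conditions can be written as `if ( !empty($method['options']['post_only']) and !self::isPost() )` and `if ( !empty($method['options']['admin_only']) and !is_admin() )`, which is the same test without the repeated subscript. Whether addMethod stores its `$options` argument under the `'options'` key is not visible in this diff and should be confirmed; the enclosing invoke function starts and ends outside the hunk.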
@@ -208,11 +208,6 @@ function ws_std_get_tag_xml_attributes()
 function ws_getMissingDerivatives($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(403, 'Forbidden');
- }
-
 if ( empty($params['types']) )
 {
 $types = array_keys(ImageStdParams::get_defined_type_map());
@@ -319,11 +314,6 @@ function ws_getVersion($params, $service)
 */
 function ws_getInfos($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(403, 'Forbidden');
- }
-
 $infos['version'] = PHPWG_VERSION;
 $query = 'SELECT COUNT(*) FROM '.IMAGES_TABLE.';';
@@ -383,10 +373,6 @@ function ws_getInfos($params, $service)
 function ws_caddie_add($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
 global $user;
 $query = '
 SELECT id
@@ -880,11 +866,6 @@ SELECT id, path, representative_ext
 */
 function ws_categories_getAdminList($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 $query = '
 SELECT
 category_id,
@@ -948,11 +929,6 @@ SELECT
 */
 function ws_images_addComment($params, $service)
 {
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
 $query = '
 SELECT DISTINCT image_id
 FROM '.IMAGE_CATEGORY_TABLE.' INNER JOIN '.CATEGORIES_TABLE.' ON category_id=id
@@ -1294,14 +1270,6 @@ SELECT * FROM '.IMAGES_TABLE.'
 function ws_images_setPrivacyLevel($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 global $conf;
 if ( !in_array($params['level'], $conf['available_permission_levels']) )
 {
@@ -1324,16 +1292,6 @@ UPDATE '.IMAGES_TABLE.'
 function ws_images_setRank($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
 // does the image really exist?
 $query='
 SELECT COUNT(*)
@@ -1418,16 +1376,6 @@ function ws_images_add_chunk($params, $service)
 // type {thumb, file, high}
 // position
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
 foreach ($params as $param_key => $param_value)
 {
 if ('data' == $param_key) { continue;
@@ -1576,10 +1524,6 @@ function ws_images_addFile($params, $service)
 // sum -> not used currently (Piwigo 2.4)
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
 //
 // what is the path and other infos about the photo?
@@ -1662,10 +1606,6 @@ SELECT
 function ws_images_add($params, $service)
 {
 global $conf, $user;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
 foreach ($params as $param_key => $param_value)
 {
 ws_logfile(
@@ -1816,15 +1756,6 @@ SELECT id, name, permalink
 function ws_images_addSimple($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 if (!isset($_FILES['image']))
 {
@@ -1938,18 +1869,6 @@ SELECT id, name, permalink
 function ws_rates_delete($params, $service)
 {
- global $conf;
-
- if (!$service->isPost())
- {
- return new PwgError(405, 'This method requires HTTP POST');
- }
-
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 $query = '
 DELETE FROM '.RATE_TABLE.'
 WHERE user_id='.$params['user_id'];
@@ -1974,12 +1893,6 @@ DELETE FROM '.RATE_TABLE.'
 */
 function ws_session_login($params, $service)
 {
- global $conf;
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 if (try_log_user($params['username'], $params['password'],false))
 {
 return true;
@@ -2056,11 +1969,6 @@ function ws_tags_getList($params, $service)
 */
 function ws_tags_getAdminList($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 $tags = get_all_tags();
 return array(
 'tags' => new PwgNamedArray(
@@ -2228,11 +2136,6 @@ function ws_categories_add($params, $service)
 function ws_tags_add($params, $service)
 {
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 $creation_output = create_tag($params['name']);
@@ -2251,11 +2154,6 @@ function ws_images_exist($params, $service)
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 $split_pattern = '/[\s,;\|]/';
 if ('md5sum' == $conf['uniqueness_mode'])
@@ -2328,11 +2226,6 @@ function ws_images_checkFiles($params, $service)
 {
 ws_logfile(__FUNCTION__.', input : '.var_export($params, true));
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 // input parameters
 //
 // image_id
@@ -2394,15 +2287,6 @@ SELECT
 function ws_images_setInfo($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
@@ -2534,15 +2418,6 @@ SELECT *
 function ws_images_delete($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 if (get_pwg_token() != $params['pwg_token'])
 {
@@ -2726,15 +2601,6 @@ SELECT
 function ws_categories_setInfo($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 // category_id
 // name
@@ -2774,16 +2640,6 @@ function ws_categories_setRepresentative($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
 // category_id
 // image_id
@@ -2831,15 +2687,6 @@ UPDATE '.USER_CACHE_CATEGORIES_TABLE.'
 function ws_categories_delete($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
 if (get_pwg_token() != $params['pwg_token'])
 {
@@ -2903,16 +2750,6 @@ function ws_categories_move($params, $service)
 {
 global $conf, $page;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
- if (!$service->isPost())
- {
- return new PwgError(405, "This method requires HTTP POST");
- }
-
 if (get_pwg_token() != $params['pwg_token'])
 {
 return new PwgError(403, 'Invalid security token');
@@ -3035,11 +2872,6 @@ function ws_images_checkUpload($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
 $ret['message'] = ready_for_upload_message();
 $ret['ready_for_upload'] = true;
@@ -3056,11 +2888,6 @@ function ws_plugins_getList($params, $service)
 {
 global $conf;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 include_once(PHPWG_ROOT_PATH.'admin/include/plugins.class.php');
 $plugins = new plugins();
 $plugins->sort_fs_plugins('name');
@@ -3094,11 +2921,6 @@ function ws_plugins_performAction($params, &$service)
 {
 global $template;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 if (get_pwg_token() != $params['pwg_token'])
 {
 return new PwgError(403, 'Invalid security token');
@@ -3128,11 +2950,6 @@ function ws_themes_performAction($params, $service)
 {
 global $template;
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 if (get_pwg_token() != $params['pwg_token'])
 {
 return new PwgError(403, 'Invalid security token');
@@ -3305,11 +3122,6 @@ function ws_extensions_checkupdates($params, $service)
 include_once(PHPWG_ROOT_PATH.'admin/include/updates.class.php');
 $update = new updates();
- if (!is_admin())
- {
- return new PwgError(401, 'Access denied');
- }
-
 $result = array();
 if (!isset($_SESSION['need_update']))
@@ -135,7 +135,9 @@ function ws_addDefaultMethods( $arr )
 'pwg.getInfos',
 'ws_getInfos',
 null,
- '<b>Admin only.</b> Returns general informations.'
+ '<b>Admin only.</b> Returns general informations.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -145,7 +147,9 @@ function ws_addDefaultMethods( $arr )
 'image_id'=> array('flags'=>WS_PARAM_FORCE_ARRAY, 'type'=>WS_TYPE_ID),
 ),
- '<b>Admin only.</b> Adds elements to the caddie. Returns the number of elements added.'
+ '<b>Admin only.</b> Adds elements to the caddie. Returns the number of elements added.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -204,7 +208,9 @@ function ws_addDefaultMethods( $arr )
 'prev_page' => array('default'=>null, 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
 ),
 $f_params),
- '<b>Admin only.</b> Returns a list of derivatives to build.'
+ '<b>Admin only.</b> Returns a list of derivatives to build.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -216,7 +222,9 @@ function ws_addDefaultMethods( $arr )
 'content' => array(),
 'key' => array(),
 ),
- '<b>POST only.</b> Adds a comment to an image.'
+ '<b>POST only.</b> Adds a comment to an image.',
+ null,
+ array('post_only'=>true)
 );
 $service->addMethod(
@@ -268,7 +276,9 @@ function ws_addDefaultMethods( $arr )
 'level' => array('maxValue'=>max($conf['available_permission_levels']), 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
 ),
- '<b>Admin & POST only.</b> Sets the privacy levels for the images.'
+ '<b>Admin & POST only.</b> Sets the privacy levels for the images.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -279,7 +289,9 @@ function ws_addDefaultMethods( $arr )
 'category_id' => array('type'=>WS_TYPE_ID),
 'rank' => array('type'=>WS_TYPE_INT|WS_TYPE_POSITIVE|WS_TYPE_NOTNULL)
 ),
- '<b>Admin & POST only.</b> Sets the rank of a photo for a given album.'
+ '<b>Admin & POST only.</b> Sets the rank of a photo for a given album.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -289,7 +301,9 @@ function ws_addDefaultMethods( $arr )
 'user_id' => array('type'=>WS_TYPE_ID),
 'anonymous_id' => array('default'=>null),
 ),
- '<b>Admin & POST only.</b> Deletes all rates for a user.'
+ '<b>Admin & POST only.</b> Deletes all rates for a user.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -303,7 +317,9 @@ function ws_addDefaultMethods( $arr )
 'pwg.session.login',
 'ws_session_login',
 array('username', 'password'),
- '<b>POST only.</b> Tries to login the user.'
+ '<b>POST only.</b> Tries to login the user.',
+ null,
+ array('post_only'=>true)
 );
 $service->addMethod(
@@ -357,7 +373,9 @@ function ws_addDefaultMethods( $arr )
 'info'=>'Must be "file", for backward compatiblity "high" and "thumb" are allowed.'),
 'position' => array()
 ),
- '<b>Admin & POST only.</b> Add a chunk of a file.'
+ '<b>Admin & POST only.</b> Add a chunk of a file.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -370,7 +388,9 @@ function ws_addDefaultMethods( $arr )
 'sum' => array(),
 ),
 '<b>Admin only.</b> Add or update a file for an existing photo.
-<br>pwg.images.addChunk must have been called before (maybe several times).'
+<br>pwg.images.addChunk must have been called before (maybe several times).',
+ null,
+ array('admin_only'=>true)
 );
@@ -401,7 +421,9 @@ function ws_addDefaultMethods( $arr )
 ),
 '<b>Admin only.</b> Add an image.
 <br>pwg.images.addChunk must have been called before (maybe several times).
-<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.'
+<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -425,7 +447,9 @@ function ws_addDefaultMethods( $arr )
 '<b>Admin & POST only.</b> Add an image.
 <br>Use the <b>$_FILES[image]</b> field for uploading file.
 <br>Set the form encoding to "form-data".
-<br>You can update an existing photo if you define an existing image_id.'
+<br>You can update an existing photo if you define an existing image_id.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -435,14 +459,18 @@ function ws_addDefaultMethods( $arr )
 'image_id' => array('flags'=>WS_PARAM_ACCEPT_ARRAY),
 'pwg_token' => array(),
 ),
- '<b>Admin & POST only.</b> Deletes image(s).'
+ '<b>Admin & POST only.</b> Deletes image(s).',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
 'pwg.categories.getAdminList',
 'ws_categories_getAdminList',
 null,
- '<b>Admin only.</b>'
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -473,7 +501,9 @@ function ws_addDefaultMethods( $arr )
 ),
 '<b>Admin & POST only.</b> Deletes album(s).
 <br><b>photo_deletion_mode</b> can be "no_delete" (may create orphan photos), "delete_orphans"
-(default mode, only deletes photos linked to no other album) or "force_delete" (delete all photos, even those linked to other albums)'
+(default mode, only deletes photos linked to no other album) or "force_delete" (delete all photos, even those linked to other albums)',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -485,7 +515,9 @@ function ws_addDefaultMethods( $arr )
 'pwg_token' => array(),
 ),
 '<b>Admin & POST only.</b> Move album(s).
-<br>Set parent as 0 to move to gallery root. Only virtual categories can be moved.'
+<br>Set parent as 0 to move to gallery root. Only virtual categories can be moved.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -495,21 +527,27 @@ function ws_addDefaultMethods( $arr )
 'category_id' => array('type'=>WS_TYPE_ID),
 'image_id' => array('type'=>WS_TYPE_ID),
 ),
- '<b>Admin & POST only.</b> Sets the representative photo for an album. The photo doesn\'t have to belong to the album.'
+ '<b>Admin & POST only.</b> Sets the representative photo for an album. The photo doesn\'t have to belong to the album.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
 'pwg.tags.getAdminList',
 'ws_tags_getAdminList',
 null,
- '<b>Admin only.</b> '
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod( // TODO: create multiple tags
 'pwg.tags.add',
 'ws_tags_add',
 array('name'),
- '<b>Admin only.</b> Adds a new tag.'
+ '<b>Admin only.</b> Adds a new tag.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -520,7 +558,9 @@ function ws_addDefaultMethods( $arr )
 'filename_list' => array('default'=>null),
 ),
 '<b>Admin only.</b> Checks existence of images.
-<br>Give <b>md5sum_list</b> if $conf[uniqueness_mode]==md5sum. Give <b>filename_list</b> if $conf[uniqueness_mode]==filename.'
+<br>Give <b>md5sum_list</b> if $conf[uniqueness_mode]==md5sum. Give <b>filename_list</b> if $conf[uniqueness_mode]==filename.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -533,14 +573,18 @@ function ws_addDefaultMethods( $arr )
 'high_sum' => array('default'=>null),
 ),
 '<b>Admin only.</b> Checks if you have updated version of your files for a given photo, the answer can be "missing", "equals" or "differs".
-<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.'
+<br>Don\'t use "thumbnail_sum" and "high_sum", these parameters are here for backward compatibility.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
 'pwg.images.checkUpload',
 'ws_images_checkUpload',
 null,
- '<b>Admin only.</b> Checks if Piwigo is ready for upload.'
+ '<b>Admin only.</b> Checks if Piwigo is ready for upload.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -566,7 +610,9 @@ function ws_addDefaultMethods( $arr )
 '<b>Admin & POST only.</b> Changes properties of an image.
 <br><b>single_value_mode</b> can be "fill_if_empty" (only use the input value if the corresponding values is currently empty) or "replace" (overwrite any existing value) and applies to single values properties like name/author/date_creation/comment.
-<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.'
+<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
@@ -577,14 +623,18 @@ function ws_addDefaultMethods( $arr )
 'name' => array('default'=>null),
 'comment' => array('default'=>null),
 ),
- '<b>Admin & POST only.</b> Changes properties of an album.'
+ '<b>Admin & POST only.</b> Changes properties of an album.',
+ null,
+ array('admin_only'=>true, 'post_only'=>true)
 );
 $service->addMethod(
 'pwg.plugins.getList',
 'ws_plugins_getList',
 null,
- '<b>Admin only.</b> Gets the list of plugins with id, name, version, state and description.'
+ '<b>Admin only.</b> Gets the list of plugins with id, name, version, state and description.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -595,7 +645,9 @@ function ws_addDefaultMethods( $arr )
 'plugin' => array(),
 'pwg_token' => array(),
 ),
- '<b>Admin only.</b>'
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -606,7 +658,9 @@ function ws_addDefaultMethods( $arr )
 'theme' => array(),
 'pwg_token' => array(),
 ),
- '<b>Admin only.</b>'
+ '<b>Admin only.</b>',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -618,7 +672,9 @@ function ws_addDefaultMethods( $arr )
 'revision' => array(),
 'pwg_token' => array(),
 ),
- '<b>Webmaster only.</b>'
+ '<b>Webmaster only.</b>',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
@@ -633,14 +689,18 @@ function ws_addDefaultMethods( $arr )
 'info'=>'If true, all ignored extensions will be reinitilized.'),
 'pwg_token' => array(),
 ),
- '<b>Webmaster only.</b> Ignores an extension if it needs update.'
+ '<b>Webmaster only.</b> Ignores an extension if it needs update.',
+ null,
+ array('admin_only'=>true)
 );
 $service->addMethod(
 'pwg.extensions.checkUpdates',
 'ws_extensions_checkupdates',
 null,
- '<b>Admin only.</b> Checks if piwigo or extensions are up to date.'
+ '<b>Admin only.</b> Checks if piwigo or extensions are up to date.',
+ null,
+ array('admin_only'=>true)
 );
 } |
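Review bot: The two registrations described as `<b>Webmaster only.</b>` (the @@ -618 hunk and the first registration of this hunk) are gated with `array('admin_only'=>true)`, which the ws_core hunk implements with `is_admin()`; nothing in this diff shows a webmaster-level check, so the description promises a stricter gate than the option enforces. The corresponding callbacks are not touched by this diff, so presumably they still carry their own webmaster test — that should be confirmed, since a reader of the registrations now has no way to tell which gate is the effective one. If the stricter level is meant to be enforced centrally, a `webmaster_only` option next to `admin_only` in ws_core would keep the description and the check in one place; otherwise a one-line comment on each of these two registrations, `// webmaster restriction is enforced inside the callback`, would record it. These ws_addDefaultMethods hunks appear on the page without a `diff --git` header; from the diffstat they presumably belong to ws.php.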