From 8b66788392652515532a89e0dd7e3af594272cb4 Mon Sep 17 00:00:00 2001
From: rvelices <rv-github@modusoptimus.com>
Date: Fri, 18 Dec 2009 21:08:21 +0000
Subject: web method images.setPrivacyLevel (ws_images_setPrivacyLevel) is POST
 only

git-svn-id: http://piwigo.org/svn/branches/2.0@4512 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/ws_functions.inc.php | 51 ++++++++++++++++++++------------------
 template-common/scripts.js   | 58 ++++++++++++++++++++++++++------------------
 template/yoga/picture.tpl    |  1 +
 ws.php                       |  8 +++---
 4 files changed, 68 insertions(+), 50 deletions(-)

diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 26a205014..6e13af641 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -855,6 +855,10 @@ function ws_images_setPrivacyLevel($params, &$service)
   {
     return new PwgError(401, 'Access denied');
   }
+  if (!$service->isPost())
+  {
+    return new PwgError(405, "This method requires HTTP POST");
+  }
   $params['image_id'] = array_map( 'intval',$params['image_id'] );
   if ( empty($params['image_id']) )
   {
@@ -865,6 +869,7 @@ function ws_images_setPrivacyLevel($params, &$service)
   {
     return new PwgError(WS_ERR_INVALID_PARAM, "Invalid level");
   }
+
   $query = '
 UPDATE '.IMAGES_TABLE.'
   SET level='.(int)$params['level'].'
@@ -885,7 +890,7 @@ function ws_images_add_chunk($params, &$service)
   // original_sum
   // type {thumb, file, high}
   // position
-  
+
   if (!is_admin() || is_adviser() )
   {
     return new PwgError(401, 'Access denied');
@@ -950,18 +955,18 @@ function merge_chunks($output_filepath, $original_sum, $type)
   if (is_file($output_filepath))
   {
     unlink($output_filepath);
-    
+
     if (is_file($output_filepath))
     {
       new PwgError(500, '[merge_chunks] error while trying to remove existing '.$output_filepath);
       exit();
     }
   }
-  
+
   $upload_dir = PHPWG_ROOT_PATH.'upload/buffer';
   $pattern = '/'.$original_sum.'-'.$type.'/';
   $chunks = array();
-  
+
   if ($handle = opendir($upload_dir))
   {
     while (false !== ($file = readdir($handle)))
@@ -982,21 +987,21 @@ function merge_chunks($output_filepath, $original_sum, $type)
   }
 
   $i = 0;
-  
+
   foreach ($chunks as $chunk)
   {
     $string = file_get_contents($chunk);
-    
+
     if (function_exists('memory_get_usage')) {
       ws_logfile('[merge_chunks] memory_get_usage on chunk '.++$i.': '.memory_get_usage());
     }
-    
+
     if (!file_put_contents($output_filepath, $string, FILE_APPEND))
     {
       new PwgError(500, '[merge_chunks] error while writting chunks for '.$output_filepath);
       exit();
     }
-    
+
     unlink($chunk);
   }
 
@@ -1014,7 +1019,7 @@ function add_file($file_path, $type, $original_sum, $file_sum)
   $file_path = file_path_for_type($file_path, $type);
 
   $upload_dir = dirname($file_path);
-  
+
   if (!is_dir($upload_dir)) {
     umask(0000);
     $recursive = true;
@@ -1101,7 +1106,7 @@ SELECT
   // update basic metadata from file
   //
   $update = array();
-  
+
   if ('high' == $params['type'])
   {
     $update['high_filesize'] = $infos['filesize'];
@@ -1120,7 +1125,7 @@ SELECT
   if (count($update) > 0)
   {
     $update['id'] = $params['image_id'];
-    
+
     include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
     mass_updates(
       IMAGES_TABLE,
@@ -1839,7 +1844,7 @@ function ws_add_image_category_relations($image_id, $categories_string, $replace
       );
     exit();
   }
-  
+
   $query = '
 SELECT
     id
@@ -1857,9 +1862,9 @@ SELECT
       );
     exit();
   }
-  
+
   $to_update_cat_ids = array();
-    
+
   // in case of replace mode, we first check the existing associations
   $query = '
 SELECT
@@ -1884,13 +1889,13 @@ DELETE
       update_category($to_remove_cat_ids);
     }
   }
-  
+
   $new_cat_ids = array_diff($cat_ids, $existing_cat_ids);
   if (count($new_cat_ids) == 0)
   {
     return true;
   }
-    
+
   if ($search_current_ranks)
   {
     $query = '
@@ -1914,16 +1919,16 @@ SELECT
       {
         $current_rank_of[$cat_id] = 0;
       }
-      
+
       if ('auto' == $rank_on_category[$cat_id])
       {
         $rank_on_category[$cat_id] = $current_rank_of[$cat_id] + 1;
       }
     }
   }
-  
+
   $inserts = array();
-  
+
   foreach ($new_cat_ids as $cat_id)
   {
     array_push(
@@ -1935,14 +1940,14 @@ SELECT
         )
       );
   }
-  
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
   mass_inserts(
     IMAGE_CATEGORY_TABLE,
     array_keys($inserts[0]),
     $inserts
     );
-  
+
   update_category($new_cat_ids);
 }
 
@@ -2001,7 +2006,7 @@ function ws_categories_setInfo($params, &$service)
       array($update)
       );
   }
-  
+
 }
 
 function ws_logfile($string)
@@ -2011,7 +2016,7 @@ function ws_logfile($string)
   if (!$conf['ws_enable_log']) {
     return true;
   }
-  
+
   file_put_contents(
     $conf['ws_log_filepath'],
     '['.date('c').'] '.$string."\n",
diff --git a/template-common/scripts.js b/template-common/scripts.js
index f6b22b41c..389ed1b21 100644
--- a/template-common/scripts.js
+++ b/template-common/scripts.js
@@ -71,6 +71,23 @@ function popuphelp(url)
 }
 
 
+function blockToggleDisplay(headerId, contentId)
+{
+	var revHeader = document.getElementById(headerId);
+	var revContent = document.getElementById(contentId);
+
+	if (revContent.style.display == 'none')
+	{
+		revContent.style.display = 'block';
+		revHeader.className = 'instructionBlockHeaderExpanded';
+	}
+	else
+	{
+		revContent.style.display = 'none';
+		revHeader.className = 'instructionBlockHeaderCollapsed';
+	}
+}
+
 
 Function.prototype.pwgBind = function() {
 	var __method = this, object = arguments[0], args = new Array();
@@ -90,23 +107,6 @@ function PwgWS(urlRoot)
 	};
 };
 
-function blockToggleDisplay(headerId, contentId)
-{
-  var revHeader = document.getElementById(headerId);
-  var revContent = document.getElementById(contentId);
-
-  if (revContent.style.display == 'none')
-  {
-    revContent.style.display = 'block';
-    revHeader.className = 'instructionBlockHeaderExpanded';
-  }
-  else
-  {
-    revContent.style.display = 'none';
-    revHeader.className = 'instructionBlockHeaderCollapsed';
-  }
-}
-
 
 PwgWS.prototype = {
 
@@ -129,8 +129,9 @@ PwgWS.prototype = {
 		}
 		this.transport.onreadystatechange = this.onStateChange.pwgBind(this);
 
-		var url = this.urlRoot;
-		url += "ws.php?format=json&method="+method;
+		var url = this.urlRoot+"ws.php?format=json";
+
+		var body = "method="+method;
 		if (parameters)
 		{
 			for (var property in parameters)
@@ -138,14 +139,25 @@ PwgWS.prototype = {
 				if ( typeof parameters[property] == 'object' && parameters[property])
 				{
 					for (var i=0; i<parameters[property].length; i++)
-						url += "&"+property+"[]="+encodeURIComponent(parameters[property][i]);
+						body += "&"+property+"[]="+encodeURIComponent(parameters[property][i]);
 				}
 				else
-					url += "&"+property+"="+encodeURIComponent(parameters[property]);
+					body += "&"+property+"="+encodeURIComponent(parameters[property]);
 			}
 		}
-		this.transport.open(this.options.method, url, this.options.async);
-		this.transport.send(null);
+
+		if (this.options.method == "POST" )
+		{
+			this.transport.open(this.options.method, url, this.options.async);
+			this.transport.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+			this.transport.send(body);
+		}
+		else
+		{
+			url += "&"+body;
+			this.transport.open(this.options.method, url, this.options.async);
+			this.transport.send(null);
+		}
 	},
 
 	onStateChange: function() {
diff --git a/template/yoga/picture.tpl b/template/yoga/picture.tpl
index 26450a21c..5b720c85e 100644
--- a/template/yoga/picture.tpl
+++ b/template/yoga/picture.tpl
@@ -215,6 +215,7 @@ var y = new PwgWS(rootUrl);
 y.callService(
 	"pwg.images.setPrivacyLevel", {image_id: id, level:level} ,
 	{
+		method: "POST",
 		onFailure: function(num, text) { selectElement.disabled = false; alert(num + " " + text); },
 		onSuccess: function(result) { selectElement.disabled = false; }
 	}
diff --git a/ws.php b/ws.php
index f4d1ce029..fded120db 100644
--- a/ws.php
+++ b/ws.php
@@ -136,7 +136,7 @@ function ws_addDefaultMethods( $arr )
       'image_id' => array('flags'=>WS_PARAM_FORCE_ARRAY),
       'level' => array('maxValue'=>$conf['available_permission_levels']),
       ),
-    'sets the privacy levels for the images'
+    'sets the privacy levels for the images (POST method only)'
     );
 
   $service->addMethod('pwg.session.getStatus', 'ws_session_getStatus', null, '' );
@@ -278,7 +278,7 @@ function ws_addDefaultMethods( $arr )
     'ws_images_setInfo',
     array(
       'image_id' => array(),
-      
+
       'name' => array('default' => null),
       'author' => array('default' => null),
       'date_creation' => array('default' => null),
@@ -297,13 +297,13 @@ function ws_addDefaultMethods( $arr )
 <br/><b>single_value_mode</b> can be "fill_if_empty" (only use the input value if the corresponding values is currently empty) or "replace" (overwrite any existing value) and applies to single values properties like name/author/date_creation/comment
 <br/><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories'
     );
-  
+
   $service->addMethod(
     'pwg.categories.setInfo',
     'ws_categories_setInfo',
     array(
       'category_id' => array(),
-      
+
       'name' => array('default' => null),
       'comment' => array('default' => null),
       ),
-- 
cgit v1.2.3