path: root/engine/lib/web_services.php
Diffstat (limited to 'engine/lib/web_services.php')
-rw-r--r--engine/lib/web_services.php140
1 files changed, 75 insertions, 65 deletions
diff --git a/engine/lib/web_services.php b/engine/lib/web_services.php
index e529711e1..51cad6f39 100644
--- a/engine/lib/web_services.php
+++ b/engine/lib/web_services.php
@@ -29,6 +29,7 @@
* )
* )
*/
+global $API_METHODS;
$API_METHODS = array();
/**
@@ -153,6 +154,7 @@ function unexpose_function($method) {
* @return true or throws an exception
* @throws APIException
* @since 1.7.0
+ * @access private
*/
function authenticate_method($method) {
global $API_METHODS;
@@ -162,12 +164,6 @@ function authenticate_method($method) {
throw new APIException(elgg_echo('APIException:MethodCallNotImplemented', array($method)));
}
- // make sure that POST variables are available if needed
- // @todo this may not be needed anymore due to adding %{QUERY_STRING} in .htaccess in 1.7.2
- if (get_call_method() === 'POST' && empty($_POST)) {
- include_post_data();
- }
-
// check API authentication if required
if ($API_METHODS[$method]["require_api_auth"] == true) {
$api_pam = new ElggPAM('api');
@@ -177,12 +173,12 @@ function authenticate_method($method) {
}
$user_pam = new ElggPAM('user');
- $user_auth_result = $user_pam->authenticate();
+ $user_auth_result = $user_pam->authenticate(array());
// check if user authentication is required
if ($API_METHODS[$method]["require_user_auth"] == true) {
if ($user_auth_result == false) {
- throw new APIException($user_pam->getFailureMessage());
+ throw new APIException($user_pam->getFailureMessage(), ErrorResult::$RESULT_FAIL_AUTHTOKEN);
}
}
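Review bot: The new `throw new APIException($user_pam->getFailureMessage(), ErrorResult::$RESULT_FAIL_AUTHTOKEN);` is still guarded by the loose `if ($user_auth_result == false)`, so any falsy return from `authenticate(array())` (null, 0, '') counts as failure while any truthy non-`true` value passes the gate. For an authentication check the comparison should fail closed and be strict: `if ($user_auth_result !== true) {`. The `require_user_auth == true` test two lines above would benefit from the same strictness. authenticate_method continues outside the hunk.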
@@ -197,6 +193,7 @@ function authenticate_method($method) {
*
* @return GenericResult The result of the execution.
* @throws APIException, CallException
+ * @access private
*/
function execute_method($method) {
global $API_METHODS, $CONFIG;
@@ -235,6 +232,7 @@ function execute_method($method) {
$function = $API_METHODS[$method]["function"];
$serialised_parameters = trim($serialised_parameters, ", ");
+ // @todo document why we cannot use call_user_func_array here
$result = eval("return $function($serialised_parameters);");
// Sanity check result
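Review bot: The added `// @todo document why we cannot use call_user_func_array here` leaves unexplained the one line in this file that matters most for safety: `eval("return $function($serialised_parameters);")` turns request parameters into PHP source, so the escaping done in serialise_parameters() is the only thing separating a malformed parameter from executed code. The comment should state that invariant so any later change to serialise_parameters() is reviewed with it in mind, e.g. `// SECURITY: $serialised_parameters is PHP source built from request input by serialise_parameters(); every type branch there must emit a quoted/escaped literal.` If call_user_func_array is genuinely unusable here, the reason belongs in the comment rather than a @todo. execute_method continues outside the hunk.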
@@ -262,6 +260,7 @@ function execute_method($method) {
* Get the request method.
*
* @return string HTTP request method
+ * @access private
*/
function get_call_method() {
return $_SERVER['REQUEST_METHOD'];
@@ -276,6 +275,7 @@ function get_call_method() {
* @param string $method The method
*
* @return array containing parameters as key => value
+ * @access private
*/
function get_parameters_for_method($method) {
global $API_METHODS;
@@ -286,7 +286,7 @@ function get_parameters_for_method($method) {
if (isset($API_METHODS[$method]['parameters'])) {
foreach ($API_METHODS[$method]['parameters'] as $k => $v) {
$param = get_input($k); // Make things go through the sanitiser
- if ($param !== '') {
+ if ($param !== '' && $param !== null) {
$sanitised[$k] = $param;
} else {
// parameter wasn't passed so check for default
@@ -305,6 +305,7 @@ function get_parameters_for_method($method) {
* Since this is called through a handler, we need to manually get the post data
*
* @return POST data as string encoded as multipart/form-data
+ * @access private
*/
function get_post_data() {
@@ -314,37 +315,6 @@ function get_post_data() {
}
/**
- * This fixes the post parameters that are munged due to page handler
- *
- * @since 1.7.0
- *
- * @return void
- */
-function include_post_data() {
-
- $postdata = get_post_data();
-
- if (isset($postdata)) {
- $query_arr = elgg_parse_str($postdata);
-
- // grrrr... magic quotes is turned on so we need to strip slashes
- if (ini_get_bool('magic_quotes_gpc')) {
- if (function_exists('stripslashes_deep')) {
- // defined in input.php to handle magic quotes
- $query_arr = stripslashes_deep($query_arr);
- }
- }
-
- if (is_array($query_arr)) {
- foreach ($query_arr as $name => $val) {
- set_input($name, $val);
- }
- }
-
- }
-}
-
-/**
* Verify that the required parameters are present
*
* @param string $method Method name
@@ -353,6 +323,7 @@ function include_post_data() {
* @return true on success or exception
* @throws APIException
* @since 1.7.0
+ * @access private
*/
function verify_parameters($method, $parameters) {
global $API_METHODS;
@@ -390,6 +361,7 @@ function verify_parameters($method, $parameters) {
* @return string or exception
* @throws APIException
* @since 1.7.0
+ * @access private
*/
function serialise_parameters($method, $parameters) {
global $API_METHODS;
@@ -474,6 +446,7 @@ function serialise_parameters($method, $parameters) {
* @return mixed
* @throws APIException
* @since 1.7.0
+ * @access private
*/
function api_auth_key() {
global $CONFIG;
@@ -504,6 +477,7 @@ function api_auth_key() {
*
* @throws SecurityException
* @since 1.7.0
+ * @access private
*/
function api_auth_hmac() {
global $CONFIG;
@@ -568,6 +542,7 @@ function api_auth_hmac() {
*
* @return stdClass Containing all the values.
* @throws APIException Detailing any error.
+ * @access private
*/
function get_and_validate_api_headers() {
$result = new stdClass;
@@ -640,6 +615,7 @@ function get_and_validate_api_headers() {
*
* @return string The php algorithm
* @throws APIException if an algorithm is not supported.
+ * @access private
*/
function map_api_hash($algo) {
$algo = strtolower(sanitise_string($algo));
@@ -672,6 +648,7 @@ function map_api_hash($algo) {
* @param string $post_hash Optional sha1 hash of the post data.
*
* @return string The HMAC signature
+ * @access private
*/
function calculate_hmac($algo, $time, $nonce, $api_key, $secret_key,
$get_variables, $post_hash = "") {
@@ -702,6 +679,7 @@ $get_variables, $post_hash = "") {
* @param string $algo The algorithm used.
*
* @return string The hash.
+ * @access private
*/
function calculate_posthash($postdata, $algo) {
$ctx = hash_init(map_api_hash($algo));
@@ -718,6 +696,7 @@ function calculate_posthash($postdata, $algo) {
* @param string $hmac The hmac string.
*
* @return bool True if replay detected, false if not.
+ * @access private
*/
function cache_hmac_check_replay($hmac) {
// cache lifetime is 25 hours (this should be related to the time drift
@@ -815,6 +794,7 @@ function remove_api_user($site_guid, $api_key) {
* session code of Elgg, that user will be logged out of all other sessions.
*
* @return bool
+ * @access private
*/
function pam_auth_usertoken() {
global $CONFIG;
@@ -859,9 +839,10 @@ function pam_auth_usertoken() {
* See if the user has a valid login sesson
*
* @return bool
+ * @access private
*/
function pam_auth_session() {
- return isloggedin();
+ return elgg_is_logged_in();
}
// user token functions
@@ -1004,6 +985,7 @@ function remove_expired_user_tokens() {
* @param array $headers The array of headers "key" => "value"
*
* @return string
+ * @access private
*/
function serialise_api_headers(array $headers) {
$headers_str = "";
@@ -1159,6 +1141,7 @@ function get_standard_api_key_array($secret_key, $api_key) {
* Simple api to return a list of all api's installed on the system.
*
* @return array
+ * @access private
*/
function list_all_apis() {
global $API_METHODS;
@@ -1180,9 +1163,21 @@ function list_all_apis() {
*
* @return string Token string or exception
* @throws SecurityException
+ * @access private
*/
function auth_gettoken($username, $password) {
- if (authenticate($username, $password)) {
+ // check if username is an email address
+ if (is_email_address($username)) {
+ $users = get_user_by_email($username);
+
+ // check if we have a unique user
+ if (is_array($users) && (count($users) == 1)) {
+ $username = $users[0]->username;
+ }
+ }
+
+ // validate username and password
+ if (true === elgg_authenticate($username, $password)) {
$token = create_user_token($username);
if ($token) {
return $token;
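Review bot: The email branch rewrites `$username` only when exactly one account matches; when `get_user_by_email` returns several users (or nothing), `$username` stays the raw email and is handed to `elgg_authenticate` as a username, which presumably fails. That looks intended, but the missing else reads like an oversight, so a comment would help: `// ambiguous or unknown email: leave $username as given and let authentication fail`. The `count($users) == 1` test could also be `=== 1`, matching the strict `true === elgg_authenticate(...)` comparison added just below. auth_gettoken continues past the hunk.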
@@ -1210,6 +1205,9 @@ $ERRORS = array();
* @param array $vars Vars
*
* @return void
+ * @access private
+ *
+ * @throws Exception
*/
function _php_api_error_handler($errno, $errmsg, $filename, $linenum, $vars) {
global $ERRORS;
@@ -1247,6 +1245,7 @@ function _php_api_error_handler($errno, $errmsg, $filename, $linenum, $vars) {
* @param Exception $exception Exception
*
* @return void
+ * @access private
*/
function _php_api_exception_handler($exception) {
@@ -1269,6 +1268,7 @@ function _php_api_exception_handler($exception) {
* @param array $request Request string
*
* @return void
+ * @access private
*/
function service_handler($handler, $request) {
global $CONFIG;
@@ -1278,25 +1278,23 @@ function service_handler($handler, $request) {
$request = explode('/', $request);
// after the handler, the first identifier is response format
- // ex) http://example.org/services/api/rest/xml/?method=test
- $reponse_format = array_shift($request);
+ // ex) http://example.org/services/api/rest/json/?method=test
+ $response_format = array_shift($request);
// Which view - xml, json, ...
- if ($reponse_format) {
- elgg_set_viewtype($reponse_format);
+ if ($response_format && elgg_is_valid_view_type($response_format)) {
+ elgg_set_viewtype($response_format);
} else {
- // default to xml
- elgg_set_viewtype("xml");
+ // default to json
+ elgg_set_viewtype("json");
}
if (!isset($CONFIG->servicehandler) || empty($handler)) {
// no handlers set or bad url
header("HTTP/1.0 404 Not Found");
exit;
- } else if (isset($CONFIG->servicehandler[$handler])
- && is_callable($CONFIG->servicehandler[$handler])) {
-
+ } else if (isset($CONFIG->servicehandler[$handler]) && is_callable($CONFIG->servicehandler[$handler])) {
$function = $CONFIG->servicehandler[$handler];
- $function($request, $handler);
+ call_user_func($function, $request, $handler);
} else {
// no handler for this web service
header("HTTP/1.0 404 Not Found");
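Review bot: The new `elgg_is_valid_view_type($response_format)` guard is the right check on a value taken straight from the URL path, but its else branch silently serves json to a client that asked for an unrecognised format, so a typo in the format segment yields a successful-looking response in the wrong encoding rather than an error. Consider separating an absent format (default to json) from an invalid one (404, like the other bad-url cases below), or at least record the fallback in the comment: `// default to json (also used when the requested format is not a registered view type)`. service_handler continues outside the hunk.

```php
    $response_format = array_shift($request);

    if (!$response_format) {
        // no format segment in the URL: default to json
        elgg_set_viewtype("json");
    } elseif (elgg_is_valid_view_type($response_format)) {
        elgg_set_viewtype($response_format);
    } else {
        // unknown format requested: treat like any other bad url
        header("HTTP/1.0 404 Not Found");
        exit;
    }

    // … unchanged: handler lookup and dispatch …
```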
@@ -1315,10 +1313,11 @@ function service_handler($handler, $request) {
*/
function register_service_handler($handler, $function) {
global $CONFIG;
+
if (!isset($CONFIG->servicehandler)) {
$CONFIG->servicehandler = array();
}
- if (is_callable($function)) {
+ if (is_callable($function, true)) {
$CONFIG->servicehandler[$handler] = $function;
return true;
}
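Review bot: `is_callable($function, true)` only performs a syntax check, so a string naming a function that does not exist (or a misspelled handler) is now accepted and stored, and the failure surfaces later in service_handler as a 404 at request time instead of a `false` return at registration. If the intent is to allow registering handlers that are defined after this call (a plugin loaded later, say), the comment should say so: `// syntax_only: the handler may be defined after registration; service_handler() re-checks is_callable() before dispatching`. Otherwise the previous `is_callable($function)` was the stricter and more useful check.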
@@ -1333,11 +1332,13 @@ function register_service_handler($handler, $function) {
*
* @param string $handler web services type
*
- * @return 1.7.0
+ * @return void
+ * @since 1.7.0
*/
function unregister_service_handler($handler) {
global $CONFIG;
- if (isset($CONFIG->servicehandler) && isset($CONFIG->servicehandler[$handler])) {
+
+ if (isset($CONFIG->servicehandler, $CONFIG->servicehandler[$handler])) {
unset($CONFIG->servicehandler[$handler]);
}
}
@@ -1346,6 +1347,9 @@ function unregister_service_handler($handler) {
* REST API handler
*
* @return void
+ * @access private
+ *
+ * @throws SecurityException|APIException
*/
function rest_handler() {
global $CONFIG;
@@ -1400,15 +1404,17 @@ function rest_handler() {
/**
* Unit tests for API
*
- * @param sting $hook unit_test
+ * @param string $hook unit_test
* @param string $type system
* @param mixed $value Array of tests
* @param mixed $params Params
*
* @return array
+ * @access private
*/
function api_unit_test($hook, $type, $value, $params) {
global $CONFIG;
+
$value[] = $CONFIG->path . 'engine/tests/services/api.php';
return $value;
}
@@ -1417,6 +1423,7 @@ function api_unit_test($hook, $type, $value, $params) {
* Initialise the API subsystem.
*
* @return void
+ * @access private
*/
function api_init() {
// Register a page handler, so we can have nice URLs
@@ -1429,15 +1436,18 @@ function api_init() {
elgg_echo("system.api.list"), "GET", false, false);
// The authentication token api
- expose_function("auth.gettoken",
- "auth_gettoken", array(
- 'username' => array ('type' => 'string'),
- 'password' => array ('type' => 'string'),
- ),
- elgg_echo('auth.gettoken'),
- 'POST',
- false,
- false);
+ expose_function(
+ "auth.gettoken",
+ "auth_gettoken",
+ array(
+ 'username' => array ('type' => 'string'),
+ 'password' => array ('type' => 'string'),
+ ),
+ elgg_echo('auth.gettoken'),
+ 'POST',
+ false,
+ false
+ );
}