-rw-r--r-- | engine/lib/api.php | 144 |
1 files changed, 84 insertions, 60 deletions
diff --git a/engine/lib/api.php b/engine/lib/api.php index 2751e2166..b2696ade9 100644 --- a/engine/lib/api.php +++ b/engine/lib/api.php @@ -175,6 +175,7 @@ * $METHODS = array ( * "api.method" => array ( * "function" = 'my_function_callback' + * "call_method" = 'GET' | 'POST' * "parameters" = array ( * "variable" = array ( // NB, the order is the same as defined by your function callback * type => 'int' | 'bool' | 'float' | 'string' @@ -189,6 +190,14 @@ $METHODS = array(); /** + * Get the request method. + */ + function get_call_method() + { + return $_SERVER['REQUEST_METHOD']; + } + + /** * Validate a token against a given site. * * A token registered with one site can not be used from a different apikey(site), so be aware of this @@ -224,11 +233,12 @@ * @param string $method The api name to expose this as, eg "myapi.dosomething" * @param string $function Your function callback. * @param array $parameters Optional list of parameters in the same order as in your function, with optional parameters last. + * @param string $call_method Define what call method should be used for this function. * @param bool $require_auth Whether this requires a user authentication token or not (default is true) * @param string $description Optional human readable description of the function. * @return bool */ - function expose_function($method, $function, array $parameters = NULL, $require_auth = true, $description = "") + function expose_function($method, $function, array $parameters = NULL, $call_method = "GET", $require_auth = true, $description = "") { global $METHODS; 
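Review bot: get_call_method() in the second hunk returns `$_SERVER['REQUEST_METHOD']` without checking that the key exists, so a CLI or test invocation emits an undefined-index notice and hands null to the strcmp() comparison in the dispatcher. A guarded lookup that fails closed reads `return isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';` — an empty string can never match a registered 'GET'/'POST' and so ends in the CallException rather than a notice. The docblock should also state the contract, e.g. `@return string The request method as reported by the web server (empty when not running under one)`.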
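Review bot: The new `$call_method` parameter is inserted in the middle of expose_function()'s signature, ahead of `$require_auth`, which breaks every existing caller that passes `$require_auth` positionally; the in-tree call is updated in the last hunk, but plugin code calling with five arguments would now have its bool land in `$call_method` (strtoupper(false) yields '') and hit the new InvalidParameterException. Appending the parameter keeps the old call sites working: `function expose_function($method, $function, array $parameters = NULL, $require_auth = true, $description = "", $call_method = "GET")`, with the `@param` line moved accordingly. The body of expose_function continues past the end of this hunk.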
@@ -244,6 +254,15 @@ if ($parameters!=NULL) $METHODS[$method]["parameters"] = $parameters; + $call_method = strtoupper($call_method); + switch ($call_method) + { + case 'POST' : $METHODS[$method]["call_method"] = 'POST'; break; + case 'GET' : $METHODS[$method]["call_method"] = 'GET'; break; + default : + throw new InvalidParameterException("Unrecognised call method '$call_method'"); + } + $METHODS[$method]["description"] = $description; $METHODS[$method]["require_auth"] = $require_auth; 
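Review bot: The switch on `$call_method` has two cases that both store the already-uppercased value, so the same validation reads more directly as a whitelist check: `if (!in_array($call_method, array('GET', 'POST'), true))` / `throw new InvalidParameterException("Unrecognised call method '$call_method'");` / `$METHODS[$method]["call_method"] = $call_method;`. Adding a new verb then means one entry in the array rather than a new case with a duplicated assignment. The `@param string $call_method` doc in the previous hunk should mention that the value is uppercased and restricted to GET or POST, since that is what callers will trip over. The enclosing function's return is outside this hunk.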
@@ -275,82 +294,87 @@ // See if we can find the method handler if ((isset($METHODS[$method]["function"])) && (is_callable($METHODS[$method]["function"]))) { - $serialised_parameters = ""; - - $validated_userid = validate_user_token($CONFIG->site_id, $token); - - if ((!$METHODS[$method]["require_auth"]) || ($validated_userid) || (isloggedin())) + // See if this is being made with the right call method + if (strcmp(get_call_method(), $METHODS[$method]["call_method"])) { - // If we have parameters then we need to sanitise the parameters. - if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"]))) + $serialised_parameters = ""; + + $validated_userid = validate_user_token($CONFIG->site_id, $token); + + if ((!$METHODS[$method]["require_auth"]) || ($validated_userid) || (isloggedin())) { - foreach ($METHODS[$method]["parameters"] as $key => $value) + // If we have parameters then we need to sanitise the parameters. + if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"]))) { - if ( - (is_array($value)) // Check that this is an array - && (isset($value['type'])) // Check we have a type defined - ) + foreach ($METHODS[$method]["parameters"] as $key => $value) { - // Check that the variable is present in the request - if ( - (!isset($parameters[$key])) && // No parameter - ((!isset($value['required'])) || ($value['required']!=true)) // and not optional + (is_array($value)) // Check that this is an array + && (isset($value['type'])) // Check we have a type defined ) - throw new APIException("Missing parameter $key in method $method"); - else { - // Avoid debug error - if (isset($parameters[$key])) + // Check that the variable is present in the request + + if ( + (!isset($parameters[$key])) && // No parameter + ((!isset($value['required'])) || ($value['required']!=true)) // and not optional + ) + throw new APIException("Missing parameter $key in method $method"); + else { - // Set variables casting to type. 
- switch (strtolower($value['type'])) + // Avoid debug error + if (isset($parameters[$key])) { - case 'int': - case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break; - case 'bool': - case 'boolean': - if (strcasecmp(trim($parameters[$key]), "false")==0) - $parameters[$key]=''; - - $serialised_parameters .= "," . (bool)trim($parameters[$key]); - break; - case 'string': $serialised_parameters .= ",'" . (string)mysql_real_escape_string(trim($parameters[$key])) . "'"; - break; - case 'float': $serialised_parameters .= "," . (float)trim($parameters[$key]); - break; - - default : throw new APIException("Unrecognised type in cast {$value['type']} for variable '$key' in method '$method'"); + // Set variables casting to type. + switch (strtolower($value['type'])) + { + case 'int': + case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break; + case 'bool': + case 'boolean': + if (strcasecmp(trim($parameters[$key]), "false")==0) + $parameters[$key]=''; + + $serialised_parameters .= "," . (bool)trim($parameters[$key]); + break; + case 'string': $serialised_parameters .= ",'" . (string)mysql_real_escape_string(trim($parameters[$key])) . "'"; + break; + case 'float': $serialised_parameters .= "," . 
(float)trim($parameters[$key]); + break; + + default : throw new APIException("Unrecognised type in cast {$value['type']} for variable '$key' in method '$method'"); + } } } } + else + throw new APIException("Invalid parameter found for '$key' in method '$method'."); } - else - throw new APIException("Invalid parameter found for '$key' in method '$method'."); } - } - - // Execute function: Construct function and calling parameters - $function = $METHODS[$method]["function"]; - $serialised_parameters = trim($serialised_parameters, ", "); - - $result = eval("return $function($serialised_parameters);"); - - // Sanity check result - if ($result instanceof GenericResult) // If this function returns an api result itself, just return it - return $result; - if ($result === FALSE) - throw new APIException("$function($serialised_parameters) has a parsing error."); + // Execute function: Construct function and calling parameters + $function = $METHODS[$method]["function"]; + $serialised_parameters = trim($serialised_parameters, ", "); - if ($result === NULL) - throw new APIException("$function($serialised_parameters) returned no value."); // If no value + $result = eval("return $function($serialised_parameters);"); - return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object. - } + // Sanity check result + if ($result instanceof GenericResult) // If this function returns an api result itself, just return it + return $result; + + if ($result === FALSE) + throw new APIException("$function($serialised_parameters) has a parsing error."); + + if ($result === NULL) + throw new APIException("$function($serialised_parameters) returned no value."); // If no value + + return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object. 
+ } + else + throw new SecurityException("Authentication token either missing, invalid or expired.", GenericResult::$RESULT_FAIL_AUTHTOKEN); + } else - throw new SecurityException("Authentication token either missing, invalid or expired.", GenericResult::$RESULT_FAIL_AUTHTOKEN); - + throw new CallException("$method must be called using '{$METHODS[$method]["call_method"]}'"); } // Return an error if not found @@ -369,7 +393,7 @@ } // Expose some system api functions - expose_function("system.api.list", "list_all_apis", NULL, false, "List all available API calls on the system."); + expose_function("system.api.list", "list_all_apis", NULL, "GET", false, "List all available API calls on the system."); // PAM AUTH HMAC functions //////////////////////////////////////////////////////////////// |
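Review bot: The new call-method check is inverted: `if (strcmp(get_call_method(), $METHODS[$method]["call_method"]))` is true only when strcmp() returns non-zero, i.e. when the request method does NOT match, so matching requests fall into the else branch and get `CallException("$method must be called using ...")` while mismatched ones are executed. With the system.api.list registration in the last hunk, a plain GET would therefore be rejected with "must be called using 'GET'". The condition should be `if (strcmp(get_call_method(), $METHODS[$method]["call_method"]) === 0)` (or `get_call_method() === $METHODS[$method]["call_method"]`), which leaves the rest of the re-indented body as it is. The enclosing function starts before and ends after this hunk; the inner token/parameter handling is unchanged apart from indentation.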