aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--engine/lib/api.php197
-rw-r--r--services/api/rest.php4
2 files changed, 122 insertions, 79 deletions
diff --git a/engine/lib/api.php b/engine/lib/api.php
index 20550d767..ca8d559d8 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -191,7 +191,7 @@
* required => true (default) | false
* )
* )
- * "require_auth" => true (default) | false
+ * "require_auth_token" => true (default) | false
* "description" => "Some human readable description"
* )
* )
@@ -249,10 +249,11 @@
* )
* @param string $description Optional human readable description of the function.
* @param string $call_method Define what call method should be used for this function.
- * @param bool $require_auth Whether this requires a user authentication token or not (default is true)
+ * @param bool $require_auth_token Whether this requires a user authentication token or not (default is true).
+ * @param bool $anonymous Can anonymous (non-authenticated in any way) users execute this call.
* @return bool
*/
- function expose_function($method, $function, array $parameters = NULL, $description = "", $call_method = "GET", $require_auth = true)
+ function expose_function($method, $function, array $parameters = NULL, $description = "", $call_method = "GET", $require_auth_token = true, $anonymous = false)
{
global $METHODS;
@@ -279,7 +280,9 @@
$METHODS[$method]["description"] = $description;
- $METHODS[$method]["require_auth"] = $require_auth;
+ $METHODS[$method]["require_auth_token"] = $require_auth_token;
+
+ $METHODS[$method]["anonymous"] = $anonymous;
return true;
}
@@ -313,101 +316,96 @@
{
$serialised_parameters = "";
- $validated_userid = validate_user_token($CONFIG->site_id, $token);
-
- if ((!$METHODS[$method]["require_auth"]) || ($validated_userid) || (isloggedin()))
+
+ // If we have parameters then we need to sanitise the parameters.
+ if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"])))
{
- // If we have parameters then we need to sanitise the parameters.
- if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"])))
+ foreach ($METHODS[$method]["parameters"] as $key => $value)
{
- foreach ($METHODS[$method]["parameters"] as $key => $value)
+ if (
+ (is_array($value)) // Check that this is an array
+ && (isset($value['type'])) // Check we have a type defined
+ )
{
+ // Check that the variable is present in the request
+
if (
- (is_array($value)) // Check that this is an array
- && (isset($value['type'])) // Check we have a type defined
+ (!isset($parameters[$key])) && // No parameter
+ ((!isset($value['required'])) || ($value['required']!=true)) // and not optional
)
+ throw new APIException(sprintf(elgg_echo('APIException:MissingParameterInMethod'), $key, $method));
+ else
{
- // Check that the variable is present in the request
-
- if (
- (!isset($parameters[$key])) && // No parameter
- ((!isset($value['required'])) || ($value['required']!=true)) // and not optional
- )
- throw new APIException(sprintf(elgg_echo('APIException:MissingParameterInMethod'), $key, $method));
- else
+ // Avoid debug error
+ if (isset($parameters[$key]))
{
- // Avoid debug error
- if (isset($parameters[$key]))
+ // Set variables casting to type.
+ switch (strtolower($value['type']))
{
- // Set variables casting to type.
- switch (strtolower($value['type']))
- {
- case 'int':
- case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break;
- case 'bool':
- case 'boolean':
- if (strcasecmp(trim($parameters[$key]), "false")==0)
- $parameters[$key]='';
-
- $serialised_parameters .= "," . (bool)trim($parameters[$key]);
- break;
- case 'string': $serialised_parameters .= ",'" . (string)mysql_real_escape_string(trim($parameters[$key])) . "'";
- break;
- case 'float': $serialised_parameters .= "," . (float)trim($parameters[$key]);
- break;
- case 'array':
- $array = "array(";
+ case 'int':
+ case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break;
+ case 'bool':
+ case 'boolean':
+ if (strcasecmp(trim($parameters[$key]), "false")==0)
+ $parameters[$key]='';
- if (is_array($parameters[$key]))
+ $serialised_parameters .= "," . (bool)trim($parameters[$key]);
+ break;
+ case 'string': $serialised_parameters .= ",'" . (string)mysql_real_escape_string(trim($parameters[$key])) . "'";
+ break;
+ case 'float': $serialised_parameters .= "," . (float)trim($parameters[$key]);
+ break;
+ case 'array':
+ $array = "array(";
+
+ if (is_array($parameters[$key]))
+ {
+ foreach ($parameters[$key] as $k => $v)
{
- foreach ($parameters[$key] as $k => $v)
- {
- $k = sanitise_string($k);
- $v = sanitise_string($v);
-
- $array .= "'$k'=>'$v',";
- }
+ $k = sanitise_string($k);
+ $v = sanitise_string($v);
- $array = trim($array,",");
+ $array .= "'$k'=>'$v',";
}
- else
- throw APIException(sprintf(elgg_echo('APIException:ParameterNotArray'), $key));
-
- $array .= ")";
- $serialised_parameters .= $array;
- break;
-
- default : throw new APIException(sprintf(elgg_echo('APIException:UnrecognisedTypeCast'), $value['type'], $key, $method));
- }
+ $array = trim($array,",");
+ }
+ else
+ throw APIException(sprintf(elgg_echo('APIException:ParameterNotArray'), $key));
+
+ $array .= ")";
+
+ $serialised_parameters .= $array;
+ break;
+
+ default : throw new APIException(sprintf(elgg_echo('APIException:UnrecognisedTypeCast'), $value['type'], $key, $method));
}
}
}
- else
- throw new APIException(sprintf(elgg_echo('APIException:InvalidParameter'), $key, $method));
}
+ else
+ throw new APIException(sprintf(elgg_echo('APIException:InvalidParameter'), $key, $method));
}
+ }
+
+ // Execute function: Construct function and calling parameters
+ $function = $METHODS[$method]["function"];
+ $serialised_parameters = trim($serialised_parameters, ", ");
+
+ $result = eval("return $function($serialised_parameters);");
+
+ // Sanity check result
+ if ($result instanceof GenericResult) // If this function returns an api result itself, just return it
+ return $result;
- // Execute function: Construct function and calling parameters
- $function = $METHODS[$method]["function"];
- $serialised_parameters = trim($serialised_parameters, ", ");
+ if ($result === FALSE)
+ throw new APIException(sprintf(elgg_echo('APIException:FunctionParseError'), $function, $serialised_parameters));
- $result = eval("return $function($serialised_parameters);");
+ if ($result === NULL)
+ throw new APIException(sprintf(elgg_echo('APIException:FunctionNoReturn'), $function, $serialised_parameters)); // If no value
- // Sanity check result
- if ($result instanceof GenericResult) // If this function returns an api result itself, just return it
- return $result;
-
- if ($result === FALSE)
- throw new APIException(sprintf(elgg_echo('APIException:FunctionParseError'), $function, $serialised_parameters));
-
- if ($result === NULL)
- throw new APIException(sprintf(elgg_echo('APIException:FunctionNoReturn'), $function, $serialised_parameters)); // If no value
-
- return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object.
- }
- else
- throw new SecurityException(elgg_echo('SecurityException:AuthTokenExpired'), GenericResult::$RESULT_FAIL_AUTHTOKEN);
+ return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object.
+
}
else
throw new CallException(sprintf(elgg_echo('CallException:InvalidCallMethod'), $method, $METHODS[$method]["call_method"]));
@@ -617,6 +615,49 @@
// PAM functions //////////////////////////////////////////////////////////////////////////
/**
+ * Function that examines whether an authentication token is present returning true if it is, OR the requested
+ * method doesn't require one.
+ *
+ * @param unknown_type $credentials
+ */
+ function pam_auth_usertoken($credentials = NULL)
+ {
+ global $METHODS, $CONFIG;
+
+ $method = get_input('method');
+ $token = get_input('token');
+
+ if (($method) && ($token))
+ {
+ $validated_userid = validate_user_token($CONFIG->site_id, $token);
+
+ if ((!$METHODS[$method]["require_auth_token"]) || ($validated_userid) || (isloggedin()))
+ return true;
+ else
+ throw new SecurityException(elgg_echo('SecurityException:AuthTokenExpired'), GenericResult::$RESULT_FAIL_AUTHTOKEN);
+ }
+
+ return false;
+ }
+
+ /**
+ * Test to see whether a given function has been declared as anonymous access (it doesn't require any auth token)
+ *
+ * @param unknown_type $credentials
+ */
+ function pam_auth_anonymous_method($credentials = NULL)
+ {
+ global $METHODS, $CONFIG;
+
+ $method = get_input('method');
+
+ if ((isset($METHODS[$method]["anonymous"])) && ($METHODS[$method]["anonymous"]))
+ return true;
+
+ return false;
+ }
+
+ /**
* See if the user has a valid login sesson.
*/
function pam_auth_session($credentials = NULL)
diff --git a/services/api/rest.php b/services/api/rest.php
index 41e44d9b2..15a7ad923 100644
--- a/services/api/rest.php
+++ b/services/api/rest.php
@@ -14,7 +14,7 @@
/**
* Start the Elgg engine
*/
- require_once('../engine/start.php');
+ require_once("../../engine/start.php");
global $CONFIG;
// Register the error handler
@@ -31,6 +31,8 @@
// Register some default PAM methods, plugins can add their own
register_pam_handler('pam_auth_session');
register_pam_handler('pam_auth_hmac');
+ register_pam_handler('pam_auth_usertoken', 'required'); // Either token present and valid OR method doesn't require one.
+ register_pam_handler('pam_auth_anonymous_method'); // Support anonymous functions
// Get parameter variables
$method = get_input('method');