From c21600e85f148f41173c68d3024a4c1329b8ff58 Mon Sep 17 00:00:00 2001 From: icewing Date: Mon, 10 Mar 2008 16:12:17 +0000 Subject: Marcus Povey * Tokens and execute code added to api git-svn-id: https://code.elgg.org/elgg/trunk@140 36083f99-b078-4883-b0ff-0f9b5a30f544 --- engine/lib/api.php | 129 +++++++++++++++++++++++++++++++++++++++++++++--- engine/lib/users.php | 3 +- engine/schema/mysql.sql | 19 ++++++- 3 files changed, 141 insertions(+), 10 deletions(-) (limited to 'engine') diff --git a/engine/lib/api.php b/engine/lib/api.php index b446c5d63..0e9260629 100644 --- a/engine/lib/api.php +++ b/engine/lib/api.php @@ -162,8 +162,7 @@ /** Create the environment for API Calls */ $ApiEnvironment = new stdClass; - - + /** * An array holding methods. * The structure of this is @@ -182,8 +181,22 @@ */ $METHODS = array(); + /** + * Validate a token against a given site. + * + * A token registered with one site can not be used from a different apikey(site), so be aware of this + * during development. + * + * @param int $site The ID of the site + * @param string $token The Token. + * @return mixed The user id attached to the token or false. + */ + function validate_user_token($site, $token) + { + $u = new User(); - // export function + return $u->getUserIDFromAuthToken($site, $token); + } /** * Expose an arbitrary function as an api call. @@ -198,6 +211,26 @@ */ function expose_function($method, $function, array $parameters = NULL, $require_auth = true) { + global $METHODS; + + if ( + ($method!="") && + ($function!="") + ) + { + $METHODS[$method] = array(); + + $METHODS[$method]["function"] = $function; + + if ($parameters!=NULL) + $METHODS[$method]["parameters"] = $parameters; + + $METHODS[$method]["require_auth"] = $require_auth; + + return true; + } + + return false; } /** 
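Review bot: validate_user_token() hands `$token` to getUserIDFromAuthToken() without checking that it is non-empty, and execute_method() later in this commit calls it on every request with the default `$token = ""`. The lookup itself is not visible in this diff, but the new `prefix_users_apisessions.token` column is nullable, so an empty or missing token is better rejected before the query than left to the lookup: `if (!is_string($token) || $token === "") return false;`. The docblock could also say whether an expired token returns false, since `expires` is stored but its check is not shown here.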
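Review bot: expose_function() stores `$function` after checking only that it is not an empty string, and a second registration under the same `$method` silently replaces the first, including its `require_auth` flag. Because execute_method() in this commit later runs the stored name, registration is the place to insist on a real callable and to refuse overwrites, for example `if (($method == "") || !is_callable($function) || isset($METHODS[$method])) return false;`. If handlers may legitimately be defined after they are registered, the callable test would have to stay in execute_method() and only the overwrite check belongs here. The docblock for this function starts above the hunk.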
@@ -212,9 +245,91 @@ */ function execute_method($method, array $parameters, $token = "") { - - // TODO: If auth token, validate user and set session + global $METHODS, $ApiEnvironment; + // Sanity check + $method = trim($method); + $token = trim($token); + + // See if we can find the method handler + if (is_callable($METHODS[$method]["function"])) + { + $serialised_parameters = ""; + + $validated_userid = validate_user_token($ApiEnvironment->site_id, $token); + + if ((!$METHODS[$method]["require_auth"]) || ($validated_userid) || (isloggedin())) + { + // If we have parameters then we need to sanitise the parameters. + if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"]))) + { + foreach ($METHODS[$method]["parameters"] as $key => $value) + { + if ( + (is_array($value)) // Check that this is an array + && (isset($value['type'])) // Check we have a type defined + ) + { + // Check that the variable is present in the request + + if ( + (!isset($parameters[$key])) && // No parameter + ((!isset($value['required'])) || ($value['required']!=true)) // and not optional + ) + throw new APIException("Missing parameter $key in method $method"); + else + { + // Avoid debug error + if (isset($parameters[$key])) + { + // Set variables casting to type. + switch (strtolower($value['type'])) + { + case 'int': + case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break; + case 'bool': + case 'boolean': + if (strcasecmp(trim($parameters[$key]), "false")==0) + $parameters[$key]=''; + + $serialised_parameters .= "," . (bool)trim($parameters[$key]); + break; + case 'string': $serialised_parameters .= ",'" . (string)mysql_real_escape_string(trim($parameters[$key])) . "'"; + break; + case 'float': $serialised_parameters .= "," . 
(float)trim($parameters[$key]); + break; + + default : throw new APIException("Unrecognised type in cast {$value['type']} for variable '$key' in method '$method'"); + } + } + } + } + else + throw new APIException("Invalid parameter found for '$key' in method '$method'."); + } + } + + // Execute function: Construct function and calling parameters + $function = $METHODS[$method]["function"]; + $serialised_parameters = trim($serialised_parameters, ", "); + + $result = eval("return $function($serialised_parameters);"); + + // Sanity check result + if ($result instanceof GenericResult) // If this function returns an api result itself, just return it + return $result; + + if ($result === FALSE) + throw new APIException("$function($serialised_parameters) has a parsing error."); + + if ($result === NULL) + throw new APIException("$function($serialised_parameters) returned no value."); // If no value + + return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object. + } + else + throw new SecurityException("Authentication token either missing, invalid or expired.", GenericResult::$RESULT_FAIL_AUTHTOKEN); + } // Return an error if not found throw new APIException("Method call '$method' has not been implemented."); @@ -227,7 +342,7 @@ * @return stdClass Containing all the values. * @throws APIException Detailing the error. */ - function get_and_validate_api_headers() + function get_and_validate_api_headers() { $result = new stdClass; @@ -351,8 +466,6 @@ return true; } - - // XML functions ////////////////////////////////////////////////////////////////////////// /** diff --git a/engine/lib/users.php b/engine/lib/users.php index 6003be706..24ded8ce5 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -708,7 +708,8 @@ setcookie("elggperm", $code, (time()+(86400 * 30)),"/"); //} - // set_login_fields($user->id); + // set_login_fields($user->id); + } 
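Review bot: The handler call in execute_method() is assembled as PHP source and run through `eval("return $function($serialised_parameters);")`, with string arguments quoted by `mysql_real_escape_string()`, which is an SQL escaper tied to the database connection and its character set, not a PHP-literal escaper; it also rewrites newlines inside the value. A boolean false is appended as an empty string, so a call carrying a false flag becomes something like `f(1,,'x')` and fails as a parse error. The 'required' test also looks inverted: as written it throws when a missing parameter has `required` unset or false, and silently skips one marked `required => true`. Collecting the cast values in an array and invoking the handler with `call_user_func_array()` removes the code-generation step altogether. The two exception messages that print `$serialised_parameters` would then need rewording, and they currently echo caller-supplied values back in the error.

```php
// … unchanged: trim of $method/$token, handler lookup, auth check …
$arguments = array();

// … unchanged: loop over declared parameters and presence checks …
switch (strtolower($value['type']))
{
	case 'int':
	case 'integer':
		$arguments[] = (int)trim($parameters[$key]);
		break;
	case 'bool':
	case 'boolean':
		// The literal string "false" and any empty/zero value are passed as a real boolean false.
		$flag = trim($parameters[$key]);
		$arguments[] = (strcasecmp($flag, "false") != 0) && (bool)$flag;
		break;
	case 'string':
		// Passed as data, so no escaping is needed at this layer.
		$arguments[] = trim($parameters[$key]);
		break;
	case 'float':
		$arguments[] = (float)trim($parameters[$key]);
		break;
	// … unchanged: default case throwing APIException …
}

// … unchanged: invalid-parameter handling …
$function = $METHODS[$method]["function"];
$result = call_user_func_array($function, $arguments);
// … unchanged: GenericResult / NULL handling; reword the messages that used $serialised_parameters …
```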
diff --git a/engine/schema/mysql.sql b/engine/schema/mysql.sql index 8563eed7e..dff19be35 100644 --- a/engine/schema/mysql.sql +++ b/engine/schema/mysql.sql @@ -119,6 +119,23 @@ CREATE TABLE `prefix_users` ( ) ENGINE=MyISAM ; +-- +-- User sessions +-- + +CREATE TABLE `prefix_users_apisessions` ( + `id` int(11) NOT NULL auto_increment, + `user_id` int(11) NOT NULL, + `site_id` int(11) NOT NULL, + + `token` varchar(40), + + `expires` int(11) NOT NULL, + + PRIMARY KEY (`id`), + UNIQUE KEY (`user_id`,`site_id`) +) ENGINE=MyISAM; + -- -------------------------------------------------------- -- @@ -215,7 +232,7 @@ CREATE TABLE `prefix_api_users` ( id int(11) auto_increment, email_address varchar(128), - + site_id int(11), api_key varchar(40), secret varchar(40) NOT NULL, active int default 1, -- cgit v1.2.3
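Review bot: `token` in `prefix_users_apisessions` is declared nullable and has no index, although validate_user_token() in this commit looks sessions up by site and token. Declaring it `token varchar(40) NOT NULL` and adding `KEY (site_id, token)` keeps rows without a token out of the table and avoids a full scan on every API request. The column appears to hold the bearer token as issued; storing a hash of it instead would mean a copy of this table does not hand out live sessions, though that depends on lookup code outside this diff.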