| author | cweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f> | 2010-09-28 22:14:31 +0000 | 
|---|---|---|
| committer | cweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f> | 2010-09-28 22:14:31 +0000 | 
| commit | 22c9a01ee845d2b92fcab6b6cb10ac6ff0eec52e (patch) | |
| tree | 5f5c876689ee1dc4d8054db29ce9946221b0045b | |
| parent | df8216d607a9806b57b83eea9eb55577eae7d54f (diff) | |
rewrite api/posts/delete to be more secure and add unit tests for it
git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@769 b3834d28-1941-0410-a4f8-b48e95affb8f
| -rw-r--r-- | src/SemanticScuttle/Service/Bookmark.php | 18 | ||||
| -rw-r--r-- | tests/Api/PostsDeleteTest.php | 9 | ||||
| -rw-r--r-- | www/api/posts_delete.php | 63 | 
3 files changed, 62 insertions, 28 deletions
| diff --git a/src/SemanticScuttle/Service/Bookmark.php b/src/SemanticScuttle/Service/Bookmark.php
index dde1df5..4e18d3f 100644
--- a/src/SemanticScuttle/Service/Bookmark.php
+++ b/src/SemanticScuttle/Service/Bookmark.php
@@ -176,7 +176,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
      * Retrieves a bookmark with the given URL.
      * DOES NOT RESPECT PRIVACY SETTINGS!
      *
-     * @param string $address URL to get bookmarks for
+     * @param string  $address URL to get bookmarks for
+     * @param boolean $all     Retrieve from all users (true)
+     *                         or only bookmarks owned by the current
+     *                         user (false)
      *
      * @return mixed Array with bookmark data or false in case
      *               of an error (i.e. not found).
@@ -184,9 +187,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
      * @uses getBookmarkByHash()
      * @see  getBookmarkByShortname()
      */
-    public function getBookmarkByAddress($address)
+    public function getBookmarkByAddress($address, $all = true)
     {
-        return $this->getBookmarkByHash($this->getHash($address));
+        return $this->getBookmarkByHash($this->getHash($address), $all);
     }
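Review bot: The new `$all` parameter on `getBookmarkByAddress()` defaults to `true`, so every existing caller keeps the cross-user lookup and only code that explicitly passes `false` is limited to the current user's bookmarks; nothing in the signature or docblock tells a caller that is about to delete or update the returned row that it must opt in. Since the default has to stay `true` for compatibility, the docblock is the place to say it — after the "DOES NOT RESPECT PRIVACY SETTINGS!" line add ` * Callers that modify the returned bookmark must pass $all = false,` and ` * otherwise a bookmark owned by another user may be returned.`. How the `false` path resolves "the current user" happens inside `getBookmarkByHash()`/`_getbookmark()` and is not visible in this hunk, so that wording should be confirmed against it.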
@@ -195,16 +198,19 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
      * Retrieves a bookmark with the given hash.
      * DOES NOT RESPECT PRIVACY SETTINGS!
      *
-     * @param string $hash URL hash
+     * @param string  $hash URL hash
+     * @param boolean $all  Retrieve from all users (true)
+     *                      or only bookmarks owned by the current
+     *                      user (false)
      *
      * @return mixed Array with bookmark data or false in case
      *               of an error (i.e. not found).
      *
      * @see getHash()
      */
-    public function getBookmarkByHash($hash)
+    public function getBookmarkByHash($hash, $all = true)
     {
-        return $this->_getbookmark('bHash', $hash, true);
+        return $this->_getbookmark('bHash', $hash, $all);
     }
diff --git a/tests/Api/PostsDeleteTest.php b/tests/Api/PostsDeleteTest.php
index 705f94e..626746f 100644
--- a/tests/Api/PostsDeleteTest.php
+++ b/tests/Api/PostsDeleteTest.php
@@ -202,8 +202,9 @@ class Api_PostsDeleteTest extends TestBaseApi
         //send request
         $res = $req->send();
-        //401 - unauthorized
-        $this->assertEquals(401, $res->getStatus());
+        //404 - user does not have that bookmark
+        $this->assertEquals(404, $res->getStatus());
+
         //verify MIME content type
         $this->assertEquals(
             'text/xml; charset=utf-8',
@@ -211,10 +212,10 @@ class Api_PostsDeleteTest extends TestBaseApi
         );
         //verify xml
-        $this->assertNotTag(
+        $this->assertTag(
             array(
                 'tag'        => 'result',
-                'attributes' => array('code' => 'done')
+                'attributes' => array('code' => 'something went wrong')
             ),
             $res->getBody(),
             '', false
diff --git a/www/api/posts_delete.php b/www/api/posts_delete.php
index a63cc62..982b686 100644
--- a/www/api/posts_delete.php
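Review bot: The PostsDeleteTest change asserts the 404 status and the `something went wrong` result code for a bookmark the caller does not own, but it never checks the property that motivates the rewrite: that the other user's bookmark still exists after the request. A regression in the user filter of `bookmarkExists()` (the check `posts_delete.php` now relies on) would still pass as long as the response code came out right. After the `assertTag` call, add an assertion that the foreign bookmark survived, e.g. through the bookmark service's `bookmarkExists($url, $otherUserId)` if the test base exposes the service, otherwise through whatever lookup the base class provides. The test method starts before this hunk, so the setup that creates the other user's bookmark is not visible here.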
+++ b/www/api/posts_delete.php 
@@ -1,33 +1,60 @@
 <?php
-// Implements the del.icio.us API request to delete a post.
-
-// del.icio.us behavior:
-// - returns "done" even if the bookmark doesn't exist;
-// - does NOT allow the hash for the url parameter;
-// - doesn't set the Content-Type to text/xml (we do).
+/**
+ * API for deleting a bookmark.
+ * The delicious API is implemented here.
+ *
+ * The delicious API behaves like that:
+ * - returns "done" even if the bookmark doesn't exist
+ *   - we do it correctly
+ * - does NOT allow the hash for the url parameter
+ * - doesn't set the Content-Type to text/xml
+ *   - we do it correctly, too
+ *
+ * SemanticScuttle - your social bookmark manager.
+ *
+ * PHP version 5.
+ *
+ * @category Bookmarking
+ * @package  SemanticScuttle
+ * @author   Benjamin Huynh-Kim-Bang <mensonge@users.sourceforge.net>
+ * @author   Christian Weiske <cweiske@cweiske.de>
+ * @author   Eric Dane <ericdane@users.sourceforge.net>
+ * @license  GPL http://www.gnu.org/licenses/gpl.html
+ * @link     http://sourceforge.net/projects/semanticscuttle
+ */
 // Force HTTP authentication first!
 $httpContentType = 'text/xml';
 require_once 'httpauth.inc.php';
-/* Service creation: only useful services are created */
-$bookmarkservice =SemanticScuttle_Service_Factory::get('Bookmark');
-
+$bs  = SemanticScuttle_Service_Factory::get('Bookmark');
+$uId = $userservice->getCurrentUserId();
-// Note that del.icio.us only errors out if no URL was passed in; there's no error on attempting
-// to delete a bookmark you don't have.
 // Error out if there's no address
-if (is_null($_REQUEST['url'])) {
+if (!isset($_REQUEST['url'])
+    || $_REQUEST['url'] == ''
+) {
     $deleted = false;
+} else if (!$bs->bookmarkExists($_REQUEST['url'], $uId)) {
+    //the user does not have such a bookmark
+    // Note that del.icio.us only errors out if no URL was passed in;
+    // there's no error on attempting to delete a bookmark you don't have.
+    // this sucks, and I don't care about being different but correct here.
+    header('HTTP/1.0 404 Not Found');
+    $deleted = false;
+
 } else {
-    $bookmark = $bookmarkservice->getBookmarkByAddress($_REQUEST['url']);
-    $bid = $bookmark['bId'];
-    $delete = $bookmarkservice->deleteBookmark($bid);
-    $deleted = true;
+    $bookmark = $bs->getBookmarkByAddress($_REQUEST['url'], false);
+    $bId      = $bookmark['bId'];
+    $deleted  = $bs->deleteBookmark($bId);
+    if (!$deleted) {
+        //something really went wrong
+        header('HTTP/1.0 500 Internal Server Error');
+    }
 }
 // Set up the XML file and output the result.
-echo '<?xml version="1.0" standalone="yes" ?'.">\r\n";
-echo '<result code="'. ($deleted ? 'done' : 'something went wrong') .'" />';
+echo '<?xml version="1.0" standalone="yes" ?' . ">\r\n";
+echo '<result code="' . ($deleted ? 'done' : 'something went wrong') . '" />';
 ?>
\ No newline at end of file | 
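Review bot: The read `$bId = $bookmark['bId'];` after `getBookmarkByAddress($_REQUEST['url'], false)` assumes the lookup succeeded, but the Bookmark.php hunk documents that method as returning `false` when nothing is found; `$bId` is then null and `deleteBookmark(null)` runs with whatever that does to the user's rows, and the 500 branch only fires if it happens to return a falsy value. The preceding `bookmarkExists($_REQUEST['url'], $uId)` is a separate query, so the two can disagree (a concurrent delete, or different URL normalisation between the two helpers) — guard the result first, e.g. `$bId = is_array($bookmark) ? $bookmark['bId'] : null;` and `$deleted = $bId !== null && $bs->deleteBookmark($bId);`. The missing/empty `url` branch still answers HTTP 200 with the failure body while the other failures set 404/500; `header('HTTP/1.0 400 Bad Request');` there would make the statuses consistent. Since `$_REQUEST` also accepts query-string and cookie values, a delete can be triggered by a plain GET under cached HTTP auth; if that is deliberate for del.icio.us compatibility it deserves a comment, otherwise `$_POST` is the safer source.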
