authorcweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f>2010-09-28 22:14:31 +0000
committercweiske <cweiske@b3834d28-1941-0410-a4f8-b48e95affb8f>2010-09-28 22:14:31 +0000
commit22c9a01ee845d2b92fcab6b6cb10ac6ff0eec52e (patch)
tree5f5c876689ee1dc4d8054db29ce9946221b0045b
parentdf8216d607a9806b57b83eea9eb55577eae7d54f (diff)
downloadsemanticscuttle-22c9a01ee845d2b92fcab6b6cb10ac6ff0eec52e.tar.gz
semanticscuttle-22c9a01ee845d2b92fcab6b6cb10ac6ff0eec52e.tar.bz2
rewrite api/posts/delete to be more secure and add unit tests for it
git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@769 b3834d28-1941-0410-a4f8-b48e95affb8f
-rw-r--r--src/SemanticScuttle/Service/Bookmark.php18
-rw-r--r--tests/Api/PostsDeleteTest.php9
-rw-r--r--www/api/posts_delete.php63
3 files changed, 62 insertions, 28 deletions
diff --git a/src/SemanticScuttle/Service/Bookmark.php b/src/SemanticScuttle/Service/Bookmark.php
index dde1df5..4e18d3f 100644
--- a/src/SemanticScuttle/Service/Bookmark.php
+++ b/src/SemanticScuttle/Service/Bookmark.php
@@ -176,7 +176,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
* Retrieves a bookmark with the given URL.
* DOES NOT RESPECT PRIVACY SETTINGS!
*
- * @param string $address URL to get bookmarks for
+ * @param string $address URL to get bookmarks for
+ * @param boolean $all Retrieve from all users (true)
+ * or only bookmarks owned by the current
+ * user (false)
*
* @return mixed Array with bookmark data or false in case
* of an error (i.e. not found).
@@ -184,9 +187,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
* @uses getBookmarkByHash()
* @see getBookmarkByShortname()
*/
- public function getBookmarkByAddress($address)
+ public function getBookmarkByAddress($address, $all = true)
{
- return $this->getBookmarkByHash($this->getHash($address));
+ return $this->getBookmarkByHash($this->getHash($address), $all);
}
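Review bot: The new `$all` parameter of getBookmarkByAddress defaults to `true`, so the cross-user lookup remains the default and any caller that passes a user-supplied address without the second argument still receives a bookmark owned by another user; the same default is introduced for getBookmarkByHash in the next hunk. The docblock should make the safe choice explicit, e.g. `* Callers acting on user input should pass false so only the current user's bookmark is returned.`, or `false` should become the default once existing callers have been reviewed. How "the current user" is resolved is inside _getbookmark, which is outside this hunk, so that part is inferred from the parameter description only.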
@@ -195,16 +198,19 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
* Retrieves a bookmark with the given hash.
* DOES NOT RESPECT PRIVACY SETTINGS!
*
- * @param string $hash URL hash
+ * @param string $hash URL hash
+ * @param boolean $all Retrieve from all users (true)
+ * or only bookmarks owned by the current
+ * user (false)
*
* @return mixed Array with bookmark data or false in case
* of an error (i.e. not found).
*
* @see getHash()
*/
- public function getBookmarkByHash($hash)
+ public function getBookmarkByHash($hash, $all = true)
{
- return $this->_getbookmark('bHash', $hash, true);
+ return $this->_getbookmark('bHash', $hash, $all);
}
diff --git a/tests/Api/PostsDeleteTest.php b/tests/Api/PostsDeleteTest.php
index 705f94e..626746f 100644
--- a/tests/Api/PostsDeleteTest.php
+++ b/tests/Api/PostsDeleteTest.php
@@ -202,8 +202,9 @@ class Api_PostsDeleteTest extends TestBaseApi
//send request
$res = $req->send();
- //401 - unauthorized
- $this->assertEquals(401, $res->getStatus());
+ //404 - user does not have that bookmark
+ $this->assertEquals(404, $res->getStatus());
+
//verify MIME content type
$this->assertEquals(
'text/xml; charset=utf-8',
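Review bot: The changed assertion only checks the 404 status and the error body; it does not verify that the other user's bookmark still exists after the request, which is the property the rewrite is meant to guarantee. Unless the rest of the test method (which starts before this hunk) already does so, add an assertion after the response checks that the owner's bookmark is still present, for example via the Bookmark service's bookmarkExists() with the owner's user id. The same applies to the assertTag change in the second hunk of this file.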
@@ -211,10 +212,10 @@ class Api_PostsDeleteTest extends TestBaseApi
);
//verify xml
- $this->assertNotTag(
+ $this->assertTag(
array(
'tag' => 'result',
- 'attributes' => array('code' => 'done')
+ 'attributes' => array('code' => 'something went wrong')
),
$res->getBody(),
'', false
diff --git a/www/api/posts_delete.php b/www/api/posts_delete.php
index a63cc62..982b686 100644
--- a/www/api/posts_delete.php
+++ b/www/api/posts_delete.php
@@ -1,33 +1,60 @@
<?php
-// Implements the del.icio.us API request to delete a post.
-
-// del.icio.us behavior:
-// - returns "done" even if the bookmark doesn't exist;
-// - does NOT allow the hash for the url parameter;
-// - doesn't set the Content-Type to text/xml (we do).
+/**
+ * API for deleting a bookmark.
+ * The delicious API is implemented here.
+ *
+ * The delicious API behaves like that:
+ * - returns "done" even if the bookmark doesn't exist
+ * - we do it correctly
+ * - does NOT allow the hash for the url parameter
+ * - doesn't set the Content-Type to text/xml
+ * - we do it correctly, too
+ *
+ * SemanticScuttle - your social bookmark manager.
+ *
+ * PHP version 5.
+ *
+ * @category Bookmarking
+ * @package SemanticScuttle
+ * @author Benjamin Huynh-Kim-Bang <mensonge@users.sourceforge.net>
+ * @author Christian Weiske <cweiske@cweiske.de>
+ * @author Eric Dane <ericdane@users.sourceforge.net>
+ * @license GPL http://www.gnu.org/licenses/gpl.html
+ * @link http://sourceforge.net/projects/semanticscuttle
+ */
// Force HTTP authentication first!
$httpContentType = 'text/xml';
require_once 'httpauth.inc.php';
-/* Service creation: only useful services are created */
-$bookmarkservice =SemanticScuttle_Service_Factory::get('Bookmark');
-
+$bs = SemanticScuttle_Service_Factory::get('Bookmark');
+$uId = $userservice->getCurrentUserId();
-// Note that del.icio.us only errors out if no URL was passed in; there's no error on attempting
-// to delete a bookmark you don't have.
// Error out if there's no address
-if (is_null($_REQUEST['url'])) {
+if (!isset($_REQUEST['url'])
+ || $_REQUEST['url'] == ''
+) {
$deleted = false;
+} else if (!$bs->bookmarkExists($_REQUEST['url'], $uId)) {
+ //the user does not have such a bookmark
+ // Note that del.icio.us only errors out if no URL was passed in;
+ // there's no error on attempting to delete a bookmark you don't have.
+ // this sucks, and I don't care about being different but correct here.
+ header('HTTP/1.0 404 Not Found');
+ $deleted = false;
+
} else {
- $bookmark = $bookmarkservice->getBookmarkByAddress($_REQUEST['url']);
- $bid = $bookmark['bId'];
- $delete = $bookmarkservice->deleteBookmark($bid);
- $deleted = true;
+ $bookmark = $bs->getBookmarkByAddress($_REQUEST['url'], false);
+ $bId = $bookmark['bId'];
+ $deleted = $bs->deleteBookmark($bId);
+ if (!$deleted) {
+ //something really went wrong
+ header('HTTP/1.0 500 Internal Server Error');
+ }
}
// Set up the XML file and output the result.
-echo '<?xml version="1.0" standalone="yes" ?'.">\r\n";
-echo '<result code="'. ($deleted ? 'done' : 'something went wrong') .'" />';
+echo '<?xml version="1.0" standalone="yes" ?' . ">\r\n";
+echo '<result code="' . ($deleted ? 'done' : 'something went wrong') . '" />';
?> \ No newline at end of file
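Review bot: `$bookmark['bId']` on the line after getBookmarkByAddress() is indexed without checking for `false`, which the method's docblock documents as its not-found return; the preceding bookmarkExists() check reduces the window but uses `$uId` explicitly while getBookmarkByAddress(…, false) resolves the user internally, and a disagreement between the two (or a deletion between the calls) would turn into an undefined-index notice and a deleteBookmark() call with a null id. Guard the result, e.g. `$bookmark = $bs->getBookmarkByAddress($_REQUEST['url'], false);` `$deleted = $bookmark !== false && $bs->deleteBookmark($bookmark['bId']);`, and let the existing `if (!$deleted)` branch handle the 500. The missing-url branch still answers with HTTP 200 plus an error body, which is inconsistent with the new 404 and 500 branches; a `header('HTTP/1.0 400 Bad Request');` there would match the stated goal of being correct rather than delicious-compatible. `$userservice` is used but not created in this file, presumably coming from httpauth.inc.php; a short comment noting that would help readers. The trailing `?>` without a newline can be dropped in a PHP-only file.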