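/**
 * Change the skin of a widget and return its re-rendered preview.
 *
 * Reads `widgetId` and `skin` from $_POST, stores the skin name on the widget
 * record and answers with a JSON payload holding the refreshed preview HTML.
 *
 * NOTE(review): no permission or CSRF check is visible in this method;
 * presumably the surrounding controller enforces one - confirm.
 *
 * @return mixed the value of $this->_errorAnswer() when the input is rejected,
 *               otherwise an \Ip\Response\Json instance
 */
public function changeSkin()
{
    if (!isset($_POST['widgetId'])) {
        return $this->_errorAnswer('Missing POST variable widgetId');
    }
    $widgetId = $_POST['widgetId'];

    $record = Model::getWidgetRecord($widgetId);
    if (!$record) {
        // NOTE(review): the request value is echoed back in the error text;
        // confirm that _errorAnswer() encodes it for its output context.
        return $this->_errorAnswer('Unknown widget. ' . $widgetId);
    }

    if (!isset($_POST['skin'])) {
        return $this->_errorAnswer('Missing POST variable skin');
    }
    $skin = $_POST['skin'];

    // isset() is also true for `skin[]=...`, and basename() on an array raises
    // a warning (a TypeError on PHP 8), so reject anything that is not a string.
    if (!is_string($skin)) {
        return $this->_errorAnswer('Invalid POST variable skin');
    }

    // Keep only the last path component so the value cannot carry directories.
    $skin = basename($skin);

    // basename() leaves '.' and '..' untouched and yields '' for input such as
    // '/', so those values would still act as path segments if the skin name is
    // later joined into a file path (that use is not visible here).
    if ($skin === '' || $skin === '.' || $skin === '..') {
        return $this->_errorAnswer('Invalid POST variable skin');
    }

    Model::updateWidget($record['id'], array('skin' => $skin));

    $previewHtml = Model::generateWidgetPreview($widgetId, true);

    $data = array(
        'status' => 'success',
        'action' => '_updateWidget',
        'html' => $previewHtml,
        'widgetId' => $widgetId
    );

    return new \Ip\Response\Json($data);
}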