Ejemplo n.º 1
0
function api_dispatch($method)
{
    if (!$GLOBALS['cfg']['enable_feature_api']) {
        api_output_error(999, 'API disabled');
    }
    $method = filter_strict($method);
    $enc_method = htmlspecialchars($method);
    $methods = $GLOBALS['cfg']['api']['methods'];
    if (!$method || !isset($methods[$method])) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    $method_row = $methods[$method];
    if (!$method_row['enabled']) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    $method_row['name'] = $method;
    # TO DO: check API keys here
    # TO DO: actually check auth here (whatever that means...)
    if ($method_row['requires_auth']) {
        api_auth_ensure_auth($method_row);
    }
    if ($method_row['requires_crumb']) {
        api_auth_ensure_crumb($method_row);
    }
    loadlib($method_row['library']);
    $parts = explode(".", $method);
    $method = array_pop($parts);
    $func = "{$method_row['library']}_{$method}";
    call_user_func($func);
    exit;
}
Ejemplo n.º 2
0
function api_dispatch($method)
{
    if (!$GLOBALS['cfg']['enable_feature_api']) {
        api_output_error(999, 'API disabled');
    }
    $method = filter_strict($method);
    $api_key = request_str("api_key");
    $access_token = request_str("access_token");
    # Log the basics
    api_log(array('api_key' => $api_key, 'method' => $method, 'access_token' => $access_token, 'remote_addr' => $_SERVER['REMOTE_ADDR']));
    $methods = $GLOBALS['cfg']['api']['methods'];
    if (!$method || !isset($methods[$method])) {
        $enc_method = htmlspecialchars($method);
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    apache_setenv("API_METHOD", $method);
    $method_row = $methods[$method];
    $key_row = null;
    $token_row = null;
    if (!$method_row['enabled']) {
        $enc_method = htmlspecialchars($method);
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    $method_row['name'] = $method;
    if ($GLOBALS['cfg']['api_auth_type'] == 'oauth2') {
        if ($_SERVER['REQUEST_METHOD'] != 'POST' && !$GLOBALS['cfg']['api_oauth2_allow_get_parameters']) {
            api_output_error(405, 'Method not allowed');
        }
    }
    if (isset($method_row['request_method'])) {
        if ($_SERVER['REQUEST_METHOD'] != $method_row['request_method']) {
            api_output_error(405, 'Method not allowed');
        }
    }
    # Okay – now we get in to validation and authorization. Which means a
    # whole world of pedantic stupid if we're using Oauth2. Note that you
    # could use OAuth2 and require API keys be passed explictly but since
    # that's not part of the spec if you enable the two features simultaneously
    # don't be surprised when hilarity ensues. Good times. (20121026/straup)
    # First API keys
    if (features_is_enabled("api_require_keys")) {
        if (!$api_key) {
            api_output_error(999, "Required API key is missing");
        }
        $key_row = api_keys_get_by_key($api_key);
        api_keys_utils_ensure_valid_key($key_row);
    }
    # Second auth-y bits
    $auth_rsp = api_auth_ensure_auth($method_row, $key_row);
    if (isset($auth_rsp['api_key'])) {
        $key_row = $auth_rsp['api_key'];
    }
    if (isset($auth_rsp['access_token'])) {
        $token_row = $auth_rsp['access_token'];
    }
    if ($auth_rsp['user']) {
        $GLOBALS['cfg']['user'] = $auth_rsp['user'];
    }
    apache_setenv("API_KEY", $key_row['api_key']);
    # Check for require-iness of users here ?
    # Roles - for API keys (things like only the site keys)
    api_config_ensure_role($method_row, $key_row, $token_row);
    # Blessings and other method specific access controls
    api_config_ensure_blessing($method_row, $key_row, $token_row);
    # Finally, crumbs - because they are tastey
    if ($method_row['requires_crumb']) {
        api_auth_ensure_crumb($method_row);
    }
    # GO!
    loadlib($method_row['library']);
    $parts = explode(".", $method);
    $method = array_pop($parts);
    $func = "{$method_row['library']}_{$method}";
    if (!function_exists($func)) {
        api_output_error(404, "Method not found");
    }
    call_user_func($func);
    exit;
}