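/**
  * Processes a POST (if there was one) of the registration form and, when the posted data validates,
  * creates a new API key for the current user.
  *
  * Returns true only if a key row was inserted and committed. On success the new key is stored under
  * 'apiKey' in $data; on failure the reason is stored under 'errorString' (rendered as HTML by the template).
  *
  * NOTE(review): despite the wording of the earlier description, this method does NOT copy the posted
  * firstName/lastName/email fields back into $data - only 'apiKey' and 'errorString' are set here.
  * Confirm the caller or template re-populates the form on failure.
  * NOTE(review): no CSRF token is checked in this method. If ApiGate::getPost() or the form template does
  * not enforce one, this POST handler can be triggered cross-site.
  * NOTE(review): self::generateKey() is not visible here - confirm it draws from a CSPRNG, since the key
  * is the only credential an API client presents.
  *
  * @param data - array - an associative array whose keys are the names of the variables for the template
  *                       and whose values are the defaults for those fields. Modified in place (see above).
  * @return boolean - true if there was a successful registration, false if there was no registration
  *                   attempt or it failed (the error is then in $data['errorString']).
  */
 public static function processPost(&$data)
 {
     if (ApiGate::getPost('formName') != "apiGate_register") {
         // Not our form (or no POST at all): nothing to do.
         return false;
     }
     $firstName = ApiGate::getPost('firstName');
     $lastName = ApiGate::getPost('lastName');
     $email_1 = ApiGate::getPost('email_1');
     $email_2 = ApiGate::getPost('email_2');
     // Validate the input. Cast so the empty-string check below can be strict.
     $errorString = (string) ApiGate_Register::validateNameAndEmail($firstName, $lastName, $email_1, $email_2, "");
     $didRegister = false;
     if ($errorString === '') {
         // Input was valid: create a new API key and store it with the values provided.
         $apiKey = self::generateKey();
         $userId = ApiGate_Config::getUserId();
         // This is library code (not MediaWiki), so the query is built by hand. Every value goes through
         // mysql_real_escape_string() on the write connection; the legacy mysql_* extension (removed in
         // PHP 7) is what ApiGate_Config::getMasterDb() hands out.
         $dbw = ApiGate_Config::getMasterDb();
         $values = array(
             mysql_real_escape_string($userId, $dbw),
             mysql_real_escape_string($apiKey, $dbw),
             mysql_real_escape_string($email_1, $dbw),
             mysql_real_escape_string($firstName, $dbw),
             mysql_real_escape_string($lastName, $dbw),
         );
         $queryString = "INSERT INTO /* ApiGate_Register::processPost() */" . ApiGate::TABLE_KEYS
             . " (user_id, apiKey, email, firstName, lastName) VALUES ('" . implode("', '", $values) . "')";
         if (ApiGate::sendQuery($queryString)) {
             // MediaWiki was randomly not saving the row without an explicit COMMIT.
             ApiGate::sendQuery("COMMIT");
             $data['apiKey'] = $apiKey;
             $didRegister = true;
         } else {
             $errorString .= "\n" . i18n('apigate-mysql-error');
             // The raw driver error names tables/columns and echoes query fragments, so it must not be
             // shown to ordinary users: log it server-side and display it to admins only.
             $dbError = mysql_error($dbw);
             error_log(__METHOD__ . ": INSERT into " . ApiGate::TABLE_KEYS . " failed: " . $dbError);
             if (ApiGate_Config::isAdmin()) {
                 $errorString .= "\n<br/><br/>" . htmlspecialchars($dbError, ENT_QUOTES, 'UTF-8');
             }
         }
     }
     if ($errorString !== '') {
         // Newlines become <br/> because the template renders this string as HTML.
         $data['errorString'] = str_replace("\n", "<br/>", trim($errorString));
     }
     return $didRegister;
 }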
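 /**
  * Displays usage stats (as interactive javascript charts) for a specific API key.  Re-uses
  * some of our SponsorshipDashboard code, so it's not reusable by ApiGate and isn't very customizable
  * yet, but using SD saved a TON by getting us a decent amount of features in almost no time.
  *
  * The calling code is responsible for checking whether the user should be allowed to see the html
  * that this function returns: nothing in here verifies that the current user owns $apiKey. The only
  * per-user distinction made is that the hourly chart is rendered for admins only (to help them spot
  * anything weird); everyone else gets daily and monthly.
  *
  * @param apiKey - string - api key whose usage stats should be shown. Passed straight through to
  *                          getChartHtmlByPeriod(); confirm that method escapes it before use.
  * @return string - the html for showing the charts of stats. Can be thrown right into wgOut.
  */
 public function subpage_keyStats($apiKey)
 {
     wfProfileIn(__METHOD__);
     $html = "";
     // TODO: LATER: When API Gate has its own charting, use that instead of this SponsorshipDashboard-dependent code.
     $metricName = wfMsg('apigate-chart-metric-requests');
     // (period, message key for the chart title) in render order.
     $periods = array();
     if (ApiGate_Config::isAdmin()) {
         // To avoid confusion, mention on the page that only admins see the hourly graph.
         $html .= wfMsg('apigate-hourly-admin-only') . "<br/><br/>\n";
         $periods[] = array("hourly", 'apigate-chart-name-hourly');
     }
     $periods[] = array("daily", 'apigate-chart-name-daily');
     $periods[] = array("monthly", 'apigate-chart-name-monthly');
     foreach ($periods as $entry) {
         list($period, $chartMsgKey) = $entry;
         $html .= $this->getChartHtmlByPeriod($apiKey, $period, $metricName, wfMsg($chartMsgKey));
     }
     wfProfileOut(__METHOD__);
     return $html;
 }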
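 /**
  * If the form in the 'key' template was posted, this will process it and apply any updates.
  *
  * Access control: the key is loaded with ApiGate_ApiKey::newFromDb() and is edited only if
  * canBeEditedByCurrentUser() allows it. "Not found" and "not allowed" deliberately yield the same
  * error message so a caller cannot probe which keys exist and then spoof as that app. Only admins
  * may change the enabled flag; such a change is recorded in the ban log and the key's remote cache
  * entry (e.g. Fastly's cached key check) is purged.
  *
  * NOTE(review): no CSRF token is checked here. Confirm the form or ApiGate::getPost() enforces one;
  * otherwise an admin lured onto a hostile page could have keys enabled/disabled on their behalf.
  * NOTE(review): the ban-log row is inserted (and the cache purged) BEFORE the UPDATE runs, so a
  * failed UPDATE leaves a log entry for a change that was never applied.
  *
  * @return string - any errors that occurred while trying to update the key info; "" on success or
  *                  when this form was not posted.
  */
 public static function processPost()
 {
     if (ApiGate::getPost('formName') != "apiGate_apiKey_updateKeyInfo") {
         return "";
     }
     $apiKey = ApiGate::getPost('apiKey');
     $apiKeyObject = ApiGate_ApiKey::newFromDb($apiKey);
     if (!is_object($apiKeyObject) || !$apiKeyObject->canBeEditedByCurrentUser()) {
         // Intentionally vague: the same text for a missing key and a forbidden one (see header comment).
         // NOTE(review): $apiKey is user input reflected into HTML; confirm i18n()/getErrorHtml() escape
         // their arguments, otherwise this is a reflected-XSS sink.
         return ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKey));
     }
     $nickName = ApiGate::getPost('nickName');
     $firstName = ApiGate::getPost('firstName');
     $lastName = ApiGate::getPost('lastName');
     $email_1 = ApiGate::getPost('email_1');
     $email_2 = ApiGate::getPost('email_2');
     // Validate input (same business logic as ApiGate_Register::processPost()).
     global $API_GATE_DIR;
     include_once "{$API_GATE_DIR}/ApiGate_Register.class.php";
     $errorString = (string) ApiGate_Register::validateNameAndEmail($firstName, $lastName, $email_1, $email_2, "");
     if ($errorString !== '') {
         return $errorString;
     }
     // No errors: update the key info. Every user-supplied value is escaped for the write connection.
     $dbw = ApiGate_Config::getMasterDb();
     $setClauses = array(
         "nickName='" . mysql_real_escape_string($nickName, $dbw) . "'",
         "firstName='" . mysql_real_escape_string($firstName, $dbw) . "'",
         "lastName='" . mysql_real_escape_string($lastName, $dbw) . "'",
         "email='" . mysql_real_escape_string($email_1, $dbw) . "'",
     );
     // Only admins may flip the enabled/disabled field from this form.
     if (ApiGate_Config::isAdmin()) {
         $enabled = intval(ApiGate::getPost('enabled')); // intval() is what keeps this safe to interpolate
         $setToEnabled = $enabled !== 0;
         // Only log and apply when the flag actually changes.
         if ($setToEnabled != $apiKeyObject->isEnabled()) {
             $setClauses[] = "enabled='{$enabled}'";
             $reason = ApiGate::getPost('reason');
             $logQuery = "INSERT INTO " . ApiGate::TABLE_BANLOG . " (apiKey, action, username, reason) VALUES ("
                 . "'" . $apiKeyObject->getApiKeySqlSafe() . "'"
                 . ", '" . ($setToEnabled ? "enabled" : "disabled") . "'"
                 . ", '" . mysql_real_escape_string(ApiGate_Config::getUsername(), $dbw) . "'"
                 . ", 'MANUAL CHANGE: " . mysql_real_escape_string($reason, $dbw) . "'"
                 . ")";
             ApiGate::sendQuery($logQuery);
             // Purge the remote cache of this key's validity so the change takes effect at the edge.
             ApiGate::purgeKey($apiKey);
         }
     }
     $queryString = "UPDATE " . ApiGate::TABLE_KEYS . " SET " . implode(", ", $setClauses)
         . " WHERE apiKey='" . $apiKeyObject->getApiKeySqlSafe() . "'";
     if (ApiGate::sendQuery($queryString)) {
         // MediaWiki was randomly not saving some rows without an explicit COMMIT.
         ApiGate::sendQuery("COMMIT");
     } else {
         $errorString .= "\n" . i18n('apigate-register-error-mysql_error');
         // The raw driver error names tables/columns and echoes query fragments, so it must not be shown
         // to ordinary users: log it server-side and display it to admins only.
         $dbError = mysql_error($dbw);
         error_log(__METHOD__ . ": UPDATE of " . ApiGate::TABLE_KEYS . " failed: " . $dbError);
         if (ApiGate_Config::isAdmin()) {
             $errorString .= "\n<br/><br/>" . htmlspecialchars($dbError, ENT_QUOTES, 'UTF-8');
         }
     }
     return $errorString;
 }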
        $statusMsg = i18n('apigate-keyinfo-status-enabled');
    } else {
        $statusClass = "disabled";
        $statusMsg = i18n('apigate-keyinfo-status-disabled');
    }
    $statusHtml = "<span class='status {$statusClass}'>{$statusMsg}</span>";
}
print i18n('apigate-keyinfo-status', $statusHtml);
// If the key is disabled, show the user why.
if (!$apiKeyObject->isEnabled()) {
    $reasonBanned = $apiKeyObject->getReasonBanned();
    $reasonBanned = $reasonBanned == null ? i18n('apigate-keyinfo-no-reason-found') : $apiKeyObject->getReasonBanned();
    print "<div class='reasonDisabled'>\n" . i18n('apigate-keyinfo-reason-disabled', $reasonBanned) . "\n</div>\n";
}
// Always display the full banlog to admins if there are any events in it.
if (ApiGate_Config::isAdmin()) {
    print "<div class='banLog'>\n" . i18n('apigate-keyinfo-banlog-heading') . "\n<br/>\n";
    print $apiKeyObject->getBanLogHtml() . "</div>\n";
}
?>
			<br/>
			<?php 
echo i18n('apigate-keyinfo-name');
?>
<br/>
			<input type='text' name='firstName' value='<?php 
echo $apiKeyObject->getFirstName();
?>
' style='width:192px'/>
			&nbsp;<input type='text' name='lastName' value='<?php 
echo $apiKeyObject->getLastName();
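 /**
  * Returns the result of a READ-ONLY mySQL query that only has one result (one column and one row).
  *
  * NOTE: for READ-ONLY operations. Nothing here enforces that: the query runs on the slave
  * connection, but the string is executed exactly as given. It is the CALLER's responsibility to
  * build $queryString from constants and mysql_real_escape_string()'d values only - never pass
  * user input into it unescaped.
  *
  * @param queryString - string - the complete SQL to run.
  * @return mixed - the first column of the first row, or "" if the query failed (the failure is
  *                 reported through ApiGate::queryError()), returned no rows, or was not a
  *                 result-producing statement.
  */
 public static function simpleQuery($queryString)
 {
     wfProfileIn(__METHOD__);
     $dbr = ApiGate_Config::getSlaveDb();
     $retVal = "";
     $result = mysql_query($queryString, $dbr);
     if ($result === false) {
         ApiGate::queryError($queryString, $dbr);
     } elseif (is_resource($result)) {
         // A non-SELECT statement returns true rather than a result set; only a resource has rows.
         $row = mysql_fetch_row($result);
         if ($row !== false) {
             $retVal = $row[0];
         }
         // Release the result set now instead of holding it until the request ends.
         mysql_free_result($result);
     }
     wfProfileOut(__METHOD__);
     return $retVal;
 }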