function __construct()
{
// REQUIRED IN EXTENDED CLASS TO LOAD DEFAULTS
parent::__construct();
session_start();
session_regenerate_id();
}
/**
* REST POST - Change a users profile details, this requires a table called 'user' and 'banned' in your db with various fields as per header
* @param $data The data to update the users profile with
* @return message as complete or error
*/
public function post($data)
{
// check we have a logged in user
if ((int) $this->user['access_level'] < 1) {
$this->response('You do not have permission to perform that action', 'json', 401);
}
if (empty($data)) {
$this->response('Invalid data', 'json', 400);
}
if ($this->user["id"] != $data["id"]) {
$this->response('You do not have permission to alter that account', 'json', 401);
}
// check password
$user_password_check = $this->rars_db->get_first('user', '*', array('id' => $this->user['id']));
if (!$user_password_check) {
$this->response('Permission denied', 'json', 401);
}
if (RarsAPI::create_hash($data['password'], substr($user_password_check['password'], 0, strlen($user_password_check['password']) / 2), 'sha1') !== $user_password_check['password']) {
$this->response('Permission denied, password incorrect', 'json', 401);
}
// check if we are doing a deletion
if (isset($data['delete']) && $data['delete'] == 1) {
$this->rars_db->delete_data('user', array('id' => $this->user['id']));
$this->response('Account deleted, logging you out...', 'json', 202);
// reset content as deleted
}
// check email is unique if changed
if ($data["email_address"] != $this->user["email_address"]) {
$user_email_check = $this->rars_db->get_first('user', '*', array('email_address' => $data["email_address"]));
if (!empty($user)) {
$this->response('Email address already registered', 'json', 409);
}
}
// if this is your account, alter name and email
$row = array("name" => $data["name"], "email_address" => $data["email_address"]);
if (isset($data["new_password"]) && !empty($data["new_password"])) {
$row["password"] = $this->create_hash($data["new_password"]);
}
$this->rars_db->edit_data('user', $row, array('id' => $this->user['id']));
if (isset($row["password"])) {
$this->response('User account updated, logging you out...', 'json', 202);
} else {
$this->response('User account updated', 'json');
}
}
/**
* Handle Error
* Handles all errors and exceptions
*
* @param string $error_type Type of error
* @param string $error_string Actual error string
* @param string $error_file File error happened in
* @param string $error_line Line error happened on
* @return bool True on pass
*/
public function handle_error($error_type = "", $error_string = "", $error_file = "", $error_line = "")
{
$error_group = 'log';
// changeing log type to chrome php
$type = '';
if (is_int($error_type)) {
switch ($error_type) {
case E_ERROR:
// 1 //
$error_group = 'error';
$type = 'E_ERROR';
break;
case E_WARNING:
// 2 //
$error_group = 'warn';
$type = 'E_WARNING';
break;
case E_PARSE:
// 4 //
$type = 'E_PARSE';
break;
case E_NOTICE:
// 8 //
$type = 'E_NOTICE';
break;
case E_CORE_ERROR:
// 16 //
$error_group = 'error';
$type = 'E_CORE_ERROR';
break;
case E_CORE_WARNING:
// 32 //
$error_group = 'warn';
$type = 'E_CORE_WARNING';
break;
case E_CORE_ERROR:
// 64 //
$error_group = 'error';
$type = 'E_COMPILE_ERROR';
break;
case E_CORE_WARNING:
// 128 //
$error_group = 'warn';
$type = 'E_COMPILE_WARNING';
break;
case E_USER_ERROR:
// 256 //
$error_group = 'error';
$type = 'E_USER_ERROR';
break;
case E_USER_WARNING:
// 512 //
$error_group = 'warn';
$type = 'E_USER_WARNING';
break;
case E_USER_NOTICE:
// 1024 //
$type = 'E_USER_NOTICE';
break;
case E_STRICT:
// 2048 //
$type = 'E_STRICT';
break;
case E_RECOVERABLE_ERROR:
// 4096 //
$error_group = 'error';
$type = 'E_RECOVERABLE_ERROR';
break;
case E_DEPRECATED:
// 8192 //
$type = 'E_DEPRECATED';
break;
case E_USER_DEPRECATED:
// 16384 //
$type = 'E_USER_DEPRECATED';
break;
}
}
$error['error'] = $type;
$error['type'] = $error_type;
$error['file'] = $error_file;
$error['line'] = $error_line;
$error['string'] = $error_string;
$error['group'] = $error_group;
// log error
self::log_error($error);
// log error to chromephp
self::chrome_php($error, false);
// display error on screen
self::display_error($error);
if (class_exists("RarsAPI")) {
RarsAPI::response(null, null, 500);
} else {
return true;
}
}
$path_parts = explode("/", $_GET["path"]);
$filename = "";
$classname = "";
$found = false;
$c = 0;
foreach ($path_parts as $pp) {
$c++;
$filename .= "/" . preg_replace("/[^a-z0-9_-]/", '', strtolower($pp));
$classname .= ucfirst(preg_replace("/[^a-z0-9_]/", '', strtolower($pp)));
if (is_file(RARS_BASE_PATH . "api{$filename}.php")) {
$found = true;
break;
}
}
if (!$found) {
RarsAPI::response(null, null, $code = 404);
}
// grab any data or id's data
if ($method == "delete" || $method == "get") {
$data = count($path_parts) == $c + 1 ? RarsAPI::clean_data($path_parts[$c]) : (count($path_parts) == $c + 2 ? RarsAPI::clean_data($path_parts[$c + 1]) : null);
} else {
$data = RarsAPI::clean_data(!empty($_POST) ? $_POST : json_decode(file_get_contents('php://input')));
}
// load resource or throw error
include RARS_BASE_PATH . "api{$filename}.php";
$resource = new $classname();
if (!method_exists($resource, $method)) {
RarsAPI::response(null, null, $code = 405);
}
$response = $resource->{$method}($data);
/* EOF */
function __construct()
{
// REQUIRED IN EXTENDED CLASS TO LOAD DEFAULTS
parent::__construct();
}
/**
* REST POST - Log in user, this requires a table called 'user' nad 'banned' in your db with various fields as per header
* @param $data The login data via rest request containing 'username' and 'password', note username contains the email_address
* @return array Basic user details of varified account against the username and password, also sets correct return Autherization header for token generated
*/
public function post($data)
{
// check if email set
if (!isset($data["username"]) || !isset($data['password'])) {
$this->response('Login failed: username or password missmatch', 'json', 401);
}
$ip_address = preg_replace("/[^0-9.]/", '', substr($_SERVER["REMOTE_ADDR"], 0, 50));
$user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($_SERVER["HTTP_USER_AGENT"], 0, 250));
// check ban list if active before doing anything else
if (RARS_ACCESS_BAN_ATTEMPS > 0) {
// find banned rows
$banned = $this->rars_db->get_first('banned', '*', array('ip_address' => $ip_address, 'user_agent' => $user_agent));
if (!empty($banned)) {
$this->response('Login failed: ip banned', 'json', 401);
}
}
/* carry on with login */
// find user
$user = $this->rars_db->get_first('user', '*', array('email_address' => $data['username']));
// check user found
if (empty($user)) {
$this->response('Login failed: username or password missmatch', 'json', 401);
}
// check if user is locked out here
if (!empty($user['lock_until']) && strtotime($user['lock_until']) > time()) {
$this->response('Login failed: user locked out please try later', 'json', 401);
}
// check active user
if (!$user['active']) {
$this->response('Login failed: user not active', 'json', 401);
}
// now check if password ok (we need password first to get salt from it before we can check it), if not then send response
if (RarsAPI::create_hash($data['password'], substr($user['password'], 0, strlen($user['password']) / 2), 'sha1') !== $user['password']) {
// data to update
$update_data = array('failed_attempts' => $user['failed_attempts']++);
if ($user['failed_attempts'] > 0 && $user['failed_attempts'] % RARS_ACCESS_ATTEMPTS == 0) {
$update_data['lock_until'] = date('Y-m-d H:i:s', time() + RARS_ACCESS_LOCKOUT);
}
// update
$this->rars_db->edit_data('user', $update_data, array('id' => $user['id']));
// add to banned list if banned active and too many attempts
if (RARS_ACCESS_BAN_ATTEMPS > 0 && $user['failed_attempts'] + 1 >= RARS_ACCESS_BAN_ATTEMPS) {
// add ip and agent to banned
$this->rars_db->add_data('banned', array('ip_address' => $ip_address, 'user_agent' => $user_agent, 'created' => date('Y-m-d H:i:s', time())));
}
$this->response('Login failed: username or password missmatch', 'json', 401);
}
/* we are now authenticated, respond and send token back */
// need to create a token and last logged stamp and save it in the db
$last_logged = date('Y-m-d H:i:s', time());
$pass_hash = $user['password'];
$token = sha1($last_logged . $user_agent . $ip_address . $pass_hash) . '_' . $user['id'];
// update data
$update_data = array('id' => $user['id'], 'last_logged_in' => $last_logged, 'last_accessed' => $last_logged, 'ip_address' => $ip_address);
$user = $this->rars_db->edit_data('user', $update_data, array('id' => $user['id']), '*');
// collect user data
$user_data = array('id' => $user[0]['id'], 'name' => $user[0]['name'], 'email_address' => $user[0]['email_address'], 'last_logged_in' => $user[0]['last_logged_in'], 'access_level' => $user[0]['access_level']);
// setup response with authorization token
$_SERVER['HTTP_AUTHORIZATION'] = $token;
$this->response($user_data, 'json');
}
private static function xml($data)
{
$data = RarsAPI::clean_output($data);
// build sitemap index
$output = '<?xml version="1.0" encoding="UTF-8"?>';
$output .= $data;
header('Content-Type: application/xml; charset=utf-8');
header("Cache-Control: no-cache, no-store, must-revalidate");
echo $output;
exit;
}
