debug_event('Access Control', 'Error Attempted to use XML API with Access Control turned off', '3'); echo XML_Data::error('501', T_('Access Control not Enabled')); exit; } /** * Verify the existance of the Session they passed in we do allow them to * login via this interface so we do have an exception for action=login */ if (!Session::exists('api', $_REQUEST['auth']) and $_REQUEST['action'] != 'handshake' and $_REQUEST['action'] != 'ping') { debug_event('Access Denied', 'Invalid Session attempt to API [' . $_REQUEST['action'] . ']', '3'); ob_end_clean(); echo XML_Data::error('401', T_('Session Expired')); exit; } // If the session exists then let's try to pull some data from it to see if we're still allowed to do this $username = $_REQUEST['action'] == 'handshake' || $_REQUEST['action'] == 'ping' ? $_REQUEST['user'] : Session::username($_REQUEST['auth']); if (!Access::check_network('init-api', $username, 5)) { debug_event('Access Denied', 'Unauthorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3'); ob_end_clean(); echo XML_Data::error('403', T_('Unauthorized access attempt to API - ACL Error')); exit; } if ($_REQUEST['action'] != 'handshake' and $_REQUEST['action'] != 'ping') { Session::extend($_REQUEST['auth']); $GLOBALS['user'] = User::get_from_username($username); } // Get the list of possible methods for the Ampache API $methods = get_class_methods('api'); // Define list of internal functions that should be skipped $internal_functions = array('set_filter'); // Recurse through them and see if we're calling one of them