/** * Displays the page with key information and statistics (one tab each). */ public function subpage_key($apiKey) { wfProfileIn(__METHOD__); $apiKeyObject = ApiGate_ApiKey::newFromDb($apiKey); $html = ""; ob_start(); if (is_object($apiKeyObject)) { // Determine if the current user can view this key (they must either own it or be an ApiGate admin). if ($apiKeyObject->canBeViewedByCurrentUser()) { $useTwoColLayout = false; // use full width so that the charts fit // Use standard tabs (from UI Style Guide) ?> <ul class="tabs"> <li class="selected" data-tab="apiGate_keyInfo"><a><?php echo wfMsg('apigate-tab-keyinfo'); ?> </a></li> <li data-tab="apiGate_keyStats"><a><?php echo wfMsg('apigate-tab-keystats'); ?> </a></li> </ul> <div id="apiGate_keyInfo" data-tab-body="apiGate_keyInfo" class="tabBody selected"> <?php echo $this->subpage_keyInfo($apiKeyObject); ?> </div> <div id="apiGate_keyStats" data-tab-body="apiGate_keyStats" class="tabBody"> <?php echo $this->subpage_keyStats($apiKey); ?> </div><!-- end apiGate_keyStats --> <?php } else { ApiGate::printError(i18n('apigate-error-keyaccess-denied', $apiKey)); } } else { // NOTE: This message which says essentially "not found or you don't have access" is intentionally vauge. // If we had access-denied and key-not-found be different errors, attackers could just iterate through a bunch of possibilities // until they found a key that exists & then they could spoof as being that app. ApiGate::printError(i18n('apigate-error-keyaccess-denied', $apiKey)); } $html .= ob_get_clean(); wfProfileOut(__METHOD__); return $html; }
/** * If the form in the 'key' template was posted, this will process it and apply any updates. * * @return string - a string containing any errors that occurred while trying to update the key info. */ public static function processPost() { $errorString = ""; if (ApiGate::getPost('formName') == "apiGate_apiKey_updateKeyInfo") { $apiKey = ApiGate::getPost('apiKey'); $apiKeyObject = ApiGate_ApiKey::newFromDb($apiKey); if (is_object($apiKeyObject)) { if ($apiKeyObject->canBeEditedByCurrentUser()) { $nickName = ApiGate::getPost('nickName'); $firstName = ApiGate::getPost('firstName'); $lastName = ApiGate::getPost('lastName'); $email_1 = ApiGate::getPost('email_1'); $email_2 = ApiGate::getPost('email_2'); // Validate input (same business logic as ApiGate_Register::processPost()). global $API_GATE_DIR; include_once "{$API_GATE_DIR}/ApiGate_Register.class.php"; $errorString = ApiGate_Register::validateNameAndEmail($firstName, $lastName, $email_1, $email_2, $errorString); // If there were no errors, update the key info in the database. if ($errorString == "") { $dbw = ApiGate_Config::getMasterDb(); $queryString = "UPDATE " . ApiGate::TABLE_KEYS . " SET "; $queryString .= "nickName='" . mysql_real_escape_string($nickName, $dbw) . "'"; $queryString .= ", firstName='" . mysql_real_escape_string($firstName, $dbw) . "'"; $queryString .= ", lastName='" . mysql_real_escape_string($lastName, $dbw) . "'"; $queryString .= ", email='" . mysql_real_escape_string($email_1, $dbw) . "'"; // If this is an admin, also allow changing of the enabled/disabled field from this form. if (ApiGate_Config::isAdmin()) { $enabled = intval(ApiGate::getPost('enabled')); $setToEnabled = $enabled !== 0; // If there was a change, update the log and apply it. if ($setToEnabled != $apiKeyObject->isEnabled()) { $queryString .= ", enabled='{$enabled}'"; $reason = ApiGate::getPost('reason'); $logQuery = "INSERT INTO " . ApiGate::TABLE_BANLOG . " (apiKey, action, username, reason) VALUES ("; $logQuery .= "'" . $apiKeyObject->getApiKeySqlSafe() . "'"; $logQuery .= ", '" . ($setToEnabled ? "enabled" : "disabled") . "'"; $logQuery .= ", '" . mysql_real_escape_string(ApiGate_Config::getUsername(), $dbw) . "'"; $logQuery .= ", 'MANUAL CHANGE: " . mysql_real_escape_string($reason, $dbw) . "'"; $logQuery .= ")"; ApiGate::sendQuery($logQuery); // Purge the remote cache of this key's validity (for example, Fastly's cached call to check if the key is allowed to access the API). ApiGate::purgeKey($apiKey); } } $queryString .= " WHERE apiKey='{$apiKeyObject->getApiKeySqlSafe()}'"; if (ApiGate::sendQuery($queryString)) { ApiGate::sendQuery("COMMIT"); // MediaWiki was randomly not saving some rows without this (the registration queries, so I'm assuming it's the same everywhere). } else { $errorString .= "\n" . i18n('apigate-register-error-mysql_error'); $errorString .= "\n<br/><br/>" . mysql_error($dbw); } } } else { $errorString .= ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKey)); } } else { // NOTE: This message which says essentially "not found or you don't have access" is intentionally vauge. // If we had access-denied and key-not-found be different errors, attackers could just iterate through a bunch of possibilities // until they found a key that exists & then they could spoof as being that app. $errorString .= ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKey)); } } return $errorString; }