public function __construct($action, $settings, $extra)
{
if (!Z_CONFIG::$API_ENABLED) {
$this->e503(Z_CONFIG::$MAINTENANCE_MESSAGE);
}
set_exception_handler(array($this, 'handleException'));
set_error_handler(array($this, 'handleError'), E_USER_ERROR);
require_once '../model/Error.inc.php';
$this->startTime = microtime(true);
$this->method = $_SERVER['REQUEST_METHOD'];
/*if (isset($_SERVER['REMOTE_ADDR'])
&& in_array($_SERVER['REMOTE_ADDR'], array(''))) {
header("HTTP/1.1 429 Rate Limited");
die("Too many requests");
}*/
if (!in_array($this->method, array('HEAD', 'GET', 'PUT', 'POST', 'DELETE', 'PATCH'))) {
header("HTTP/1.1 501 Not Implemented");
die("Method is not implemented");
}
// There doesn't seem to be a way for PHP to start processing the request
// before the entire body is sent, so an Expect: 100 Continue will,
// depending on the client, either fail or cause a delay while the client
// waits for the 100 response. To make this explicit, we return an error.
if (!empty($_SERVER['HTTP_EXPECT'])) {
header("HTTP/1.1 417 Expectation Failed");
die("Expect header is not supported");
}
if (in_array($this->method, array('POST', 'PUT', 'PATCH'))) {
$this->ifUnmodifiedSince = isset($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) : false;
$this->body = file_get_contents("php://input");
}
if ($this->profile) {
Zotero_DB::profileStart($this->profileShard);
}
// If HTTP Basic Auth credentials provided, authenticate
if (isset($_SERVER['PHP_AUTH_USER'])) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
if ($username == Z_CONFIG::$API_SUPER_USERNAME && $password == Z_CONFIG::$API_SUPER_PASSWORD) {
$this->userID = 0;
$this->permissions = new Zotero_Permissions();
$this->permissions->setSuper();
} else {
if (!empty($extra['allowHTTP'])) {
$userID = Zotero_Users::authenticate('password', array('username' => $username, 'password' => $password));
if (!$userID) {
$this->e401('Invalid login');
}
$this->httpAuth = true;
$this->userID = $userID;
$this->grantUserPermissions($userID);
} else {
$this->e401('Invalid login');
}
}
} else {
if (isset($_GET['key'])) {
$keyObj = Zotero_Keys::authenticate($_GET['key']);
if (!$keyObj) {
$this->e403('Invalid key');
}
$this->apiKey = $_GET['key'];
$this->userID = $keyObj->userID;
$this->permissions = $keyObj->getPermissions();
// Check X-Zotero-Write-Token if it exists to make sure
if ($this->method == 'POST' || $this->method == 'PUT') {
if ($cacheKey = $this->getWriteTokenCacheKey()) {
if (Z_Core::$MC->get($cacheKey)) {
$this->e412("Write token already used");
}
}
}
} else {
if (!empty($_COOKIE) && !empty($_GET['session']) && ($this->userID = Zotero_Users::getUserIDFromSession($_COOKIE, $_GET['session']))) {
$this->grantUserPermissions($this->userID);
$this->cookieAuth = true;
} else {
if (!empty($_GET['auth'])) {
$this->e401();
}
// Always challenge a 'me' request
if (!empty($extra['userID']) && $extra['userID'] == 'me') {
$this->e403('You must specify a key when making a /me request.');
}
// Explicit auth request or not a GET request
if ($this->method != "GET") {
$this->e403('You must specify a key to access the Zotero API.');
}
// Anonymous request
$this->permissions = new Zotero_Permissions();
$this->permissions->setAnonymous();
}
}
}
// Get the API version
if (empty($_REQUEST['version'])) {
$this->apiVersion = $this->defaultAPIVersion;
} else {
if (!in_array($_REQUEST['version'], $this->validAPIVersions)) {
$this->e400("Invalid request API version '{$_REQUEST['version']}'");
}
$this->apiVersion = (int) $_REQUEST['version'];
}
$this->uri = Z_CONFIG::$API_BASE_URI . substr($_SERVER["REQUEST_URI"], 1);
// Get object user
if (!empty($extra['userID'])) {
// Possibly temporary shortcut for viewing one's own data via HTTP Auth
if ($extra['userID'] == 'me') {
$objectUserID = $this->userID;
} else {
$objectUserID = (int) $extra['userID'];
if (!$objectUserID) {
$this->e400("Invalid user ID", Z_ERROR_INVALID_INPUT);
}
}
$this->objectUserID = $objectUserID;
try {
$this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($objectUserID);
} catch (Exception $e) {
if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) {
try {
Zotero_Users::addFromWWW($objectUserID);
} catch (Exception $e) {
if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) {
$this->e404();
}
throw $e;
}
$this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($objectUserID);
} else {
throw $e;
}
}
// Make sure user isn't banned
if (!Zotero_Users::isValidUser($objectUserID)) {
$this->e404();
}
} else {
if (!empty($extra['groupID'])) {
$objectGroupID = (int) $extra['groupID'];
if (!$objectGroupID) {
$this->e400("Invalid group ID", Z_ERROR_INVALID_INPUT);
}
// Make sure group exists
$group = Zotero_Groups::get($objectGroupID);
if (!$group) {
$this->e404();
}
// Don't show groups owned by banned users
if (!Zotero_Users::isValidUser($group->ownerUserID)) {
$this->e404();
}
$this->objectGroupID = $objectGroupID;
$this->objectLibraryID = Zotero_Groups::getLibraryIDFromGroupID($objectGroupID);
}
}
// Return 409 if target library is locked
switch ($this->method) {
case 'POST':
case 'PUT':
case 'DELETE':
switch ($action) {
// Library lock doesn't matter for some admin requests
case 'storageadmin':
break;
default:
if ($this->objectLibraryID && Zotero_Libraries::isLocked($this->objectLibraryID)) {
$this->e409("Target library is locked");
}
break;
}
}
$this->scopeObject = !empty($extra['scopeObject']) ? $extra['scopeObject'] : null;
$this->scopeObjectID = !empty($extra['scopeObjectID']) ? (int) $extra['scopeObjectID'] : null;
if (!empty($extra['scopeObjectKey'])) {
// Handle incoming requests using ids instead of keys
// - Keys might be all numeric, so only do this if length != 8
if (preg_match('/^[0-9]+$/', $extra['scopeObjectKey']) && strlen($extra['scopeObjectKey']) != 8) {
$this->scopeObjectID = (int) $extra['scopeObjectKey'];
} else {
if (preg_match('/[A-Z0-9]{8}/', $extra['scopeObjectKey'])) {
$this->scopeObjectKey = $extra['scopeObjectKey'];
}
}
}
$this->scopeObjectName = !empty($extra['scopeObjectName']) ? urldecode($extra['scopeObjectName']) : null;
// Can be either id or key
if (!empty($extra['key'])) {
if (!empty($_GET['key']) && strlen($_GET['key']) == 8) {
$this->objectKey = $extra['key'];
} else {
if (!empty($_GET['iskey'])) {
$this->objectKey = $extra['key'];
} else {
if (preg_match('/^[0-9]+$/', $extra['key'])) {
$this->objectID = (int) $extra['key'];
} else {
if (preg_match('/^[A-Z0-9]{8}$/', $extra['key'])) {
$this->objectKey = $extra['key'];
} else {
if ($extra['key'] != 'top') {
Z_Core::logError("=============");
Z_Core::logError("Invalid key");
Z_Core::logError($extra['key']);
}
}
}
}
}
}
if (!empty($extra['id'])) {
$this->objectID = (int) $extra['id'];
}
$this->objectName = !empty($extra['name']) ? urldecode($extra['name']) : null;
$this->subset = !empty($extra['subset']) ? $extra['subset'] : null;
$this->fileMode = !empty($extra['file']) ? !empty($_GET['info']) ? 'info' : 'download' : false;
$this->fileView = !empty($extra['view']);
$singleObject = ($this->objectID || $this->objectKey) && !$this->subset;
$this->queryParams = Zotero_API::parseQueryParams($_SERVER['QUERY_STRING'], $action, $singleObject);
}
