public function init($extra)
{
$this->startTime = microtime(true);
if (!Z_CONFIG::$API_ENABLED) {
$this->e503(Z_CONFIG::$MAINTENANCE_MESSAGE);
}
set_exception_handler(array($this, 'handleException'));
// TODO: Throw error on some notices but allow DB/Memcached/etc. failures?
//set_error_handler(array($this, 'handleError'), E_ALL | E_USER_ERROR | E_RECOVERABLE_ERROR);
set_error_handler(array($this, 'handleError'), E_USER_ERROR | E_RECOVERABLE_ERROR);
require_once '../model/Error.inc.php';
// On testing sites, include notifications in headers
if (Z_CONFIG::$TESTING_SITE) {
Zotero_NotifierObserver::addMessageReceiver(function ($topic, $msg) {
$header = "Zotero-Debug-Notifications";
if (!empty($this->headers[$header])) {
$notifications = json_decode(base64_decode($this->headers[$header]));
} else {
$notifications = [];
}
$notifications[] = $msg;
$this->headers[$header] = base64_encode(json_encode($notifications));
});
}
register_shutdown_function(array($this, 'checkDBTransactionState'));
register_shutdown_function(array($this, 'logTotalRequestTime'));
register_shutdown_function(array($this, 'checkForFatalError'));
register_shutdown_function(array($this, 'addHeaders'));
$this->method = $_SERVER['REQUEST_METHOD'];
if (!in_array($this->method, array('HEAD', 'OPTIONS', 'GET', 'PUT', 'POST', 'DELETE', 'PATCH'))) {
$this->e501();
}
StatsD::increment("api.request.method." . strtolower($this->method), 0.25);
// There doesn't seem to be a way for PHP to start processing the request
// before the entire body is sent, so an Expect: 100 Continue will,
// depending on the client, either fail or cause a delay while the client
// waits for the 100 response. To make this explicit, we return an error.
if (!empty($_SERVER['HTTP_EXPECT'])) {
header("HTTP/1.1 417 Expectation Failed");
die("Expect header is not supported");
}
// CORS
if (isset($_SERVER['HTTP_ORIGIN'])) {
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE");
header("Access-Control-Allow-Headers: Content-Type, If-Match, If-None-Match, If-Modified-Since-Version, If-Unmodified-Since-Version, Zotero-API-Version, Zotero-Write-Token");
header("Access-Control-Expose-Headers: Backoff, ETag, Last-Modified-Version, Link, Retry-After, Total-Results, Zotero-API-Version");
}
if ($this->method == 'OPTIONS') {
$this->end();
}
if (in_array($this->method, array('POST', 'PUT', 'PATCH'))) {
$this->ifUnmodifiedSince = isset($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) : false;
$this->body = file_get_contents("php://input");
if ($this->body == "" && !in_array($this->action, array('clear', 'laststoragesync', 'removestoragefiles', 'itemContent'))) {
$this->e400("{$this->method} data not provided");
}
}
if ($this->profile) {
Zotero_DB::profileStart();
}
// If HTTP Basic Auth credentials provided, authenticate
if (isset($_SERVER['PHP_AUTH_USER'])) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
if ($username == Z_CONFIG::$API_SUPER_USERNAME && $password == Z_CONFIG::$API_SUPER_PASSWORD) {
$this->userID = 0;
$this->permissions = new Zotero_Permissions();
$this->permissions->setSuper();
} else {
if (!empty($extra['allowHTTP']) || !empty($extra['auth'])) {
$userID = Zotero_Users::authenticate('password', array('username' => $username, 'password' => $password));
if (!$userID) {
$this->e401('Invalid login');
}
$this->httpAuth = true;
$this->userID = $userID;
$this->grantUserPermissions($userID);
}
}
}
if (!isset($this->userID)) {
$key = false;
// Allow Zotero-API-Key header
if (!empty($_SERVER['HTTP_ZOTERO_API_KEY'])) {
$key = $_SERVER['HTTP_ZOTERO_API_KEY'];
}
// Allow ?key=<apikey>
if (isset($_GET['key'])) {
if (!$key) {
$key = $_GET['key'];
} else {
if ($_GET['key'] !== $key) {
$this->e400("Zotero-API-Key header and 'key' parameter differ");
}
}
}
// If neither of the above passed, allow "Authorization: Bearer <apikey>"
//
// Apache/mod_php doesn't seem to make Authorization available for auth schemes
// other than Basic/Digest, so use an Apache-specific method to get the header
if (!$key && function_exists('apache_request_headers')) {
$headers = apache_request_headers();
if (isset($headers['Authorization'])) {
// Look for "Authorization: Bearer" from OAuth 2.0, and ignore everything else
if (preg_match('/^bearer/i', $headers['Authorization'], $matches)) {
if (preg_match('/^bearer +([a-z0-9]+)$/i', $headers['Authorization'], $matches)) {
$key = $matches[1];
} else {
$this->e400("Invalid Authorization header format");
}
}
}
}
if ($key) {
$keyObj = Zotero_Keys::authenticate($key);
if (!$keyObj) {
$this->e403('Invalid key');
}
$this->apiKey = $key;
$this->userID = $keyObj->userID;
$this->permissions = $keyObj->getPermissions();
// Check Zotero-Write-Token if it exists to make sure
// this isn't a duplicate request
if ($this->isWriteMethod()) {
if ($cacheKey = $this->getWriteTokenCacheKey()) {
if (Z_Core::$MC->get($cacheKey)) {
$this->e412("Write token already used");
}
}
}
} else {
if (!empty($_GET['session']) && ($this->userID = Zotero_Users::getUserIDFromSessionID($_GET['session']))) {
// Users who haven't synced may not exist in our DB
if (!Zotero_Users::exists($this->userID)) {
Zotero_Users::add($this->userID);
}
$this->grantUserPermissions($this->userID);
$this->cookieAuth = true;
} else {
if (!empty($_GET['auth']) || !empty($extra['auth'])) {
$this->e401();
}
// Explicit auth request or not a GET request
//
// /users/<id>/keys is an exception, since the key is embedded in the URL
if ($this->method != "GET" && $this->action != 'keys') {
$this->e403('An API key is required for write requests.');
}
// Anonymous request
$this->permissions = new Zotero_Permissions();
$this->permissions->setAnonymous();
}
}
}
$this->uri = Z_CONFIG::$API_BASE_URI . substr($_SERVER["REQUEST_URI"], 1);
// Get object user
if (isset($this->objectUserID)) {
if (!$this->objectUserID) {
$this->e400("Invalid user ID", Z_ERROR_INVALID_INPUT);
}
try {
$this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID);
} catch (Exception $e) {
if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) {
try {
Zotero_Users::addFromWWW($this->objectUserID);
} catch (Exception $e) {
if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) {
$this->e404("User {$this->objectUserID} not found");
}
throw $e;
}
$this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID);
} else {
throw $e;
}
}
// Make sure user isn't banned
if (!Zotero_Users::isValidUser($this->objectUserID)) {
$this->e404();
}
} else {
if (isset($this->objectGroupID)) {
if (!$this->objectGroupID) {
$this->e400("Invalid group ID", Z_ERROR_INVALID_INPUT);
}
// Make sure group exists
$group = Zotero_Groups::get($this->objectGroupID);
if (!$group) {
$this->e404();
}
// Don't show groups owned by banned users
if (!Zotero_Users::isValidUser($group->ownerUserID)) {
$this->e404();
}
$this->objectLibraryID = Zotero_Groups::getLibraryIDFromGroupID($this->objectGroupID);
}
}
$apiVersion = !empty($_SERVER['HTTP_ZOTERO_API_VERSION']) ? (int) $_SERVER['HTTP_ZOTERO_API_VERSION'] : false;
// Serve v1 to ZotPad 1.x, at Mikko's request
if (!$apiVersion && !empty($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'ZotPad 1') === 0) {
$apiVersion = 1;
}
// For publications URLs (e.g., /users/:userID/publications/items), swap in
// objectLibraryID of user's publications library
if (!empty($extra['publications'])) {
// Query parameters not yet parsed, so check version parameter
if ($apiVersion && $apiVersion < 3 || !empty($_REQUEST['v']) && $_REQUEST['v'] < 3 || !empty($_REQUEST['version']) && $_REQUEST['version'] == 1) {
$this->e404();
}
$userLibraryID = $this->objectLibraryID;
$this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID, 'publications');
// If one doesn't exist, for write requests create a library if the key
// has write permission to the user library. For read requests, just
// return a 404.
if (!$this->objectLibraryID) {
if ($this->isWriteMethod()) {
if (!$this->permissions->canAccess($userLibraryID) || !$this->permissions->canWrite($userLibraryID)) {
$this->e403();
}
$this->objectLibraryID = Zotero_Publications::add($this->objectUserID);
} else {
$this->objectLibraryID = 0;
}
}
}
// Return 409 if target library is locked
switch ($this->method) {
case 'POST':
case 'PUT':
case 'DELETE':
switch ($this->action) {
// Library lock doesn't matter for some admin requests
case 'keys':
case 'storageadmin':
break;
default:
if ($this->objectLibraryID && Zotero_Libraries::isLocked($this->objectLibraryID)) {
$this->e409("Target library is locked");
}
break;
}
}
$this->scopeObject = !empty($extra['scopeObject']) ? $extra['scopeObject'] : $this->scopeObject;
$this->subset = !empty($extra['subset']) ? $extra['subset'] : $this->subset;
$this->fileMode = !empty($extra['file']) ? !empty($_GET['info']) ? 'info' : 'download' : false;
$this->fileView = !empty($extra['view']);
$this->singleObject = $this->objectKey && !$this->subset;
$this->checkLibraryIfModifiedSinceVersion($this->action);
// If Accept header includes application/atom+xml, send Atom, as long as there's no 'format'
$atomAccepted = false;
if (!empty($_SERVER['HTTP_ACCEPT'])) {
$accept = preg_split('/\\s*,\\s*/', $_SERVER['HTTP_ACCEPT']);
$atomAccepted = in_array('application/atom+xml', $accept);
}
$this->queryParams = Zotero_API::parseQueryParams($_SERVER['QUERY_STRING'], $this->action, $this->singleObject, $apiVersion, $atomAccepted);
// Sorting by Item Type or Added By currently require writing to shard tables, so don't
// send those to the read replicas
if ($this->queryParams['sort'] == 'itemType' || $this->queryParams['sort'] == 'addedBy') {
Zotero_DB::readOnly(false);
}
$this->apiVersion = $version = $this->queryParams['v'];
header("Zotero-API-Version: " . $version);
StatsD::increment("api.request.version.v" . $version, 0.25);
}
public function collections()
{
// Check for general library access
if (!$this->permissions->canAccess($this->objectLibraryID)) {
$this->e403();
}
if ($this->isWriteMethod()) {
// Check for library write access
if (!$this->permissions->canWrite($this->objectLibraryID)) {
$this->e403("Write access denied");
}
// Make sure library hasn't been modified
if (!$this->singleObject) {
$libraryTimestampChecked = $this->checkLibraryIfUnmodifiedSinceVersion();
}
Zotero_Libraries::updateVersionAndTimestamp($this->objectLibraryID);
}
$collectionIDs = array();
$collectionKeys = array();
$results = array();
// Single collection
if ($this->singleObject) {
$this->allowMethods(['HEAD', 'GET', 'PUT', 'PATCH', 'DELETE']);
if (!Zotero_ID::isValidKey($this->objectKey)) {
$this->e404();
}
$collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->objectKey);
if ($this->isWriteMethod()) {
$collection = $this->handleObjectWrite('collection', $collection ? $collection : null);
$this->queryParams['content'] = ['json'];
}
if (!$collection) {
$this->e404("Collection not found");
}
$this->libraryVersion = $collection->version;
if ($this->method == 'HEAD') {
$this->end();
}
switch ($this->queryParams['format']) {
case 'atom':
$this->responseXML = Zotero_Collections::convertCollectionToAtom($collection, $this->queryParams);
break;
case 'json':
$json = $collection->toResponseJSON($this->queryParams, $this->permissions);
echo Zotero_Utilities::formatJSON($json);
break;
default:
throw new Exception("Unexpected format '" . $this->queryParams['format'] . "'");
}
} else {
$this->allowMethods(['HEAD', 'GET', 'POST', 'DELETE']);
$this->libraryVersion = Zotero_Libraries::getUpdatedVersion($this->objectLibraryID);
if ($this->scopeObject) {
$this->allowMethods(array('GET'));
switch ($this->scopeObject) {
case 'collections':
$collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey);
if (!$collection) {
$this->e404("Collection not found");
}
$title = "Child Collections of ‘{$collection->name}'’";
$collectionIDs = $collection->getChildCollections();
break;
default:
throw new Exception("Invalid collections scope object '{$this->scopeObject}'");
}
} else {
// Top-level items
if ($this->subset == 'top') {
$this->allowMethods(array('GET'));
$title = "Top-Level Collections";
$results = Zotero_Collections::search($this->objectLibraryID, true, $this->queryParams);
} else {
// Create a collection
if ($this->method == 'POST') {
$this->queryParams['format'] = 'writereport';
$obj = $this->jsonDecode($this->body);
$results = Zotero_Collections::updateMultipleFromJSON($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $libraryTimestampChecked ? 0 : 1, null);
if ($cacheKey = $this->getWriteTokenCacheKey()) {
Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime);
}
if ($this->apiVersion < 2) {
$uri = Zotero_API::getCollectionsURI($this->objectLibraryID);
$keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged']));
$queryString = "collectionKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=collectionKeyList&sort=asc";
if ($this->apiKey) {
$queryString .= "&key=" . $this->apiKey;
}
$uri .= "?" . $queryString;
$this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, true, $this->apiVersion);
$title = "Collections";
$results = Zotero_Collections::search($this->objectLibraryID, false, $this->queryParams);
}
} else {
if ($this->method == 'DELETE') {
Zotero_DB::beginTransaction();
foreach ($this->queryParams['collectionKey'] as $collectionKey) {
Zotero_Collections::delete($this->objectLibraryID, $collectionKey);
}
Zotero_DB::commit();
$this->e204();
} else {
$title = "Collections";
$results = Zotero_Collections::search($this->objectLibraryID, false, $this->queryParams);
}
}
}
}
if ($collectionIDs) {
$this->queryParams['collectionIDs'] = $collectionIDs;
$results = Zotero_Collections::search($this->objectLibraryID, false, $this->queryParams);
}
$options = ['action' => $this->action, 'uri' => $this->uri, 'results' => $results, 'requestParams' => $this->queryParams, 'permissions' => $this->permissions, 'head' => $this->method == 'HEAD'];
switch ($this->queryParams['format']) {
case 'atom':
$this->responseXML = Zotero_API::multiResponse(array_merge($options, ['title' => $this->getFeedNamePrefix($this->objectLibraryID) . $title]));
break;
case 'json':
case 'keys':
case 'versions':
case 'writereport':
Zotero_API::multiResponse($options);
break;
default:
throw new Exception("Unexpected format '" . $this->queryParams['format'] . "'");
}
}
$this->end();
}
public function collections()
{
if (($this->method == 'POST' || $this->method == 'PUT') && !$this->body) {
$this->e400("{$this->method} data not provided");
}
$collections = array();
// Single collection
if (($this->objectID || $this->objectKey) && $this->subset != 'collections') {
$this->allowMethods(array('GET', 'PUT', 'DELETE'));
// If id, redirect to key URL
if ($this->objectID) {
$this->allowMethods(array('GET'));
$collection = Zotero_Collections::get($this->objectLibraryID, $this->objectID);
if (!$collection) {
$this->e404("Collection not found");
}
$qs = !empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : '';
header("Location: " . Zotero_API::getCollectionURI($collection) . $qs);
exit;
}
$collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->objectKey);
if (!$collection) {
$this->e404("Collection not found");
}
// In single-collection mode, require public pref to be enabled
if (!$this->permissions->canAccess($this->objectLibraryID)) {
$this->e403();
}
if ($this->method == 'PUT' || $this->method == 'DELETE') {
if (!$this->permissions->canWrite($this->objectLibraryID)) {
$this->e403("Write access denied");
}
if (!Z_CONFIG::$TESTING_SITE || empty($_GET['skipetag'])) {
if (empty($_SERVER['HTTP_IF_MATCH'])) {
$this->e400("If-Match header not provided");
}
if (!preg_match('/^"?([a-f0-9]{32})"?$/', $_SERVER['HTTP_IF_MATCH'], $matches)) {
$this->e400("Invalid ETag in If-Match header");
}
if ($collection->etag != $matches[1]) {
$this->e412("ETag does not match current version of collection");
}
}
if ($this->method == 'PUT') {
$obj = $this->jsonDecode($this->body);
Zotero_Collections::updateFromJSON($collection, $obj);
$this->queryParams['format'] = 'atom';
$this->queryParams['content'] = array('json');
if ($cacheKey = $this->getWriteTokenCacheKey()) {
Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime);
}
} else {
Zotero_Collections::delete($this->objectLibraryID, $this->objectKey, true);
$this->e204();
}
}
$this->responseXML = Zotero_Collections::convertCollectionToAtom($collection, $this->queryParams['content']);
} else {
$this->allowMethods(array('GET', 'POST'));
if (!$this->permissions->canAccess($this->objectLibraryID)) {
$this->e403();
}
if ($this->scopeObject) {
$this->allowMethods(array('GET'));
switch ($this->scopeObject) {
case 'collections':
// If id, redirect to key URL
if ($this->scopeObjectID) {
$collection = Zotero_Collections::get($this->objectLibraryID, $this->scopeObjectID);
if (!$collection) {
$this->e404("Collection not found");
}
$qs = !empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : '';
header("Location: " . Zotero_API::getCollectionURI($collection) . $qs);
exit;
}
$collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey);
if (!$collection) {
$this->e404("Collection not found");
}
$title = "Child Collections of ‘{$collection->name}'’";
$collectionIDs = $collection->getChildCollections();
break;
default:
throw new Exception("Invalid collections scope object '{$this->scopeObject}'");
}
} else {
// Top-level items
if ($this->subset == 'top') {
$this->allowMethods(array('GET'));
$title = "Top-Level Collections";
$results = Zotero_Collections::getAllAdvanced($this->objectLibraryID, true, $this->queryParams);
} else {
// Create a collection
if ($this->method == 'POST') {
if (!$this->permissions->canWrite($this->objectLibraryID)) {
$this->e403("Write access denied");
}
$obj = $this->jsonDecode($this->body);
$collection = Zotero_Collections::addFromJSON($obj, $this->objectLibraryID);
if ($cacheKey = $this->getWriteTokenCacheKey()) {
Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime);
}
$uri = Zotero_API::getCollectionURI($collection);
$queryString = "content=json";
if ($this->apiKey) {
$queryString .= "&key=" . $this->apiKey;
}
$uri .= "?" . $queryString;
$this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, true);
}
$title = "Collections";
$results = Zotero_Collections::getAllAdvanced($this->objectLibraryID, false, $this->queryParams);
}
$collections = $results['collections'];
$totalResults = $results['total'];
}
if (!empty($collectionIDs)) {
foreach ($collectionIDs as $collectionID) {
$collections[] = Zotero_Collections::get($this->objectLibraryID, $collectionID);
}
// Fake sorting and limiting
$totalResults = sizeOf($collections);
$key = $this->queryParams['order'];
if ($key == 'title') {
$key = 'name';
}
$dir = $this->queryParams['sort'];
usort($collections, function ($a, $b) use($key, $dir) {
$dir = $dir == "asc" ? 1 : -1;
if ($a->{$key} == $b->{$key}) {
return 0;
} else {
return $a->{$key} > $b->{$key} ? $dir : $dir * -1;
}
});
$collections = array_slice($collections, $this->queryParams['start'], $this->queryParams['limit']);
}
$this->responseXML = Zotero_Atom::createAtomFeed($this->getFeedNamePrefix($this->objectLibraryID) . $title, $this->uri, $collections, $totalResults, $this->queryParams, $this->apiVersion, $this->permissions);
}
$this->end();
}
public function items()
{
// Check for general library access
if (!$this->permissions->canAccess($this->objectLibraryID)) {
$this->e403();
}
if ($this->isWriteMethod()) {
// Check for library write access
if (!$this->permissions->canWrite($this->objectLibraryID)) {
$this->e403("Write access denied");
}
// Make sure library hasn't been modified
if (!$this->singleObject) {
$libraryTimestampChecked = $this->checkLibraryIfUnmodifiedSinceVersion();
}
// We don't update the library version in file mode, because currently
// to avoid conflicts in the client the timestamp can't change
// when the client updates file metadata
if (!$this->fileMode) {
Zotero_Libraries::updateVersionAndTimestamp($this->objectLibraryID);
}
}
$itemIDs = array();
$itemKeys = array();
$results = array();
$title = "";
//
// Single item
//
if ($this->singleObject) {
if ($this->fileMode) {
if ($this->fileView) {
$this->allowMethods(array('HEAD', 'GET', 'POST'));
} else {
$this->allowMethods(array('HEAD', 'GET', 'PUT', 'POST', 'PATCH'));
}
} else {
$this->allowMethods(array('HEAD', 'GET', 'PUT', 'PATCH', 'DELETE'));
}
if (!$this->objectLibraryID || !Zotero_ID::isValidKey($this->objectKey)) {
$this->e404();
}
$item = Zotero_Items::getByLibraryAndKey($this->objectLibraryID, $this->objectKey);
if ($item) {
// If no access to the note, don't show that it exists
if ($item->isNote() && !$this->permissions->canAccess($this->objectLibraryID, 'notes')) {
$this->e404();
}
// Make sure URL libraryID matches item libraryID
if ($this->objectLibraryID != $item->libraryID) {
$this->e404("Item does not exist");
}
// File access mode
if ($this->fileMode) {
$this->_handleFileRequest($item);
}
if ($this->scopeObject) {
switch ($this->scopeObject) {
// Remove item from collection
case 'collections':
$this->allowMethods(array('DELETE'));
$collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey);
if (!$collection) {
$this->e404("Collection not found");
}
if (!$collection->hasItem($item->id)) {
$this->e404("Item not found in collection");
}
$collection->removeItem($item->id);
$this->e204();
default:
$this->e400();
}
}
} else {
// Possibly temporary workaround to block unnecessary full syncs
if ($this->fileMode && $this->httpAuth && $this->method == 'POST') {
// If > 2 requests for missing file, trigger a full sync via 404
$cacheKey = "apiMissingFile_" . $this->objectLibraryID . "_" . $this->objectKey;
$set = Z_Core::$MC->get($cacheKey);
if (!$set) {
Z_Core::$MC->set($cacheKey, 1, 86400);
} else {
if ($set < 2) {
Z_Core::$MC->increment($cacheKey);
} else {
Z_Core::$MC->delete($cacheKey);
$this->e404("A file sync error occurred. Please sync again.");
}
}
$this->e500("A file sync error occurred. Please sync again.");
}
}
if ($this->isWriteMethod()) {
$item = $this->handleObjectWrite('item', $item ? $item : null);
if ($this->apiVersion < 2 && ($this->method == 'PUT' || $this->method == 'PATCH')) {
$this->queryParams['format'] = 'atom';
$this->queryParams['content'] = ['json'];
}
}
if (!$item) {
$this->e404("Item does not exist");
}
$this->libraryVersion = $item->version;
if ($this->method == 'HEAD') {
$this->end();
}
// Display item
switch ($this->queryParams['format']) {
case 'atom':
$this->responseXML = Zotero_Items::convertItemToAtom($item, $this->queryParams, $this->permissions);
break;
case 'bib':
echo Zotero_Cite::getBibliographyFromCitationServer(array($item), $this->queryParams);
break;
case 'csljson':
$json = Zotero_Cite::getJSONFromItems(array($item), true);
echo Zotero_Utilities::formatJSON($json);
break;
case 'json':
$json = $item->toResponseJSON($this->queryParams, $this->permissions);
echo Zotero_Utilities::formatJSON($json);
break;
default:
$export = Zotero_Translate::doExport(array($item), $this->queryParams['format']);
$this->queryParams['format'] = null;
header("Content-Type: " . $export['mimeType']);
echo $export['body'];
break;
}
} else {
$this->allowMethods(array('HEAD', 'GET', 'POST', 'DELETE'));
$this->libraryVersion = Zotero_Libraries::getUpdatedVersion($this->objectLibraryID);
$includeTrashed = $this->queryParams['includeTrashed'];
if ($this->scopeObject) {
$this->allowMethods(array('GET', 'POST'));
switch ($this->scopeObject) {
case 'collections':
// TEMP
if (Zotero_ID::isValidKey($this->scopeObjectKey)) {
$collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey);
} else {
$collection = false;
}
if (!$collection) {
// If old collectionID, redirect
if ($this->method == 'GET' && Zotero_Utilities::isPosInt($this->scopeObjectKey)) {
$collection = Zotero_Collections::get($this->objectLibraryID, $this->scopeObjectKey);
if ($collection) {
$qs = !empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : '';
$base = Zotero_API::getCollectionURI($collection);
$this->redirect($base . "/items" . $qs, 301);
}
}
$this->e404("Collection not found");
}
// Add items to collection
if ($this->method == 'POST') {
$itemKeys = explode(' ', $this->body);
$itemIDs = array();
foreach ($itemKeys as $key) {
try {
$item = Zotero_Items::getByLibraryAndKey($this->objectLibraryID, $key);
} catch (Exception $e) {
if ($e->getCode() == Z_ERROR_OBJECT_LIBRARY_MISMATCH) {
$item = false;
} else {
throw $e;
}
}
if (!$item) {
throw new Exception("Item '{$key}' not found in library", Z_ERROR_INVALID_INPUT);
}
if ($item->getSource()) {
throw new Exception("Child items cannot be added to collections directly", Z_ERROR_INVALID_INPUT);
}
$itemIDs[] = $item->id;
}
$collection->addItems($itemIDs);
$this->e204();
}
if ($this->subset == 'top' || $this->apiVersion < 2) {
$title = "Top-Level Items in Collection ‘" . $collection->name . "’";
$itemIDs = $collection->getItems();
} else {
$title = "Items in Collection ‘" . $collection->name . "’";
$itemIDs = $collection->getItems(true);
}
break;
case 'tags':
if ($this->apiVersion >= 2) {
$this->e404();
}
$this->allowMethods(array('GET'));
$tagIDs = Zotero_Tags::getIDs($this->objectLibraryID, $this->scopeObjectName);
if (!$tagIDs) {
$this->e404("Tag not found");
}
foreach ($tagIDs as $tagID) {
$tag = new Zotero_Tag();
$tag->libraryID = $this->objectLibraryID;
$tag->id = $tagID;
// Use a real tag name, in case case differs
if (!$title) {
$title = "Items of Tag ‘" . $tag->name . "’";
}
$itemKeys = array_merge($itemKeys, $tag->getLinkedItems(true));
}
$itemKeys = array_unique($itemKeys);
break;
default:
$this->e404();
}
} else {
// Top-level items
if ($this->subset == 'top') {
$this->allowMethods(array('GET'));
$title = "Top-Level Items";
$results = Zotero_Items::search($this->objectLibraryID, true, $this->queryParams, $includeTrashed, $this->permissions);
} else {
if ($this->subset == 'trash') {
$this->allowMethods(array('GET'));
$title = "Deleted Items";
$this->queryParams['trashedItemsOnly'] = true;
$includeTrashed = true;
$results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions);
} else {
if ($this->subset == 'children') {
$item = Zotero_Items::getByLibraryAndKey($this->objectLibraryID, $this->objectKey);
if (!$item) {
$this->e404("Item not found");
}
if ($item->isAttachment()) {
$this->e400("/children cannot be called on attachment items");
}
if ($item->isNote()) {
$this->e400("/children cannot be called on note items");
}
if ($item->getSource()) {
$this->e400("/children cannot be called on child items");
}
// Create new child items
if ($this->method == 'POST') {
if ($this->apiVersion >= 2) {
$this->allowMethods(array('GET'));
}
Zotero_DB::beginTransaction();
$obj = $this->jsonDecode($this->body);
$results = Zotero_Items::updateMultipleFromJSON($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $libraryTimestampChecked ? 0 : 1, $item);
Zotero_DB::commit();
if ($cacheKey = $this->getWriteTokenCacheKey()) {
Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime);
}
$uri = Zotero_API::getItemsURI($this->objectLibraryID);
$keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged']));
$queryString = "itemKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=itemKeyList&sort=asc";
if ($this->apiKey) {
$queryString .= "&key=" . $this->apiKey;
}
$uri .= "?" . $queryString;
$this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, false);
$this->responseCode = 201;
$title = "Items";
$results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions);
} else {
$title = "Child Items of ‘" . $item->getDisplayTitle() . "’";
$notes = $item->getNotes();
$attachments = $item->getAttachments();
$itemIDs = array_merge($notes, $attachments);
}
} else {
// Create new items
if ($this->method == 'POST') {
$this->queryParams['format'] = 'writereport';
$obj = $this->jsonDecode($this->body);
// Server-side translation
if (isset($obj->url)) {
if ($this->apiVersion == 1) {
Zotero_DB::beginTransaction();
}
$token = $this->getTranslationToken($obj);
$results = Zotero_Items::addFromURL($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $token);
if ($this->apiVersion == 1) {
Zotero_DB::commit();
}
// Multiple choices
if ($results instanceof stdClass) {
$this->queryParams['format'] = null;
header("Content-Type: application/json");
if ($this->queryParams['v'] >= 2) {
echo Zotero_Utilities::formatJSON(['url' => $obj->url, 'token' => $token, 'items' => $results->select]);
} else {
echo Zotero_Utilities::formatJSON($results->select);
}
$this->e300();
} else {
if (is_int($results)) {
switch ($results) {
case 501:
$this->e501("No translators found for URL");
break;
default:
$this->e500("Error translating URL");
}
} else {
if ($this->apiVersion == 1) {
$uri = Zotero_API::getItemsURI($this->objectLibraryID);
$keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged']));
$queryString = "itemKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=itemKeyList&sort=asc";
if ($this->apiKey) {
$queryString .= "&key=" . $this->apiKey;
}
$uri .= "?" . $queryString;
$this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, false);
$this->responseCode = 201;
$title = "Items";
$results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions);
}
}
}
// Otherwise return write status report
} else {
if ($this->apiVersion < 2) {
Zotero_DB::beginTransaction();
}
$results = Zotero_Items::updateMultipleFromJSON($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $libraryTimestampChecked ? 0 : 1, null);
if ($this->apiVersion < 2) {
Zotero_DB::commit();
$uri = Zotero_API::getItemsURI($this->objectLibraryID);
$keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged']));
$queryString = "itemKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=itemKeyList&sort=asc";
if ($this->apiKey) {
$queryString .= "&key=" . $this->apiKey;
}
$uri .= "?" . $queryString;
$this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, false);
$this->responseCode = 201;
$title = "Items";
$results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions);
}
}
if ($cacheKey = $this->getWriteTokenCacheKey()) {
Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime);
}
} else {
if ($this->method == 'DELETE') {
Zotero_DB::beginTransaction();
foreach ($this->queryParams['itemKey'] as $itemKey) {
Zotero_Items::delete($this->objectLibraryID, $itemKey);
}
Zotero_DB::commit();
$this->e204();
} else {
$title = "Items";
$results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions);
}
}
}
}
}
}
if ($itemIDs || $itemKeys) {
if ($itemIDs) {
$this->queryParams['itemIDs'] = $itemIDs;
}
if ($itemKeys) {
$this->queryParams['itemKey'] = $itemKeys;
}
$results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions);
}
if ($this->queryParams['format'] == 'bib') {
$maxBibItems = Zotero_API::MAX_BIBLIOGRAPHY_ITEMS;
if ($results['total'] > $maxBibItems) {
$this->e413("Cannot generate bibliography with more than {$maxBibItems} items");
}
}
$this->generateMultiResponse($results, $title);
}
$this->end();
}
