public function init($extra) { $this->startTime = microtime(true); if (!Z_CONFIG::$API_ENABLED) { $this->e503(Z_CONFIG::$MAINTENANCE_MESSAGE); } set_exception_handler(array($this, 'handleException')); // TODO: Throw error on some notices but allow DB/Memcached/etc. failures? //set_error_handler(array($this, 'handleError'), E_ALL | E_USER_ERROR | E_RECOVERABLE_ERROR); set_error_handler(array($this, 'handleError'), E_USER_ERROR | E_RECOVERABLE_ERROR); require_once '../model/Error.inc.php'; // On testing sites, include notifications in headers if (Z_CONFIG::$TESTING_SITE) { Zotero_NotifierObserver::addMessageReceiver(function ($topic, $msg) { $header = "Zotero-Debug-Notifications"; if (!empty($this->headers[$header])) { $notifications = json_decode(base64_decode($this->headers[$header])); } else { $notifications = []; } $notifications[] = $msg; $this->headers[$header] = base64_encode(json_encode($notifications)); }); } register_shutdown_function(array($this, 'checkDBTransactionState')); register_shutdown_function(array($this, 'logTotalRequestTime')); register_shutdown_function(array($this, 'checkForFatalError')); register_shutdown_function(array($this, 'addHeaders')); $this->method = $_SERVER['REQUEST_METHOD']; if (!in_array($this->method, array('HEAD', 'OPTIONS', 'GET', 'PUT', 'POST', 'DELETE', 'PATCH'))) { $this->e501(); } StatsD::increment("api.request.method." . strtolower($this->method), 0.25); // There doesn't seem to be a way for PHP to start processing the request // before the entire body is sent, so an Expect: 100 Continue will, // depending on the client, either fail or cause a delay while the client // waits for the 100 response. To make this explicit, we return an error. if (!empty($_SERVER['HTTP_EXPECT'])) { header("HTTP/1.1 417 Expectation Failed"); die("Expect header is not supported"); } // CORS if (isset($_SERVER['HTTP_ORIGIN'])) { header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE"); header("Access-Control-Allow-Headers: Content-Type, If-Match, If-None-Match, If-Modified-Since-Version, If-Unmodified-Since-Version, Zotero-API-Version, Zotero-Write-Token"); header("Access-Control-Expose-Headers: Backoff, ETag, Last-Modified-Version, Link, Retry-After, Total-Results, Zotero-API-Version"); } if ($this->method == 'OPTIONS') { $this->end(); } if (in_array($this->method, array('POST', 'PUT', 'PATCH'))) { $this->ifUnmodifiedSince = isset($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) : false; $this->body = file_get_contents("php://input"); if ($this->body == "" && !in_array($this->action, array('clear', 'laststoragesync', 'removestoragefiles', 'itemContent'))) { $this->e400("{$this->method} data not provided"); } } if ($this->profile) { Zotero_DB::profileStart(); } // If HTTP Basic Auth credentials provided, authenticate if (isset($_SERVER['PHP_AUTH_USER'])) { $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; if ($username == Z_CONFIG::$API_SUPER_USERNAME && $password == Z_CONFIG::$API_SUPER_PASSWORD) { $this->userID = 0; $this->permissions = new Zotero_Permissions(); $this->permissions->setSuper(); } else { if (!empty($extra['allowHTTP']) || !empty($extra['auth'])) { $userID = Zotero_Users::authenticate('password', array('username' => $username, 'password' => $password)); if (!$userID) { $this->e401('Invalid login'); } $this->httpAuth = true; $this->userID = $userID; $this->grantUserPermissions($userID); } } } if (!isset($this->userID)) { $key = false; // Allow Zotero-API-Key header if (!empty($_SERVER['HTTP_ZOTERO_API_KEY'])) { $key = $_SERVER['HTTP_ZOTERO_API_KEY']; } // Allow ?key=<apikey> if (isset($_GET['key'])) { if (!$key) { $key = $_GET['key']; } else { if ($_GET['key'] !== $key) { $this->e400("Zotero-API-Key header and 'key' parameter differ"); } } } // If neither of the above passed, allow "Authorization: Bearer <apikey>" // // Apache/mod_php doesn't seem to make Authorization available for auth schemes // other than Basic/Digest, so use an Apache-specific method to get the header if (!$key && function_exists('apache_request_headers')) { $headers = apache_request_headers(); if (isset($headers['Authorization'])) { // Look for "Authorization: Bearer" from OAuth 2.0, and ignore everything else if (preg_match('/^bearer/i', $headers['Authorization'], $matches)) { if (preg_match('/^bearer +([a-z0-9]+)$/i', $headers['Authorization'], $matches)) { $key = $matches[1]; } else { $this->e400("Invalid Authorization header format"); } } } } if ($key) { $keyObj = Zotero_Keys::authenticate($key); if (!$keyObj) { $this->e403('Invalid key'); } $this->apiKey = $key; $this->userID = $keyObj->userID; $this->permissions = $keyObj->getPermissions(); // Check Zotero-Write-Token if it exists to make sure // this isn't a duplicate request if ($this->isWriteMethod()) { if ($cacheKey = $this->getWriteTokenCacheKey()) { if (Z_Core::$MC->get($cacheKey)) { $this->e412("Write token already used"); } } } } else { if (!empty($_GET['session']) && ($this->userID = Zotero_Users::getUserIDFromSessionID($_GET['session']))) { // Users who haven't synced may not exist in our DB if (!Zotero_Users::exists($this->userID)) { Zotero_Users::add($this->userID); } $this->grantUserPermissions($this->userID); $this->cookieAuth = true; } else { if (!empty($_GET['auth']) || !empty($extra['auth'])) { $this->e401(); } // Explicit auth request or not a GET request // // /users/<id>/keys is an exception, since the key is embedded in the URL if ($this->method != "GET" && $this->action != 'keys') { $this->e403('An API key is required for write requests.'); } // Anonymous request $this->permissions = new Zotero_Permissions(); $this->permissions->setAnonymous(); } } } $this->uri = Z_CONFIG::$API_BASE_URI . substr($_SERVER["REQUEST_URI"], 1); // Get object user if (isset($this->objectUserID)) { if (!$this->objectUserID) { $this->e400("Invalid user ID", Z_ERROR_INVALID_INPUT); } try { $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) { try { Zotero_Users::addFromWWW($this->objectUserID); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) { $this->e404("User {$this->objectUserID} not found"); } throw $e; } $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID); } else { throw $e; } } // Make sure user isn't banned if (!Zotero_Users::isValidUser($this->objectUserID)) { $this->e404(); } } else { if (isset($this->objectGroupID)) { if (!$this->objectGroupID) { $this->e400("Invalid group ID", Z_ERROR_INVALID_INPUT); } // Make sure group exists $group = Zotero_Groups::get($this->objectGroupID); if (!$group) { $this->e404(); } // Don't show groups owned by banned users if (!Zotero_Users::isValidUser($group->ownerUserID)) { $this->e404(); } $this->objectLibraryID = Zotero_Groups::getLibraryIDFromGroupID($this->objectGroupID); } } $apiVersion = !empty($_SERVER['HTTP_ZOTERO_API_VERSION']) ? (int) $_SERVER['HTTP_ZOTERO_API_VERSION'] : false; // Serve v1 to ZotPad 1.x, at Mikko's request if (!$apiVersion && !empty($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'ZotPad 1') === 0) { $apiVersion = 1; } // For publications URLs (e.g., /users/:userID/publications/items), swap in // objectLibraryID of user's publications library if (!empty($extra['publications'])) { // Query parameters not yet parsed, so check version parameter if ($apiVersion && $apiVersion < 3 || !empty($_REQUEST['v']) && $_REQUEST['v'] < 3 || !empty($_REQUEST['version']) && $_REQUEST['version'] == 1) { $this->e404(); } $userLibraryID = $this->objectLibraryID; $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID, 'publications'); // If one doesn't exist, for write requests create a library if the key // has write permission to the user library. For read requests, just // return a 404. if (!$this->objectLibraryID) { if ($this->isWriteMethod()) { if (!$this->permissions->canAccess($userLibraryID) || !$this->permissions->canWrite($userLibraryID)) { $this->e403(); } $this->objectLibraryID = Zotero_Publications::add($this->objectUserID); } else { $this->objectLibraryID = 0; } } } // Return 409 if target library is locked switch ($this->method) { case 'POST': case 'PUT': case 'DELETE': switch ($this->action) { // Library lock doesn't matter for some admin requests case 'keys': case 'storageadmin': break; default: if ($this->objectLibraryID && Zotero_Libraries::isLocked($this->objectLibraryID)) { $this->e409("Target library is locked"); } break; } } $this->scopeObject = !empty($extra['scopeObject']) ? $extra['scopeObject'] : $this->scopeObject; $this->subset = !empty($extra['subset']) ? $extra['subset'] : $this->subset; $this->fileMode = !empty($extra['file']) ? !empty($_GET['info']) ? 'info' : 'download' : false; $this->fileView = !empty($extra['view']); $this->singleObject = $this->objectKey && !$this->subset; $this->checkLibraryIfModifiedSinceVersion($this->action); // If Accept header includes application/atom+xml, send Atom, as long as there's no 'format' $atomAccepted = false; if (!empty($_SERVER['HTTP_ACCEPT'])) { $accept = preg_split('/\\s*,\\s*/', $_SERVER['HTTP_ACCEPT']); $atomAccepted = in_array('application/atom+xml', $accept); } $this->queryParams = Zotero_API::parseQueryParams($_SERVER['QUERY_STRING'], $this->action, $this->singleObject, $apiVersion, $atomAccepted); // Sorting by Item Type or Added By currently require writing to shard tables, so don't // send those to the read replicas if ($this->queryParams['sort'] == 'itemType' || $this->queryParams['sort'] == 'addedBy') { Zotero_DB::readOnly(false); } $this->apiVersion = $version = $this->queryParams['v']; header("Zotero-API-Version: " . $version); StatsD::increment("api.request.version.v" . $version, 0.25); }
public function collections() { // Check for general library access if (!$this->permissions->canAccess($this->objectLibraryID)) { $this->e403(); } if ($this->isWriteMethod()) { // Check for library write access if (!$this->permissions->canWrite($this->objectLibraryID)) { $this->e403("Write access denied"); } // Make sure library hasn't been modified if (!$this->singleObject) { $libraryTimestampChecked = $this->checkLibraryIfUnmodifiedSinceVersion(); } Zotero_Libraries::updateVersionAndTimestamp($this->objectLibraryID); } $collectionIDs = array(); $collectionKeys = array(); $results = array(); // Single collection if ($this->singleObject) { $this->allowMethods(['HEAD', 'GET', 'PUT', 'PATCH', 'DELETE']); if (!Zotero_ID::isValidKey($this->objectKey)) { $this->e404(); } $collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->objectKey); if ($this->isWriteMethod()) { $collection = $this->handleObjectWrite('collection', $collection ? $collection : null); $this->queryParams['content'] = ['json']; } if (!$collection) { $this->e404("Collection not found"); } $this->libraryVersion = $collection->version; if ($this->method == 'HEAD') { $this->end(); } switch ($this->queryParams['format']) { case 'atom': $this->responseXML = Zotero_Collections::convertCollectionToAtom($collection, $this->queryParams); break; case 'json': $json = $collection->toResponseJSON($this->queryParams, $this->permissions); echo Zotero_Utilities::formatJSON($json); break; default: throw new Exception("Unexpected format '" . $this->queryParams['format'] . "'"); } } else { $this->allowMethods(['HEAD', 'GET', 'POST', 'DELETE']); $this->libraryVersion = Zotero_Libraries::getUpdatedVersion($this->objectLibraryID); if ($this->scopeObject) { $this->allowMethods(array('GET')); switch ($this->scopeObject) { case 'collections': $collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey); if (!$collection) { $this->e404("Collection not found"); } $title = "Child Collections of ‘{$collection->name}'’"; $collectionIDs = $collection->getChildCollections(); break; default: throw new Exception("Invalid collections scope object '{$this->scopeObject}'"); } } else { // Top-level items if ($this->subset == 'top') { $this->allowMethods(array('GET')); $title = "Top-Level Collections"; $results = Zotero_Collections::search($this->objectLibraryID, true, $this->queryParams); } else { // Create a collection if ($this->method == 'POST') { $this->queryParams['format'] = 'writereport'; $obj = $this->jsonDecode($this->body); $results = Zotero_Collections::updateMultipleFromJSON($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $libraryTimestampChecked ? 0 : 1, null); if ($cacheKey = $this->getWriteTokenCacheKey()) { Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime); } if ($this->apiVersion < 2) { $uri = Zotero_API::getCollectionsURI($this->objectLibraryID); $keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged'])); $queryString = "collectionKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=collectionKeyList&sort=asc"; if ($this->apiKey) { $queryString .= "&key=" . $this->apiKey; } $uri .= "?" . $queryString; $this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, true, $this->apiVersion); $title = "Collections"; $results = Zotero_Collections::search($this->objectLibraryID, false, $this->queryParams); } } else { if ($this->method == 'DELETE') { Zotero_DB::beginTransaction(); foreach ($this->queryParams['collectionKey'] as $collectionKey) { Zotero_Collections::delete($this->objectLibraryID, $collectionKey); } Zotero_DB::commit(); $this->e204(); } else { $title = "Collections"; $results = Zotero_Collections::search($this->objectLibraryID, false, $this->queryParams); } } } } if ($collectionIDs) { $this->queryParams['collectionIDs'] = $collectionIDs; $results = Zotero_Collections::search($this->objectLibraryID, false, $this->queryParams); } $options = ['action' => $this->action, 'uri' => $this->uri, 'results' => $results, 'requestParams' => $this->queryParams, 'permissions' => $this->permissions, 'head' => $this->method == 'HEAD']; switch ($this->queryParams['format']) { case 'atom': $this->responseXML = Zotero_API::multiResponse(array_merge($options, ['title' => $this->getFeedNamePrefix($this->objectLibraryID) . $title])); break; case 'json': case 'keys': case 'versions': case 'writereport': Zotero_API::multiResponse($options); break; default: throw new Exception("Unexpected format '" . $this->queryParams['format'] . "'"); } } $this->end(); }
public function collections() { if (($this->method == 'POST' || $this->method == 'PUT') && !$this->body) { $this->e400("{$this->method} data not provided"); } $collections = array(); // Single collection if (($this->objectID || $this->objectKey) && $this->subset != 'collections') { $this->allowMethods(array('GET', 'PUT', 'DELETE')); // If id, redirect to key URL if ($this->objectID) { $this->allowMethods(array('GET')); $collection = Zotero_Collections::get($this->objectLibraryID, $this->objectID); if (!$collection) { $this->e404("Collection not found"); } $qs = !empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : ''; header("Location: " . Zotero_API::getCollectionURI($collection) . $qs); exit; } $collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->objectKey); if (!$collection) { $this->e404("Collection not found"); } // In single-collection mode, require public pref to be enabled if (!$this->permissions->canAccess($this->objectLibraryID)) { $this->e403(); } if ($this->method == 'PUT' || $this->method == 'DELETE') { if (!$this->permissions->canWrite($this->objectLibraryID)) { $this->e403("Write access denied"); } if (!Z_CONFIG::$TESTING_SITE || empty($_GET['skipetag'])) { if (empty($_SERVER['HTTP_IF_MATCH'])) { $this->e400("If-Match header not provided"); } if (!preg_match('/^"?([a-f0-9]{32})"?$/', $_SERVER['HTTP_IF_MATCH'], $matches)) { $this->e400("Invalid ETag in If-Match header"); } if ($collection->etag != $matches[1]) { $this->e412("ETag does not match current version of collection"); } } if ($this->method == 'PUT') { $obj = $this->jsonDecode($this->body); Zotero_Collections::updateFromJSON($collection, $obj); $this->queryParams['format'] = 'atom'; $this->queryParams['content'] = array('json'); if ($cacheKey = $this->getWriteTokenCacheKey()) { Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime); } } else { Zotero_Collections::delete($this->objectLibraryID, $this->objectKey, true); $this->e204(); } } $this->responseXML = Zotero_Collections::convertCollectionToAtom($collection, $this->queryParams['content']); } else { $this->allowMethods(array('GET', 'POST')); if (!$this->permissions->canAccess($this->objectLibraryID)) { $this->e403(); } if ($this->scopeObject) { $this->allowMethods(array('GET')); switch ($this->scopeObject) { case 'collections': // If id, redirect to key URL if ($this->scopeObjectID) { $collection = Zotero_Collections::get($this->objectLibraryID, $this->scopeObjectID); if (!$collection) { $this->e404("Collection not found"); } $qs = !empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : ''; header("Location: " . Zotero_API::getCollectionURI($collection) . $qs); exit; } $collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey); if (!$collection) { $this->e404("Collection not found"); } $title = "Child Collections of ‘{$collection->name}'’"; $collectionIDs = $collection->getChildCollections(); break; default: throw new Exception("Invalid collections scope object '{$this->scopeObject}'"); } } else { // Top-level items if ($this->subset == 'top') { $this->allowMethods(array('GET')); $title = "Top-Level Collections"; $results = Zotero_Collections::getAllAdvanced($this->objectLibraryID, true, $this->queryParams); } else { // Create a collection if ($this->method == 'POST') { if (!$this->permissions->canWrite($this->objectLibraryID)) { $this->e403("Write access denied"); } $obj = $this->jsonDecode($this->body); $collection = Zotero_Collections::addFromJSON($obj, $this->objectLibraryID); if ($cacheKey = $this->getWriteTokenCacheKey()) { Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime); } $uri = Zotero_API::getCollectionURI($collection); $queryString = "content=json"; if ($this->apiKey) { $queryString .= "&key=" . $this->apiKey; } $uri .= "?" . $queryString; $this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, true); } $title = "Collections"; $results = Zotero_Collections::getAllAdvanced($this->objectLibraryID, false, $this->queryParams); } $collections = $results['collections']; $totalResults = $results['total']; } if (!empty($collectionIDs)) { foreach ($collectionIDs as $collectionID) { $collections[] = Zotero_Collections::get($this->objectLibraryID, $collectionID); } // Fake sorting and limiting $totalResults = sizeOf($collections); $key = $this->queryParams['order']; if ($key == 'title') { $key = 'name'; } $dir = $this->queryParams['sort']; usort($collections, function ($a, $b) use($key, $dir) { $dir = $dir == "asc" ? 1 : -1; if ($a->{$key} == $b->{$key}) { return 0; } else { return $a->{$key} > $b->{$key} ? $dir : $dir * -1; } }); $collections = array_slice($collections, $this->queryParams['start'], $this->queryParams['limit']); } $this->responseXML = Zotero_Atom::createAtomFeed($this->getFeedNamePrefix($this->objectLibraryID) . $title, $this->uri, $collections, $totalResults, $this->queryParams, $this->apiVersion, $this->permissions); } $this->end(); }
public function items() { // Check for general library access if (!$this->permissions->canAccess($this->objectLibraryID)) { $this->e403(); } if ($this->isWriteMethod()) { // Check for library write access if (!$this->permissions->canWrite($this->objectLibraryID)) { $this->e403("Write access denied"); } // Make sure library hasn't been modified if (!$this->singleObject) { $libraryTimestampChecked = $this->checkLibraryIfUnmodifiedSinceVersion(); } // We don't update the library version in file mode, because currently // to avoid conflicts in the client the timestamp can't change // when the client updates file metadata if (!$this->fileMode) { Zotero_Libraries::updateVersionAndTimestamp($this->objectLibraryID); } } $itemIDs = array(); $itemKeys = array(); $results = array(); $title = ""; // // Single item // if ($this->singleObject) { if ($this->fileMode) { if ($this->fileView) { $this->allowMethods(array('HEAD', 'GET', 'POST')); } else { $this->allowMethods(array('HEAD', 'GET', 'PUT', 'POST', 'PATCH')); } } else { $this->allowMethods(array('HEAD', 'GET', 'PUT', 'PATCH', 'DELETE')); } if (!$this->objectLibraryID || !Zotero_ID::isValidKey($this->objectKey)) { $this->e404(); } $item = Zotero_Items::getByLibraryAndKey($this->objectLibraryID, $this->objectKey); if ($item) { // If no access to the note, don't show that it exists if ($item->isNote() && !$this->permissions->canAccess($this->objectLibraryID, 'notes')) { $this->e404(); } // Make sure URL libraryID matches item libraryID if ($this->objectLibraryID != $item->libraryID) { $this->e404("Item does not exist"); } // File access mode if ($this->fileMode) { $this->_handleFileRequest($item); } if ($this->scopeObject) { switch ($this->scopeObject) { // Remove item from collection case 'collections': $this->allowMethods(array('DELETE')); $collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey); if (!$collection) { $this->e404("Collection not found"); } if (!$collection->hasItem($item->id)) { $this->e404("Item not found in collection"); } $collection->removeItem($item->id); $this->e204(); default: $this->e400(); } } } else { // Possibly temporary workaround to block unnecessary full syncs if ($this->fileMode && $this->httpAuth && $this->method == 'POST') { // If > 2 requests for missing file, trigger a full sync via 404 $cacheKey = "apiMissingFile_" . $this->objectLibraryID . "_" . $this->objectKey; $set = Z_Core::$MC->get($cacheKey); if (!$set) { Z_Core::$MC->set($cacheKey, 1, 86400); } else { if ($set < 2) { Z_Core::$MC->increment($cacheKey); } else { Z_Core::$MC->delete($cacheKey); $this->e404("A file sync error occurred. Please sync again."); } } $this->e500("A file sync error occurred. Please sync again."); } } if ($this->isWriteMethod()) { $item = $this->handleObjectWrite('item', $item ? $item : null); if ($this->apiVersion < 2 && ($this->method == 'PUT' || $this->method == 'PATCH')) { $this->queryParams['format'] = 'atom'; $this->queryParams['content'] = ['json']; } } if (!$item) { $this->e404("Item does not exist"); } $this->libraryVersion = $item->version; if ($this->method == 'HEAD') { $this->end(); } // Display item switch ($this->queryParams['format']) { case 'atom': $this->responseXML = Zotero_Items::convertItemToAtom($item, $this->queryParams, $this->permissions); break; case 'bib': echo Zotero_Cite::getBibliographyFromCitationServer(array($item), $this->queryParams); break; case 'csljson': $json = Zotero_Cite::getJSONFromItems(array($item), true); echo Zotero_Utilities::formatJSON($json); break; case 'json': $json = $item->toResponseJSON($this->queryParams, $this->permissions); echo Zotero_Utilities::formatJSON($json); break; default: $export = Zotero_Translate::doExport(array($item), $this->queryParams['format']); $this->queryParams['format'] = null; header("Content-Type: " . $export['mimeType']); echo $export['body']; break; } } else { $this->allowMethods(array('HEAD', 'GET', 'POST', 'DELETE')); $this->libraryVersion = Zotero_Libraries::getUpdatedVersion($this->objectLibraryID); $includeTrashed = $this->queryParams['includeTrashed']; if ($this->scopeObject) { $this->allowMethods(array('GET', 'POST')); switch ($this->scopeObject) { case 'collections': // TEMP if (Zotero_ID::isValidKey($this->scopeObjectKey)) { $collection = Zotero_Collections::getByLibraryAndKey($this->objectLibraryID, $this->scopeObjectKey); } else { $collection = false; } if (!$collection) { // If old collectionID, redirect if ($this->method == 'GET' && Zotero_Utilities::isPosInt($this->scopeObjectKey)) { $collection = Zotero_Collections::get($this->objectLibraryID, $this->scopeObjectKey); if ($collection) { $qs = !empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : ''; $base = Zotero_API::getCollectionURI($collection); $this->redirect($base . "/items" . $qs, 301); } } $this->e404("Collection not found"); } // Add items to collection if ($this->method == 'POST') { $itemKeys = explode(' ', $this->body); $itemIDs = array(); foreach ($itemKeys as $key) { try { $item = Zotero_Items::getByLibraryAndKey($this->objectLibraryID, $key); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_OBJECT_LIBRARY_MISMATCH) { $item = false; } else { throw $e; } } if (!$item) { throw new Exception("Item '{$key}' not found in library", Z_ERROR_INVALID_INPUT); } if ($item->getSource()) { throw new Exception("Child items cannot be added to collections directly", Z_ERROR_INVALID_INPUT); } $itemIDs[] = $item->id; } $collection->addItems($itemIDs); $this->e204(); } if ($this->subset == 'top' || $this->apiVersion < 2) { $title = "Top-Level Items in Collection ‘" . $collection->name . "’"; $itemIDs = $collection->getItems(); } else { $title = "Items in Collection ‘" . $collection->name . "’"; $itemIDs = $collection->getItems(true); } break; case 'tags': if ($this->apiVersion >= 2) { $this->e404(); } $this->allowMethods(array('GET')); $tagIDs = Zotero_Tags::getIDs($this->objectLibraryID, $this->scopeObjectName); if (!$tagIDs) { $this->e404("Tag not found"); } foreach ($tagIDs as $tagID) { $tag = new Zotero_Tag(); $tag->libraryID = $this->objectLibraryID; $tag->id = $tagID; // Use a real tag name, in case case differs if (!$title) { $title = "Items of Tag ‘" . $tag->name . "’"; } $itemKeys = array_merge($itemKeys, $tag->getLinkedItems(true)); } $itemKeys = array_unique($itemKeys); break; default: $this->e404(); } } else { // Top-level items if ($this->subset == 'top') { $this->allowMethods(array('GET')); $title = "Top-Level Items"; $results = Zotero_Items::search($this->objectLibraryID, true, $this->queryParams, $includeTrashed, $this->permissions); } else { if ($this->subset == 'trash') { $this->allowMethods(array('GET')); $title = "Deleted Items"; $this->queryParams['trashedItemsOnly'] = true; $includeTrashed = true; $results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions); } else { if ($this->subset == 'children') { $item = Zotero_Items::getByLibraryAndKey($this->objectLibraryID, $this->objectKey); if (!$item) { $this->e404("Item not found"); } if ($item->isAttachment()) { $this->e400("/children cannot be called on attachment items"); } if ($item->isNote()) { $this->e400("/children cannot be called on note items"); } if ($item->getSource()) { $this->e400("/children cannot be called on child items"); } // Create new child items if ($this->method == 'POST') { if ($this->apiVersion >= 2) { $this->allowMethods(array('GET')); } Zotero_DB::beginTransaction(); $obj = $this->jsonDecode($this->body); $results = Zotero_Items::updateMultipleFromJSON($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $libraryTimestampChecked ? 0 : 1, $item); Zotero_DB::commit(); if ($cacheKey = $this->getWriteTokenCacheKey()) { Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime); } $uri = Zotero_API::getItemsURI($this->objectLibraryID); $keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged'])); $queryString = "itemKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=itemKeyList&sort=asc"; if ($this->apiKey) { $queryString .= "&key=" . $this->apiKey; } $uri .= "?" . $queryString; $this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, false); $this->responseCode = 201; $title = "Items"; $results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions); } else { $title = "Child Items of ‘" . $item->getDisplayTitle() . "’"; $notes = $item->getNotes(); $attachments = $item->getAttachments(); $itemIDs = array_merge($notes, $attachments); } } else { // Create new items if ($this->method == 'POST') { $this->queryParams['format'] = 'writereport'; $obj = $this->jsonDecode($this->body); // Server-side translation if (isset($obj->url)) { if ($this->apiVersion == 1) { Zotero_DB::beginTransaction(); } $token = $this->getTranslationToken($obj); $results = Zotero_Items::addFromURL($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $token); if ($this->apiVersion == 1) { Zotero_DB::commit(); } // Multiple choices if ($results instanceof stdClass) { $this->queryParams['format'] = null; header("Content-Type: application/json"); if ($this->queryParams['v'] >= 2) { echo Zotero_Utilities::formatJSON(['url' => $obj->url, 'token' => $token, 'items' => $results->select]); } else { echo Zotero_Utilities::formatJSON($results->select); } $this->e300(); } else { if (is_int($results)) { switch ($results) { case 501: $this->e501("No translators found for URL"); break; default: $this->e500("Error translating URL"); } } else { if ($this->apiVersion == 1) { $uri = Zotero_API::getItemsURI($this->objectLibraryID); $keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged'])); $queryString = "itemKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=itemKeyList&sort=asc"; if ($this->apiKey) { $queryString .= "&key=" . $this->apiKey; } $uri .= "?" . $queryString; $this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, false); $this->responseCode = 201; $title = "Items"; $results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions); } } } // Otherwise return write status report } else { if ($this->apiVersion < 2) { Zotero_DB::beginTransaction(); } $results = Zotero_Items::updateMultipleFromJSON($obj, $this->queryParams, $this->objectLibraryID, $this->userID, $this->permissions, $libraryTimestampChecked ? 0 : 1, null); if ($this->apiVersion < 2) { Zotero_DB::commit(); $uri = Zotero_API::getItemsURI($this->objectLibraryID); $keys = array_merge(get_object_vars($results['success']), get_object_vars($results['unchanged'])); $queryString = "itemKey=" . urlencode(implode(",", $keys)) . "&format=atom&content=json&order=itemKeyList&sort=asc"; if ($this->apiKey) { $queryString .= "&key=" . $this->apiKey; } $uri .= "?" . $queryString; $this->queryParams = Zotero_API::parseQueryParams($queryString, $this->action, false); $this->responseCode = 201; $title = "Items"; $results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions); } } if ($cacheKey = $this->getWriteTokenCacheKey()) { Z_Core::$MC->set($cacheKey, true, $this->writeTokenCacheTime); } } else { if ($this->method == 'DELETE') { Zotero_DB::beginTransaction(); foreach ($this->queryParams['itemKey'] as $itemKey) { Zotero_Items::delete($this->objectLibraryID, $itemKey); } Zotero_DB::commit(); $this->e204(); } else { $title = "Items"; $results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions); } } } } } } if ($itemIDs || $itemKeys) { if ($itemIDs) { $this->queryParams['itemIDs'] = $itemIDs; } if ($itemKeys) { $this->queryParams['itemKey'] = $itemKeys; } $results = Zotero_Items::search($this->objectLibraryID, false, $this->queryParams, $includeTrashed, $this->permissions); } if ($this->queryParams['format'] == 'bib') { $maxBibItems = Zotero_API::MAX_BIBLIOGRAPHY_ITEMS; if ($results['total'] > $maxBibItems) { $this->e413("Cannot generate bibliography with more than {$maxBibItems} items"); } } $this->generateMultiResponse($results, $title); } $this->end(); }