コード例 #1
ファイル: content.php プロジェクト: RogerGee/abet1
     // delete the specified entity
     echo delete_content($_POST['delete'], $kind);
 } else {
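     if (array_key_exists('id', $_POST)) {
         // Update a single content entity. The key that accompanies 'id'
         // selects the entity kind:
         //   'file_comment' => file_upload
         //   'content'      => user_comment
         // Anything else is a malformed request.
         if (array_key_exists('file_comment', $_POST)) {
             $kind = 'file_upload';
         } else if (array_key_exists('content', $_POST)) {
             $kind = 'user_comment';
         } else {
             // page_fail() is defined outside this excerpt; the code below
             // assumes it ends the request - confirm.
             page_fail(BAD_REQUEST);
         }
         // PHP parses "id[]=x" style parameters into arrays. Accept only a
         // plain string so an array never reaches the access check or the
         // update routine.
         if (!is_string($_POST['id'])) {
             page_fail(BAD_REQUEST);
         }
         // Verify that the user can access the entity. Admins skip the lookup
         // (short-circuit); $found is presumably filled in by reference by
         // check_general_content_item_access() - confirm. It is only read when
         // that call actually ran.
         if (!abet_is_admin_authenticated() && !check_general_content_item_access($_SESSION['id'], $_POST['id'], $kind, $found)) {
             page_fail($found ? UNAUTHORIZED : NOT_FOUND);
         }
         // Build the update set key by key instead of handing $_POST over, so
         // the client cannot add fields beyond 'id' and the one text field
         // that belongs to $kind.
         // NOTE(review): the "s:" prefix is kept as in the original; it looks
         // like a type tag understood by update_content() - confirm.
         $updates = array();
         $updates['id'] = $_POST['id'];
         if ($kind === 'file_upload') {
             // reject array-valued text before it is interpolated
             if (!is_string($_POST['file_comment'])) {
                 page_fail(BAD_REQUEST);
             }
             $updates['file_comment'] = "s:{$_POST['file_comment']}";
         } else {
             if (!is_string($_POST['content'])) {
                 page_fail(BAD_REQUEST);
             }
             $updates['content'] = "s:{$_POST['content']}";
         }
         update_content($kind, $updates);
         echo "{\"success\":true}";
     } else {
         // no 'id': nothing identifies the entity to update
         page_fail(BAD_REQUEST);
     }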
コード例 #2
ファイル: file-download.php プロジェクト: RogerGee/abet1
    a file_upload entity as the GET argument. The script checks access to the
    file before allowing it to be downloaded.
*/
// Gate 1 - session check: a visitor without an authenticated session gets the
// UNAUTHORIZED status plus a short HTML notice, and the script stops here.
if (!abet_is_authenticated()) {
    header('Content-Type: text/html');
    http_response_code(UNAUTHORIZED);
    // exit() with a string prints it and then terminates the script
    exit('<h1>Access to the specified object is unauthorized.</h1>');
}
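// Gate 2 - request shape: 'id' must be present and must be a plain string.
// PHP parses "?id[]=x" into an array; rejecting it here keeps non-string
// values away from the access check and from file_download() further down.
if (!array_key_exists('id', $_GET) || !is_string($_GET['id'])) {
    http_response_code(BAD_REQUEST);
    header('Content-Type: text/html');
    // the heading is now closed; it was previously left unterminated
    echo "<h1>Bad request: try again...</h1>";
    exit;
}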
// Gate 3 - per-object authorization. Admins and observers pass without the
// lookup (short-circuit); for everyone else the decision comes from
// check_general_content_item_access(). $found is presumably set by reference
// by that call - confirm.
// NOTE(review): the two failure branches answer with different status codes,
// so any logged-in user can tell an existing id from a missing one. Return
// the same response for both if existence should not be observable.
if (!(abet_is_admin_authenticated() || abet_is_observer() || check_general_content_item_access($_SESSION['id'], $_GET['id'], 'file_upload', $found))) {
    header('Content-Type: text/html');
    if (!$found) {
        // no such entity
        http_response_code(NOT_FOUND);
        exit("<h1>The specified object was not found. It's possible it was removed.</h1>");
    }
    // entity exists, but this user may not read it
    http_response_code(UNAUTHORIZED);
    exit('<h1>Access to the specified object is unauthorized or it has been removed.</h1>');
}
// call routine to output file
// Reached only when every check above let the request through, since each
// failing check ends with exit. The id is passed on from $_GET unchanged,
// i.e. the same value the access check was given.
// file_download() is defined outside this excerpt; it presumably sends the
// response headers and the file bytes itself - confirm.
file_download($_GET['id']);