// delete the specified entity
// (the enclosing if/else that dispatches on the POST keys starts before this fragment)
echo delete_content($_POST['delete'], $kind);
} else {
    if (array_key_exists('id', $_POST)) {
        // update content (single entity)
        // $kind is derived from which POST key is present: 'file_comment' -> file_upload,
        // 'content' -> user_comment. page_fail() is assumed to terminate the script;
        // if it ever returned, $kind would be undefined for the calls below — confirm.
        if (array_key_exists('file_comment', $_POST)) { $kind = 'file_upload'; } else { if (array_key_exists('content', $_POST)) { $kind = 'user_comment'; } else { page_fail(BAD_REQUEST); } }
        // verify that the user can access the entity
        // NOTE(review): the && short-circuits for an authenticated admin, so the
        // per-item access/existence check is skipped entirely and $found is never set;
        // $found looks like an out-parameter filled by check_general_content_item_access — verify.
        // $_POST['id'] is passed through unvalidated here; presumably the callee validates it.
        if (!abet_is_admin_authenticated() && !check_general_content_item_access($_SESSION['id'], $_POST['id'], $kind, $found)) { page_fail($found ? UNAUTHORIZED : NOT_FOUND); }
        // for security's sake I create these manually: only 'id' and the one
        // expected text field are copied out of $_POST, so no other submitted key can
        // reach update_content(). The "s:" prefix appears to be a type tag consumed by
        // update_content(); confirm that it is what keeps the value treated as a literal string.
        $updates = array(); $updates['id'] = $_POST['id'];
        if (array_key_exists('file_comment', $_POST)) { $updates['file_comment'] = "s:{$_POST['file_comment']}"; } else { $updates['content'] = "s:{$_POST['content']}"; }
        update_content($kind, $updates);
        // hand-built JSON success body (no user data is interpolated into it)
        echo "{\"success\":true}";
    } else { page_fail(BAD_REQUEST); }
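a file_upload entity as the GET argument. The script checks access to the file before allowing it to be downloaded. */

// check general authentication mode: unauthenticated callers are rejected before
// any item lookup happens, so this endpoint does not leak whether an id exists
if (!abet_is_authenticated()) {
    http_response_code(UNAUTHORIZED);
    header('Content-Type: text/html');
    echo "<h1>Access to the specified object is unauthorized.</h1>";
    exit;
}

// check for correct GET variables
if (!array_key_exists('id', $_GET)) {
    http_response_code(BAD_REQUEST);
    header('Content-Type: text/html');
    // the closing </h1> was missing from this message; the other error pages close it
    echo "<h1>Bad request: try again...</h1>";
    exit;
}

// check access to specific file resource
// NOTE(review): an admin or observer short-circuits the && and skips
// check_general_content_item_access() entirely, so for those roles
// file_download() receives $_GET['id'] without any validation here —
// confirm file_download() validates the id itself. $found looks like an
// out-parameter filled by check_general_content_item_access() — verify.
// All error bodies below are static strings; no request data is echoed.
if (!abet_is_admin_authenticated() && !abet_is_observer()
    && !check_general_content_item_access($_SESSION['id'], $_GET['id'], 'file_upload', $found)) {
    header('Content-Type: text/html');
    if ($found) {
        http_response_code(UNAUTHORIZED);
        echo "<h1>Access to the specified object is unauthorized or it has been removed.</h1>";
    } else {
        http_response_code(NOT_FOUND);
        echo "<h1>The specified object was not found. It's possible it was removed.</h1>";
    }
    exit;
}

// call routine to output file
file_download($_GET['id']);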