$keyword = isset($matches[1]) ? $matches[1] : ''; $keyword = yourls_sanitize_keyword($keyword); $aggregate = isset($matches[2]) ? (bool) $matches[2] && yourls_allow_duplicate_longurls() : false; // Variables should be defined in yourls-loader.php, if not try GET request (old behavior of yourls-infos.php) if (!isset($keyword) && isset($_GET['id'])) { $keyword = $_GET['id']; } if (!isset($aggregate) && isset($_GET['all']) && $_GET['all'] == 1 && yourls_allow_duplicate_longurls()) { $aggregate = true; } if (!isset($keyword)) { yourls_do_action('infos_no_keyword'); yourls_redirect(YOURLS_SITE, 302); } $user = $_SESSION["user"]; if (verifyUrlOwner($keyword, $user["id"]) && YOURLS_MULTIUSER_PROTECTED === true || YOURLS_MULTIUSER_PROTECTED === false) { // Get basic infos for this shortened URL $keyword = yourls_sanitize_string($keyword); $longurl = yourls_get_keyword_longurl($keyword); $clicks = yourls_get_keyword_clicks($keyword); $timestamp = yourls_get_keyword_timestamp($keyword); $title = yourls_get_keyword_title($keyword); // Update title if it hasn't been stored yet if ($title == '') { $title = yourls_get_remote_title($longurl); yourls_edit_link_title($keyword, $title); } if ($longurl === false) { yourls_do_action('infos_keyword_not_found'); yourls_redirect(YOURLS_SITE, 302); }
case 'edit_save': yourls_verify_nonce('edit-save_' . $_REQUEST['id'], $_REQUEST['nonce'], false, 'omg error'); $user = $_SESSION["user"]; if (verifyUrlOwner(yourls_sanitize_keyword($_REQUEST['keyword']), $user["id"])) { $return = yourls_edit_link($_REQUEST['url'], $_REQUEST['keyword'], $_REQUEST['newkeyword'], $_REQUEST['title']); echo json_encode($return); } else { // TODO: SHOW ERROR! $keyword = $_REQUEST['keyword']; die("THE {$keyword} url does not seems to be from " . $user["id"]); } break; case 'delete': yourls_verify_nonce('delete-link_' . $_REQUEST['id'], $_REQUEST['nonce'], false, 'omg error'); $user = $_SESSION["user"]; if (verifyUrlOwner(yourls_sanitize_keyword($_REQUEST['keyword']), $user["id"])) { $query = yourls_delete_link_by_keyword($_REQUEST['keyword']); echo json_encode(array('success' => $query)); } else { // TODO: SHOW ERROR! die; } break; case 'logout': // unused for the moment yourls_logout(); break; default: yourls_do_action('yourls_ajax_' . $action); } die;
function trapApi($args) { $action = $args[0]; $admin = yourls_is_valid_user(); // Uses this name but REFERS to ADMIN! if ($admin === true || $action == "expand") { return; } if (YOURLS_MULTUSER_PROTECTED === false && ($action == "stats" || $action == "db-stats" || $action == 'url-stats')) { return; } switch ($action) { case "shorturl": if (YOURLS_MULTIUSER_ANONYMOUS === true) { return; } else { $token = isset($_REQUEST['token']) ? yourls_sanitize_string($_REQUEST['token']) : ''; $user = getUserIdByToken($token); if ($user == false) { $u = $_SESSION["user"]; $user = getUserIdByToken($u["token"]); } if ($user == false) { $return = array('simple' => 'You can\'t be anonymous', 'message' => 'You can\'t be anonymous', 'errorCode' => 403); } else { return; } } break; // Stats for a shorturl // Stats for a shorturl case 'url-stats': $token = isset($_REQUEST['token']) ? yourls_sanitize_string($_REQUEST['token']) : ''; $user = getUserIdByToken($token); if ($user == false) { $u = $_SESSION["user"]; $user = getUserIdByToken($u["token"]); } if ($user == false) { $return = array('simple' => 'Invalid username or password', 'message' => 'Invalid username or password', 'errorCode' => 403); } else { if (verifyUrlOwner($keyword, $user)) { $shorturl = isset($_REQUEST['shorturl']) ? $_REQUEST['shorturl'] : ''; $return = yourls_api_url_stats($shorturl); } else { $return = array('simple' => 'Invalid username or password', 'message' => 'Invalid username or password', 'errorCode' => 403); } } break; default: $return = array('errorCode' => 400, 'message' => 'Unknown or missing or forbidden "action" parameter', 'simple' => 'Unknown or missing or forbidden "action" parameter'); } $format = isset($_REQUEST['format']) ? $_REQUEST['format'] : 'xml'; yourls_api_output($format, $return); die; }