コード例 #1
0
 /**
  * Processes a POST (if there was one) of the registration form. If there was not a successful registration, then modifies
  * the data passed in to contain the values which WERE posted (to make form re-submission easier).  Returns 'true' if there
  * was a successful registration, false if there was no registration attempt or an error.
  *
  * If registration is successful, also sets 'apiKey' key in the 'data' array to the new API key that was created.
  *
  * @param data - array - an associative array whose keys are the names of the the variables for the template, and whose values should
  *                       be the default values for those fields.  This will be modified (overridden) by any of those values which were posted
  *                       to this page.
  * @return mixed - boolean true if there was a successful registration, false if there was no registration or a failed attempt. If there was
  *                 an error, that will be added to the 'data' array under the key 'errorString'.
  */
 public static function processPost(&$data)
 {
     $didRegister = false;
     if (ApiGate::getPost('formName') == "apiGate_register") {
         $firstName = ApiGate::getPost('firstName');
         $lastName = ApiGate::getPost('lastName');
         $email_1 = ApiGate::getPost('email_1');
         $email_2 = ApiGate::getPost('email_2');
         // Validate the input.
         $errorString = "";
         $errorString = ApiGate_Register::validateNameAndEmail($firstName, $lastName, $email_1, $email_2, $errorString);
         // If input was valid, attempt to create a key.
         if ($errorString == "") {
             // Create a new API key and store it to the database with the values provided.
             $apiKey = self::generateKey();
             $userId = ApiGate_Config::getUserId();
             // This is in library-code (not MediaWiki) so build the query by hand.
             $dbw = ApiGate_Config::getMasterDb();
             $queryString = "INSERT INTO /* ApiGate_Register::processPost() */" . ApiGate::TABLE_KEYS . " (user_id, apiKey, email, firstName, lastName) VALUES (";
             $queryString .= "'" . mysql_real_escape_string($userId, $dbw) . "', ";
             $queryString .= "'" . mysql_real_escape_string($apiKey, $dbw) . "', ";
             $queryString .= "'" . mysql_real_escape_string($email_1, $dbw) . "', ";
             $queryString .= "'" . mysql_real_escape_string($firstName, $dbw) . "', ";
             $queryString .= "'" . mysql_real_escape_string($lastName, $dbw) . "')";
             if (ApiGate::sendQuery($queryString)) {
                 ApiGate::sendQuery("COMMIT");
                 // MediaWiki was randomly not saving the row without this.
                 $data['apiKey'] = $apiKey;
                 $didRegister = true;
             } else {
                 $errorString .= "\n" . i18n('apigate-mysql-error');
                 $errorString .= "\n<br/><br/>" . mysql_error($dbw);
             }
         }
         if ($errorString != "") {
             $errorString = trim($errorString);
             $errorString = str_replace("\n", "<br/>", $errorString);
             $data['errorString'] = $errorString;
         }
     }
     return $didRegister;
 }
コード例 #2
0
 /**
  * If the form in the 'key' template was posted, this will process it and apply any updates.
  *
  * @return string - a string containing any errors that occurred while trying to update the key info.
  */
 public static function processPost()
 {
     $errorString = "";
     if (ApiGate::getPost('formName') == "apiGate_apiKey_updateKeyInfo") {
         $apiKey = ApiGate::getPost('apiKey');
         $apiKeyObject = ApiGate_ApiKey::newFromDb($apiKey);
         if (is_object($apiKeyObject)) {
             if ($apiKeyObject->canBeEditedByCurrentUser()) {
                 $nickName = ApiGate::getPost('nickName');
                 $firstName = ApiGate::getPost('firstName');
                 $lastName = ApiGate::getPost('lastName');
                 $email_1 = ApiGate::getPost('email_1');
                 $email_2 = ApiGate::getPost('email_2');
                 // Validate input (same business logic as ApiGate_Register::processPost()).
                 global $API_GATE_DIR;
                 include_once "{$API_GATE_DIR}/ApiGate_Register.class.php";
                 $errorString = ApiGate_Register::validateNameAndEmail($firstName, $lastName, $email_1, $email_2, $errorString);
                 // If there were no errors, update the key info in the database.
                 if ($errorString == "") {
                     $dbw = ApiGate_Config::getMasterDb();
                     $queryString = "UPDATE " . ApiGate::TABLE_KEYS . " SET ";
                     $queryString .= "nickName='" . mysql_real_escape_string($nickName, $dbw) . "'";
                     $queryString .= ", firstName='" . mysql_real_escape_string($firstName, $dbw) . "'";
                     $queryString .= ", lastName='" . mysql_real_escape_string($lastName, $dbw) . "'";
                     $queryString .= ", email='" . mysql_real_escape_string($email_1, $dbw) . "'";
                     // If this is an admin, also allow changing of the enabled/disabled field from this form.
                     if (ApiGate_Config::isAdmin()) {
                         $enabled = intval(ApiGate::getPost('enabled'));
                         $setToEnabled = $enabled !== 0;
                         // If there was a change, update the log and apply it.
                         if ($setToEnabled != $apiKeyObject->isEnabled()) {
                             $queryString .= ", enabled='{$enabled}'";
                             $reason = ApiGate::getPost('reason');
                             $logQuery = "INSERT INTO " . ApiGate::TABLE_BANLOG . " (apiKey, action, username, reason) VALUES (";
                             $logQuery .= "'" . $apiKeyObject->getApiKeySqlSafe() . "'";
                             $logQuery .= ", '" . ($setToEnabled ? "enabled" : "disabled") . "'";
                             $logQuery .= ", '" . mysql_real_escape_string(ApiGate_Config::getUsername(), $dbw) . "'";
                             $logQuery .= ", 'MANUAL CHANGE: " . mysql_real_escape_string($reason, $dbw) . "'";
                             $logQuery .= ")";
                             ApiGate::sendQuery($logQuery);
                             // Purge the remote cache of this key's validity (for example, Fastly's cached call to check if the key is allowed to access the API).
                             ApiGate::purgeKey($apiKey);
                         }
                     }
                     $queryString .= " WHERE apiKey='{$apiKeyObject->getApiKeySqlSafe()}'";
                     if (ApiGate::sendQuery($queryString)) {
                         ApiGate::sendQuery("COMMIT");
                         // MediaWiki was randomly not saving some rows without this (the registration queries, so I'm assuming it's the same everywhere).
                     } else {
                         $errorString .= "\n" . i18n('apigate-register-error-mysql_error');
                         $errorString .= "\n<br/><br/>" . mysql_error($dbw);
                     }
                 }
             } else {
                 $errorString .= ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKey));
             }
         } else {
             // NOTE: This message which says essentially "not found or you don't have access" is intentionally vauge.
             // If we had access-denied and key-not-found be different errors, attackers could just iterate through a bunch of possibilities
             // until they found a key that exists & then they could spoof as being that app.
             $errorString .= ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKey));
         }
     }
     return $errorString;
 }