$statusMsg = i18n('apigate-keyinfo-status-enabled'); } else { $statusClass = "disabled"; $statusMsg = i18n('apigate-keyinfo-status-disabled'); } $statusHtml = "<span class='status {$statusClass}'>{$statusMsg}</span>"; } print i18n('apigate-keyinfo-status', $statusHtml); // If the key is disabled, show the user why. if (!$apiKeyObject->isEnabled()) { $reasonBanned = $apiKeyObject->getReasonBanned(); $reasonBanned = $reasonBanned == null ? i18n('apigate-keyinfo-no-reason-found') : $apiKeyObject->getReasonBanned(); print "<div class='reasonDisabled'>\n" . i18n('apigate-keyinfo-reason-disabled', $reasonBanned) . "\n</div>\n"; } // Always display the full banlog to admins if there are any events in it. if (ApiGate_Config::isAdmin()) { print "<div class='banLog'>\n" . i18n('apigate-keyinfo-banlog-heading') . "\n<br/>\n"; print $apiKeyObject->getBanLogHtml() . "</div>\n"; } ?> <br/> <?php echo i18n('apigate-keyinfo-name'); ?> <br/> <input type='text' name='firstName' value='<?php echo $apiKeyObject->getFirstName(); ?> ' style='width:192px'/> <input type='text' name='lastName' value='<?php echo $apiKeyObject->getLastName();
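/**
 * Builds the usage-stats html (interactive javascript charts) for a specific API key.
 *
 * Re-uses some of our SponsorshipDashboard code (through getChartHtmlByPeriod), so it is not reusable
 * outside this wiki and isn't very customizable yet, but using SD saved a TON by getting us a decent
 * amount of features in almost no time.
 *
 * SECURITY: this method performs NO access check on $apiKey. The calling code is responsible for
 * checking whether the current user should be allowed to see the html that this function returns.
 * The only gating done here is that the hourly chart is emitted for admins only.
 *
 * @param string $apiKey - api key whose usage stats should be shown. It is passed straight through to
 *                         getChartHtmlByPeriod(); whether that escapes it for html/js is not visible here.
 * @return string - the html for showing the charts of stats. Can be thrown right into wgOut.
 */
public function subpage_keyStats($apiKey) {
    wfProfileIn(__METHOD__);

    // TODO: LATER: When API Gate has its own charting, use that instead of this SponsorshipDashboard-dependent code.
    $metricName = wfMsg('apigate-chart-metric-requests');
    $html = "";

    // Users only get daily and monthly for now; hourly is admin-only (used to detect anything weird).
    if (ApiGate_Config::isAdmin()) {
        // To avoid confusion, mention on the page that only admins see the hourly graph.
        $html .= wfMsg('apigate-hourly-admin-only') . "<br/><br/>\n";
        $chartName = wfMsg('apigate-chart-name-hourly');
        $html .= $this->getChartHtmlByPeriod($apiKey, "hourly", $metricName, $chartName);
    }

    $chartName = wfMsg('apigate-chart-name-daily');
    $html .= $this->getChartHtmlByPeriod($apiKey, "daily", $metricName, $chartName);

    $chartName = wfMsg('apigate-chart-name-monthly');
    $html .= $this->getChartHtmlByPeriod($apiKey, "monthly", $metricName, $chartName);

    wfProfileOut(__METHOD__);
    return $html;
}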
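/**
 * If the form in the 'key' template was posted, this will process it and apply any updates.
 *
 * Only acts when the posted formName is "apiGate_apiKey_updateKeyInfo". The key must exist in the
 * database and canBeEditedByCurrentUser() must hold; otherwise a deliberately vague
 * "not found / access denied" error is returned (see the NOTE below). Admins may additionally flip
 * the enabled/disabled flag, which writes a banlog row and purges the remote cache of the key's validity.
 *
 * NOTE(review): no CSRF token is checked anywhere in this method; any page that can make the victim's
 * browser POST this form can rewrite their key's contact info (or, for an admin victim, disable a key).
 * The token helpers are not among the identifiers visible here - confirm the calling handler checks one.
 *
 * @return string - a string (html) containing any errors that occurred while trying to update the key info;
 *                  empty on success or when the form was not posted.
 */
public static function processPost() {
    $errorString = "";
    if (ApiGate::getPost('formName') != "apiGate_apiKey_updateKeyInfo") {
        return $errorString;
    }

    $apiKey = ApiGate::getPost('apiKey');
    $apiKeyObject = ApiGate_ApiKey::newFromDb($apiKey);

    // $apiKey is raw POST input that gets reflected into an html error message. Escape it here so the
    // message is safe regardless of whether i18n()/getErrorHtml() escape their arguments (not visible here;
    // if they do, a legitimate key only ever contains characters that survive double-escaping).
    $apiKeyForHtml = htmlspecialchars((string) $apiKey, ENT_QUOTES, 'UTF-8');

    // NOTE: This message which says essentially "not found or you don't have access" is intentionally vague.
    // If we had access-denied and key-not-found be different errors, attackers could just iterate through a bunch
    // of possibilities until they found a key that exists & then they could spoof as being that app.
    if (!is_object($apiKeyObject)) {
        return ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKeyForHtml));
    }
    if (!$apiKeyObject->canBeEditedByCurrentUser()) {
        // Same vague message as the not-found case, on purpose (see above).
        return ApiGate::getErrorHtml(i18n('apigate-error-keyaccess-denied', $apiKeyForHtml));
    }

    $nickName = ApiGate::getPost('nickName');
    $firstName = ApiGate::getPost('firstName');
    $lastName = ApiGate::getPost('lastName');
    $email_1 = ApiGate::getPost('email_1');
    $email_2 = ApiGate::getPost('email_2');

    // Validate input (same business logic as ApiGate_Register::processPost()). nickName is not validated,
    // only SQL-escaped below.
    global $API_GATE_DIR;
    include_once "{$API_GATE_DIR}/ApiGate_Register.class.php";
    $errorString = ApiGate_Register::validateNameAndEmail($firstName, $lastName, $email_1, $email_2, $errorString);
    if ($errorString != "") {
        return $errorString;
    }

    // Every user-supplied value is escaped against the master connection: the legacy mysql_* extension
    // needs the link resource that getMasterDb() returns. The key itself comes from the object's
    // getApiKeySqlSafe(), which by its name is presumed to be already escaped.
    $dbw = ApiGate_Config::getMasterDb();
    $queryString = "UPDATE " . ApiGate::TABLE_KEYS . " SET ";
    $queryString .= "nickName='" . mysql_real_escape_string($nickName, $dbw) . "'";
    $queryString .= ", firstName='" . mysql_real_escape_string($firstName, $dbw) . "'";
    $queryString .= ", lastName='" . mysql_real_escape_string($lastName, $dbw) . "'";
    $queryString .= ", email='" . mysql_real_escape_string($email_1, $dbw) . "'";

    // If this is an admin, also allow changing of the enabled/disabled field from this form. The banlog
    // row and the cache purge are built now but only sent once the UPDATE has actually been applied,
    // so the log never records a change that did not happen and the purge cannot race the commit.
    $logQuery = null;
    if (ApiGate_Config::isAdmin()) {
        $setToEnabled = intval(ApiGate::getPost('enabled')) !== 0;
        // Loose comparison kept on purpose: isEnabled()'s return type is not visible here.
        if ($setToEnabled != $apiKeyObject->isEnabled()) {
            // Store a normalized 0/1 rather than whatever integer was posted.
            $queryString .= ", enabled='" . ($setToEnabled ? 1 : 0) . "'";

            $logQuery = "INSERT INTO " . ApiGate::TABLE_BANLOG . " (apiKey, action, username, reason) VALUES (";
            $logQuery .= "'" . $apiKeyObject->getApiKeySqlSafe() . "'";
            $logQuery .= ", '" . ($setToEnabled ? "enabled" : "disabled") . "'";
            $logQuery .= ", '" . mysql_real_escape_string(ApiGate_Config::getUsername(), $dbw) . "'";
            $logQuery .= ", 'MANUAL CHANGE: " . mysql_real_escape_string(ApiGate::getPost('reason'), $dbw) . "'";
            $logQuery .= ")";
        }
    }
    $queryString .= " WHERE apiKey='{$apiKeyObject->getApiKeySqlSafe()}'";

    if (ApiGate::sendQuery($queryString)) {
        if ($logQuery !== null) {
            // Record the enable/disable in the banlog in the same transaction as the state change.
            ApiGate::sendQuery($logQuery);
        }
        // MediaWiki was randomly not saving some rows without this (the registration queries, so I'm assuming
        // it's the same everywhere).
        ApiGate::sendQuery("COMMIT");
        if ($logQuery !== null) {
            // Purge the remote cache of this key's validity (for example, Fastly's cached call to check if the
            // key is allowed to access the API) only AFTER the commit, so a re-fetch cannot repopulate the
            // cache with the old enabled state.
            ApiGate::purgeKey($apiKey);
        }
    } else {
        $errorString .= "\n" . i18n('apigate-register-error-mysql_error');
        // Raw driver errors can echo query fragments (i.e. user-supplied data) and reveal schema details,
        // so only admins get to see them, and only html-escaped.
        if (ApiGate_Config::isAdmin()) {
            $errorString .= "\n<br/><br/>" . htmlspecialchars((string) mysql_error($dbw), ENT_QUOTES, 'UTF-8');
        }
    }

    return $errorString;
}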