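function api_dispatch($method)
{
    # Route an API call named $method (e.g. "foo.bar.baz") to the PHP
    # function "<library>_<last segment>" configured for it in
    # $GLOBALS['cfg']['api']['methods']. Never returns normally: every
    # failure goes through api_output_error(), which is assumed to end
    # the request, and the handler is followed by exit.
    if (!$GLOBALS['cfg']['enable_feature_api']) {
        api_output_error(999, 'API disabled');
    }
    $method = filter_strict($method);
    # $method is caller-controlled; escape it before echoing it in an
    # error message.
    $enc_method = htmlspecialchars($method);
    $methods = $GLOBALS['cfg']['api']['methods'];
    # Only methods present in the config allowlist can be dispatched.
    if (!$method || !isset($methods[$method])) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    $method_row = $methods[$method];
    # A disabled method is reported with the same message as an unknown one.
    if (!$method_row['enabled']) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    $method_row['name'] = $method;
    # TO DO: check API keys here
    # TO DO: actually check auth here (whatever that means...)
    if ($method_row['requires_auth']) {
        api_auth_ensure_auth($method_row);
    }
    if ($method_row['requires_crumb']) {
        api_auth_ensure_crumb($method_row);
    }
    loadlib($method_row['library']);
    # "foo.bar.baz" -> "baz"; the handler is "<library>_baz".
    $parts = explode(".", $method);
    $method = array_pop($parts);
    $func = "{$method_row['library']}_{$method}";
    # A config entry whose handler was never defined used to hit a fatal
    # error inside call_user_func (an HTTP 500); answer 404 instead.
    if (!function_exists($func)) {
        api_output_error(404, "Method not found");
    }
    call_user_func($func);
    exit;
}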
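function rss_parse_fh($fh, $more = array())
{
    # Parse an RSS feed from an open file handle into a list of dot
    # records, one per item that carries a usable latitude/longitude.
    #
    # $fh   - open read handle; it is read in full and closed here.
    # $more - 'file' => array('path' => ...) is used only to size the
    #         fread(); 'max_records' (when non-zero) caps the number of
    #         items examined.
    #
    # Returns array('ok' => 1, 'data' => ..., 'errors' => ...), where each
    # 'errors' entry names the record and the column that was missing, or
    # array('ok' => 0, 'error' => ...) when the XML does not parse.
    $xml = fread($fh, filesize($more['file']['path']));
    fclose($fh);
    $xml = trim($xml);
    $rss = new MagpieRSS($xml, 'utf-8', 'utf-8', true);
    if (!$rss) {
        return array('ok' => 0, 'error' => 'Failed to parse the RSS. Perhaps it is incorrect or squirrel-y XML?');
    }
    $data = array();
    # Always initialised, so a clean run returns an empty list rather
    # than a reference to an undefined variable.
    $errors = array();
    # The counter is bumped before use, so the first item is record 2;
    # kept as-is because these numbers are reported back to the user.
    $record = 1;
    foreach ($rss->items as $item) {
        $record++;
        if ($more['max_records'] && $record > $more['max_records']) {
            break;
        }
        # Reset per item: previously an item with no geo data silently
        # inherited the coordinates left over from the preceding item.
        $lat = null;
        $lon = null;
        $has_latlon = 0;
        # Preferred source: geo:lat plus geo:long (or geo:lon).
        if ($geo = $item['geo']) {
            $lat = $geo['lat'];
            $lon = isset($geo['long']) ? $geo['long'] : $geo['lon'];
            list($lat, $lon) = import_ensure_valid_latlon($lat, $lon);
            $has_latlon = $lat && $lon ? 1 : 0;
        }
        # Fallback: a georss:point of the form "lat lon".
        if (!$has_latlon && ($geo = $item['georss'])) {
            $point = trim($geo['point']);
            # A point without a space yields a single element; treat the
            # missing longitude as absent instead of raising a notice.
            $pair = explode(" ", $point, 2);
            $lat = $pair[0];
            $lon = isset($pair[1]) ? $pair[1] : null;
            list($lat, $lon) = import_ensure_valid_latlon($lat, $lon);
            $has_latlon = $lat && $lon ? 1 : 0;
        }
        # What now? Maybe throw the description in to Placemaker ?
        if (!$lat) {
            $errors[] = array('record' => $record, 'error' => 'invalid or missing latitude', 'column' => 'latitude');
            continue;
        }
        if (!$lon) {
            $errors[] = array('record' => $record, 'error' => 'invalid or missing longitude', 'column' => 'longitude');
            continue;
        }
        #
        $tmp = array('guid' => filter_strict(sanitize($item['guid'], 'str')), 'title' => filter_strict(sanitize($item['title'], 'str')), 'link' => filter_strict(sanitize($item['link'], 'str')), 'created' => filter_strict(sanitize($item['pubdate'], 'str')), 'author' => filter_strict(sanitize($item['author'], 'str')), 'description' => filter_strict(sanitize($item['description'], 'str')), 'latitude' => $lat, 'longitude' => $lon);
        # what to do about 'description' and other tags?
        # Flickr photo feeds get a few extra, Flickr-specific fields.
        if (preg_match("/^tag:flickr.com,2004:\\/photo\\/(\\d+)\$/", $tmp['guid'], $m)) {
            # remove 'foo posted a photo:' stuff here
            $tmp['flickr:id'] = $m[1];
            # Why did we (Flickr) ever do this kind of thing...
            # (20101215/straup)
            $author = str_replace("nobody@flickr.com (", "", $tmp['author']);
            $author = rtrim($author, ")");
            $tmp['author'] = $author;
            if ($woe = $item['woe']) {
                $tmp['yahoo:woeid'] = filter_strict(sanitize($woe['woeid'], 'str'));
            }
            if (isset($item['media']) && isset($item['media']['category'])) {
                $tmp['tags'] = filter_strict(sanitize($item['media']['category'], 'str'));
            }
        }
        $data[] = $tmp;
    }
    return array('ok' => 1, 'data' => &$data, 'errors' => &$errors);
}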
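function api_test_echo()
{
    # Echo every GET parameter back to the caller (a connectivity test).
    # When the API runs on OAuth2 the bearer token arrives as the
    # 'access_token' query parameter; it is excluded from the echoed
    # output so the response never reflects a credential.
    $out = array();
    foreach ($_GET as $k => $ignore) {
        if ($GLOBALS['cfg']['api_auth_type'] == 'oauth2' && $k == 'access_token') {
            continue;
        }
        if ($k = filter_strict($k)) {
            $v = filter_strict(get_str($k));
            $out[$k] = $v;
        }
    }
    api_output_ok($out);
}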
function api_test_echo()
{
    # Echo every GET parameter back to the caller (a connectivity test).
    # Under OAuth2 the bearer token travels as the 'access_token' query
    # parameter and is deliberately left out of the reply.
    $skip_token = ($GLOBALS['cfg']['api_auth_type'] == 'oauth2');
    $echoed = array();
    foreach (array_keys($_GET) as $key) {
        if ($skip_token && $key == 'access_token') {
            continue;
        }
        $key = filter_strict($key);
        if (!$key) {
            continue;
        }
        $echoed[$key] = filter_strict(get_str($key));
    }
    api_output_ok($echoed);
}
# magic upload box...
$GLOBALS['smarty']->assign("include_url_upload", 1);
# Bail out early with the "disabled" page when imports are switched off.
if (!$GLOBALS['cfg']['enable_feature_import']) {
    $GLOBALS['error']['uploads_disabled'] = 1;
    $smarty->display("page_upload_disabled.txt");
    exit;
}
#################################################################
# Form token for this page. Whether it validated ($crumb_ok) decides
# further down whether a posted file is processed at all.
$crumb_key = 'upload';
$GLOBALS['smarty']->assign("crumb_key", $crumb_key);
$crumb_ok = crumb_check($crumb_key);
#
# Posted form fields, handed straight back to the template so the form
# can be re-rendered with the user's values.
$label = filter_strict(post_str('label'));
$GLOBALS['smarty']->assign("label", $label);
$private = post_str('private') ? 1 : 0;
$GLOBALS['smarty']->assign("private", $private);
$dots_index_on = filter_strict(post_str('dots_index_on'));
$GLOBALS['smarty']->assign("dots_index_on", $dots_index_on);
$mime_type = filter_strict(post_str('mime_type'));
$GLOBALS['smarty']->assign("mime_type", $mime_type);
# This is here mostly in case we throw and error and need/want
# to tell users about valid import formats.
$import_map = formats_pretty_import_names_map();
$GLOBALS['smarty']->assign_by_ref("import_map", $import_map);
if ($crumb_ok && $_FILES['upload'] && !post_str('url')) {
    $GLOBALS['smarty']->assign('step', 'process');
<?php

include "include/init.php";
# Key-management helpers for the API-key registration page.
loadlib("api_keys");
loadlib("api_keys_utils");
# Both the API and self-service key registration must be switched on;
# features_ensure_enabled() presumably ends the request otherwise.
features_ensure_enabled("api");
features_ensure_enabled("api_register_keys");
# Only logged-in users may register keys.
login_ensure_loggedin();
# Form token key for the registration form (presumably the anti-CSRF
# "crumb" that crumb_check() verifies before anything is created).
$crumb_key = 'api_key';
$GLOBALS['smarty']->assign("crumb_key", $crumb_key);
$step = 1;
if (post_isset('done') && crumb_check($crumb_key)) {
    $ok = 1;
    $title = filter_strict(post_str("title"));
    $description = filter_strict(post_str("description"));
    $callback = filter_strict(post_str("callback"));
    $conf = post_str("confirm");
    if ($ok && !$title) {
        $GLOBALS['smarty']->assign("error", "no_title");
        $ok = 0;
    } else {
        $GLOBALS['smarty']->assign("title", $title);
    }
    if ($ok && !$description) {
        $GLOBALS['smarty']->assign("error", "no_description");
        $ok = 0;
    } else {
        $GLOBALS['smarty']->assign("description", $description);
    }
    if ($ok && $callback) {
        if (!api_keys_utils_is_valid_callback($callback)) {
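$ok = 1;
# $url is set by the preceding part of this script (outside this block).
if ($url) {
    $parsed_url = utils_parse_url($url);
    # Only accept feeds hosted on flickr.com itself. The host must match
    # the whole string (case-insensitively): the previous unanchored
    # pattern also accepted hosts such as "flickr.com.example.net" or
    # "notflickr.com", which let a user point the importer at an
    # arbitrary server. NOTE(review): assumes utils_parse_url() returns
    # the bare host without a port, as parse_url() does — confirm.
    if (!preg_match("/^(www\\.)?flickr\\.com\$/i", $parsed_url['host'])) {
        $GLOBALS['error']['not_flickr'] = 1;
        $ok = 0;
    }
    $GLOBALS['smarty']->assign("url", $url);
    $GLOBALS['smarty']->assign("parsed_url", $parsed_url);
}
# Resolve the user-facing Flickr URL to its GeoRSS feed.
if ($url && $ok) {
    $feed_url = flickr_get_georss_feed($url);
    if (!$feed_url) {
        $GLOBALS['error']['no_feed_url'] = 1;
        $ok = 0;
    }
}
#
# Only import once the user has confirmed and the form token checks out.
if ($url && $ok && post_str('confirm') && crumb_check($crumb_key)) {
    $label = filter_strict(post_str('label'));
    $private = post_str('private') ? 1 : 0;
    $more = array('label' => $label, 'mark_all_private' => $private, 'return_dots' => 0, 'assume_mime_type' => 'application/rss+xml');
    if ($GLOBALS['cfg']['enable_feature_dots_indexing']) {
        $more['dots_index_on'] = post_str('dots_index_on');
    }
    $import_rsp = import_import_uri($GLOBALS['cfg']['user'], $feed_url, $more);
    $GLOBALS['smarty']->assign_by_ref("import_rsp", $import_rsp);
}
#
$GLOBALS['smarty']->display("page_upload_by_flickr.txt");
exit;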
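function _api_output_rest_send_jsonp(&$rsp)
{
    # Emit $rsp as a JSONP response: "<callback>(<json>)".
    #
    # The callback name comes from the request and is interpolated into
    # a JavaScript context, so HTML escaping is the wrong defence:
    # htmlspecialchars() leaves "(", ")", ";" and "/" untouched, so a
    # value such as "alert(1);//" would be executed by any page loading
    # this endpoint in a <script> tag. The callback therefore has to look
    # like a plain JavaScript member expression (identifier characters
    # joined by dots); anything else falls back to the default name.
    $callback = request_str('callback');
    $callback = filter_strict($callback);
    if (!$callback || !preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $callback)) {
        $callback = "makeItSo";
    }
    _api_output_rest_send_json_headers();
    echo $callback . "(" . json_encode($rsp) . ")";
}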
function filter_strict_quot($str)
{
    # filter_strict() with HTML-entity double quotes ("&quot;") turned
    # back into literal " characters afterwards.
    $filtered = filter_strict($str);
    return str_replace("&quot;", "\"", $filtered);
}
function import_scrub($input, $sanitize_as = 'str')
{
    # Normalise one imported value: decode HTML entities, run it through
    # sanitize() as the requested type ('str' by default), apply the
    # strict filter and strip surrounding whitespace.
    $decoded = html_entity_decode($input, ENT_QUOTES, 'UTF-8');
    $cleaned = filter_strict(sanitize($decoded, $sanitize_as));
    return trim($cleaned);
}
<?php

include "include/init.php";
loadlib("flickr_users_path_aliases");
# Feature gate; error_disabled() presumably ends the request.
if (empty($GLOBALS['cfg']['enable_feature_path_alias_redirects'])) {
    error_disabled();
}
# Must be logged in; come back to this page afterwards.
login_ensure_loggedin("/account/url/");
# Form token for the alias form; whether it validated is checked below.
$crumb_key = 'pathalias';
$crumb_ok = crumb_check($crumb_key);
$smarty->assign("crumb_key", $crumb_key);
if ($crumb_ok) {
    $ok = 1;
    $new_alias = post_str("path_alias");
    $new_alias = filter_strict($new_alias);
    $new_alias = trim($new_alias);
    if (!$new_alias) {
        $GLOBALS['smarty']->assign("error", "invalid alias");
        $ok = 0;
    }
    if ($ok && !flickr_users_path_aliases_is_available($new_alias)) {
        $GLOBALS['smarty']->assign("error", "alias taken");
        $ok = 0;
    }
    if ($ok) {
        if (post_str("confirm")) {
            $rsp = flickr_users_path_aliases_create($GLOBALS['cfg']['user'], $new_alias);
            if (!$rsp['ok']) {
                $GLOBALS['smarty']->assign("error", "db error");
                $ok = 0;
            }
    }
}
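#
# Okay, you buy?
#
# Re-render the form with the error details when the URL supplied
# earlier in this script did not pass validation ($ok and
# $error_details are set by the checks that precede this block).
if (!$ok) {
    $GLOBALS['error']['invalid_url'] = 1;
    $GLOBALS['error']['details'] = $error_details;
    $GLOBALS['smarty']->display('page_upload_by_url_form.txt');
    exit;
}
#
# Confirmation and/or remote fetching
#
$smarty->assign_by_ref('parsed_url', $parsed);
$smarty->assign('url', $url);
# Only fetch and import once the user has confirmed and the form token
# checks out.
if (post_isset('confirm') && crumb_check($crumb_key)) {
    $label = filter_strict(post_str('label'));
    $private = post_str('private') ? 1 : 0;
    $dots_index_on = filter_strict(post_str('dots_index_on'));
    $more = array('label' => $label, 'mark_all_private' => $private, 'return_dots' => 0, 'dots_index_on' => $dots_index_on);
    # The user-supplied MIME-type override goes through filter_strict()
    # like every other posted field here (and like the same field on the
    # file-upload page) before it reaches the importer.
    if ($mime_type = filter_strict(post_str('mime_type'))) {
        $more['assume_mime_type'] = $mime_type;
    }
    $rsp = import_import_uri($GLOBALS['cfg']['user'], $url, $more);
    $smarty->assign_by_ref('import', $rsp);
}
$import_formats = formats_valid_import_map('key by extension');
$GLOBALS['smarty']->assign_by_ref("import_formats", $import_formats);
$smarty->display("page_upload_by_url.txt");
exit;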
function api_dispatch($method)
{
    # Route an API call named $method (e.g. "foo.bar.baz") to the PHP
    # function "<library>_<last segment>" configured for it in
    # $GLOBALS['cfg']['api']['methods'], after walking the validation /
    # authentication / authorisation chain in order. Never returns
    # normally: api_output_error() is relied on to end the request on
    # every failure, and the handler is followed by exit.
    if (!$GLOBALS['cfg']['enable_feature_api']) {
        api_output_error(999, 'API disabled');
    }
    $method = filter_strict($method);
    $api_key = request_str("api_key");
    $access_token = request_str("access_token");
    # Log the basics
    # NOTE(review): the raw api_key and bearer access_token are handed to
    # api_log() verbatim; confirm api_log() hashes or redacts them before
    # they reach persistent log storage.
    api_log(array('api_key' => $api_key, 'method' => $method, 'access_token' => $access_token, 'remote_addr' => $_SERVER['REMOTE_ADDR']));
    $methods = $GLOBALS['cfg']['api']['methods'];
    # Only methods present in the config allowlist can be dispatched;
    # the caller-controlled name is escaped before being echoed.
    if (!$method || !isset($methods[$method])) {
        $enc_method = htmlspecialchars($method);
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    # Exported for the web server (e.g. for access-log formats) only once
    # the name is known to be in the allowlist.
    apache_setenv("API_METHOD", $method);
    $method_row = $methods[$method];
    $key_row = null;
    $token_row = null;
    # A disabled method is reported with the same message as an unknown one.
    if (!$method_row['enabled']) {
        $enc_method = htmlspecialchars($method);
        api_output_error(404, "Method '{$enc_method}' not found");
    }
    $method_row['name'] = $method;
    # Under OAuth2, credentials in the query string are refused unless
    # explicitly allowed by config: everything must be POSTed.
    if ($GLOBALS['cfg']['api_auth_type'] == 'oauth2') {
        if ($_SERVER['REQUEST_METHOD'] != 'POST' && !$GLOBALS['cfg']['api_oauth2_allow_get_parameters']) {
            api_output_error(405, 'Method not allowed');
        }
    }
    # Per-method HTTP verb restriction, when the config sets one.
    if (isset($method_row['request_method'])) {
        if ($_SERVER['REQUEST_METHOD'] != $method_row['request_method']) {
            api_output_error(405, 'Method not allowed');
        }
    }
    # Okay – now we get in to validation and authorization. Which means a
    # whole world of pedantic stupid if we're using Oauth2. Note that you
    # could use OAuth2 and require API keys be passed explictly but since
    # that's not part of the spec if you enable the two features simultaneously
    # don't be surprised when hilarity ensues. Good times. (20121026/straup)
    # First API keys
    if (features_is_enabled("api_require_keys")) {
        if (!$api_key) {
            api_output_error(999, "Required API key is missing");
        }
        $key_row = api_keys_get_by_key($api_key);
        api_keys_utils_ensure_valid_key($key_row);
    }
    # Second auth-y bits
    # api_auth_ensure_auth() may itself resolve the key and/or token
    # (e.g. from a bearer token); whatever it returns takes precedence.
    $auth_rsp = api_auth_ensure_auth($method_row, $key_row);
    if (isset($auth_rsp['api_key'])) {
        $key_row = $auth_rsp['api_key'];
    }
    if (isset($auth_rsp['access_token'])) {
        $token_row = $auth_rsp['access_token'];
    }
    # The authenticated user becomes the request's current user.
    if ($auth_rsp['user']) {
        $GLOBALS['cfg']['user'] = $auth_rsp['user'];
    }
    # NOTE: $key_row can still be null here (keys not required and auth
    # did not supply one); this then reads an offset of null, which newer
    # PHP reports as a warning, and exports an empty value.
    apache_setenv("API_KEY", $key_row['api_key']);
    # Check for require-iness of users here ?
    # Roles - for API keys (things like only the site keys)
    api_config_ensure_role($method_row, $key_row, $token_row);
    # Blessings and other method specific access controls
    api_config_ensure_blessing($method_row, $key_row, $token_row);
    # Finally, crumbs - because they are tastey
    if ($method_row['requires_crumb']) {
        api_auth_ensure_crumb($method_row);
    }
    # GO!
    loadlib($method_row['library']);
    # "foo.bar.baz" -> "baz"; the handler is "<library>_baz".
    $parts = explode(".", $method);
    $method = array_pop($parts);
    $func = "{$method_row['library']}_{$method}";
    # A config entry with no matching handler is a 404, not a fatal error.
    if (!function_exists($func)) {
        api_output_error(404, "Method not found");
    }
    call_user_func($func);
    exit;
}
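function dots_create_dot(&$user, &$sheet, &$data, $more = array())
{
    # Create a single dot (a geo-tagged record) belonging to $user on
    # $sheet from the associative array $data: writes the Dots row and
    # then its lookup, search and "extras" (indexed-field) records.
    #
    # $user  - user row; 'id' and 'cluster_id' are used.
    # $sheet - sheet row; 'id' is used.
    # $data  - field => value map for the dot. Passed by reference and
    #          updated in place by dots_derive_location_data() and by the
    #          'created' normalisation below.
    # $more  - options:
    #   'skip_validation'        skip dots_ensure_valid_data()
    #   'mark_all_private'       force private perms
    #   'dots_index_on'          comma-separated fields to index (ignored
    #                            when cfg dots_indexing_index_all is on)
    #   'buffer_lookup_inserts', 'buffer_search_inserts',
    #   'buffer_extras_inserts'  return the rows under 'lookup' /
    #                            'search' / 'extras' instead of writing
    #                            them here
    #
    # Returns the response array from db_insert_users() with 'dot' and
    # 'derived' added (plus any buffered rows requested above), or an
    # array('ok' => 0, ...) on validation or ticket-server failure.
    #
    # if we've gotten here via lib_uploads then
    # we will have already done validation.
    if (!$more['skip_validation']) {
        # Validate the record we were actually handed. This previously
        # passed an undefined $row, so the validator never saw $data.
        $rsp = dots_ensure_valid_data($data);
        if (!$rsp['ok']) {
            return $rsp;
        }
    }
    #
    $id = dbtickets_create(64);
    if (!$id) {
        return array('ok' => 0, 'error' => 'Ticket server failed');
    }
    #
    # Assign basic geo bits - keep track of stuff that has
    # been derived so that we can flag them accordingly in
    # the DotsExtras table.
    #
    list($data, $derived) = dots_derive_location_data($data);
    # Note that we return $derived with the response below
    # (assuming everything else works) and check for any errors
    # out of band, read: the _import_dots function (20110311/straup)
    #
    # creation date for the point (different from import date)
    # should this be stored/flagged as an extra?
    #
    $now = time();
    if ($created = $data['created']) {
        #
        # Because intval("2010-09-23T00:18:55Z") returns '2010' ...
        # Because is_numeric(20101029154025.000) returns true ...
        # Because strtotime(time()) returns false ...
        # BECAUSE GOD HATES YOU ...
        #
        # An all-digit value is taken as a unix timestamp; anything else
        # goes through strtotime().
        $created = preg_match("/^\\d+\$/", $created) ? $created : strtotime($created);
        # if ! $created then reassign $now ?
        # Now convert everything back in to a datetime string
        # (an unparseable date leaves $data['created'] as it was).
        if ($created) {
            $data['created'] = gmdate('Y-m-d H:i:s', $created);
        }
    } else {
        $data['created'] = gmdate('Y-m-d H:i:s', $now);
    }
    #
    # permissions
    #
    $perms_map = dots_permissions_map('string keys');
    $perms = $perms_map['public'];
    if ($data['perms'] == 'private' || $more['mark_all_private']) {
        $perms = $perms_map['private'];
    }
    #
    # Go! Or rather... start!
    #
    $dot = array('id' => $id, 'user_id' => $user['id'], 'sheet_id' => $sheet['id'], 'perms' => $perms);
    # Always store created date in the user Sheets table; it's
    # not clear how this relates/works with the dots extras
    # stuff yet (20101210/straup)
    $to_denormalize = array('created');
    foreach ($to_denormalize as $key) {
        if (isset($data[$key]) && !empty($data[$key])) {
            $dot[$key] = $data[$key];
        }
    }
    # Please to write me: A discussion on the relationship between
    # details, extras, 'indexed' and search. (20101213/straup)
    #
    # Dots extras (as in: extra things you can search for)
    #
    $details = array();
    $extras = array();
    if ($GLOBALS['cfg']['enable_feature_dots_indexing']) {
        $index_on = array();
        if ($GLOBALS['cfg']['dots_indexing_index_all']) {
            $tmp = array();
            $skip = array('latitude', 'longitude', 'created', 'title_internal');
            foreach (array_keys($data) as $f) {
                if (!in_array($f, $skip)) {
                    $tmp[] = $f;
                }
            }
        } else {
            # explode()'s limit caps the number of user-chosen columns;
            # any overflow stays glued to the last element, which (unless
            # a field is literally named that) fails the isset() below.
            $tmp = explode(",", $more['dots_index_on'], $GLOBALS['cfg']['dots_indexing_max_cols']);
        }
        #
        foreach ($tmp as $field) {
            $field = trim($field);
            if (!isset($data[$field])) {
                continue;
            }
            $extras[] = array('dot_id' => $id, 'sheet_id' => $sheet['id'], 'user_id' => $user['id'], 'name' => $field, 'value' => $data[$field]);
            # Stored raw: every value in $dot is AddSlashes()'d once in
            # the insert loop below, so escaping here too produced a
            # doubly-escaped index_on column.
            $index_on[] = $field;
        }
        $dot['index_on'] = implode(",", $index_on);
    }
    #
    # Store any remaining fields in a big old JSON blob
    #
    foreach (array_keys($data) as $label) {
        $label = filter_strict(trim($label));
        if (!$label) {
            continue;
        }
        $value = $data[$label];
        $value = filter_strict(trim($value));
        if (!$value) {
            continue;
        }
        # "ns:pred" labels are split into a namespace and a predicate
        # (a leading colon does not count as a separator).
        $ns = null;
        $pred = $label;
        if (strpos($label, ':')) {
            list($ns, $pred) = explode(':', $label, 2);
        }
        # NOTE(review): the stored value is the original $data[$label],
        # not the filtered $value, which only gates emptiness above;
        # presumably deliberate so the blob keeps the raw text — confirm.
        $detail = array('namespace' => $ns, 'label' => $pred, 'value' => $data[$label]);
        # Flag fields that dots_derive_location_data() computed rather
        # than the user supplied. This used to be written to an unused
        # $extra variable, so the flag never reached the JSON blob.
        if (isset($derived[$label])) {
            $detail['derived_from'] = $derived[$label];
        }
        if (!isset($details[$label])) {
            $details[$label] = array();
        }
        $details[$label][] = $detail;
    }
    $dot['details_json'] = json_encode($details);
    #
    # Look, we are FINALLY NOW creating the dot
    #
    # NOTE(review): values are escaped with AddSlashes() on the assumption
    # that db_insert_users() expects pre-escaped strings and does no
    # quoting of its own — confirm against the db layer; addslashes() is
    # not a charset-aware escape.
    $insert = array();
    foreach ($dot as $key => $value) {
        $insert[$key] = AddSlashes($value);
    }
    $rsp = db_insert_users($user['cluster_id'], 'Dots', $insert);
    if (!$rsp['ok']) {
        return $rsp;
    }
    $dot['details'] = $details;
    #
    # Update the DotsLookup table
    #
    $lookup = array('dot_id' => $id, 'sheet_id' => $sheet['id'], 'user_id' => $user['id'], 'imported' => $now, 'last_modified' => $now);
    if ($more['buffer_lookup_inserts']) {
        $rsp['lookup'] = $lookup;
    } else {
        $lookup_rsp = dots_lookup_create($lookup);
        if (!$lookup_rsp['ok']) {
            # What then... (failure is currently ignored; the Dots row
            # has already been written at this point)
        }
    }
    #
    # Now the searching (first the basics then any 'extras' specific to this dot)
    #
    $search = array('dot_id' => $id, 'sheet_id' => $sheet['id'], 'user_id' => $user['id'], 'imported' => $now, 'created' => $data['created'], 'perms' => $perms, 'geohash' => $data['geohash'], 'latitude' => $data['latitude'], 'longitude' => $data['longitude']);
    if ($more['buffer_search_inserts']) {
        $rsp['search'] =& $search;
    } else {
        $search_rsp = dots_search_add_dot($search);
        if (!$search_rsp['ok']) {
            # What then... (failure is currently ignored)
        }
    }
    # extras
    if ($more['buffer_extras_inserts']) {
        $rsp['extras'] = $extras;
    } else {
        $extras_rsp = dots_search_extras_add_lots_of_extras($extras);
        if (!$extras_rsp['ok']) {
            # What then... (failure is currently ignored)
        }
    }
    #
    # Happy happy
    #
    $rsp['dot'] =& $dot;
    $rsp['derived'] =& $derived;
    return $rsp;
}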
	#
	# carry this argument through
	#
	# NOTE(review): 'redir' is user-supplied and handed straight to the
	# template; wherever it is finally used as a redirect target, confirm
	# it is restricted to a local path (open-redirect risk otherwise).

	$smarty->assign('redir', request_str('redir'));


	#
	# are we signing up?
	#

	if (post_str('signup')){

		$ok = 1;

		$username = filter_strict(post_str('username'));

		$email = post_str('email');
		$password = post_str('password');
		$redir = post_str('redir');

		$smarty->assign('email', $email);
		$smarty->assign('password', $password);
		$smarty->assign('username', $username);
		$smarty->assign('redir', $redir);


		#
		# all fields are in order?
		#