function api_dispatch($method) { if (!$GLOBALS['cfg']['enable_feature_api']) { api_output_error(999, 'API disabled'); } $method = filter_strict($method); $enc_method = htmlspecialchars($method); $methods = $GLOBALS['cfg']['api']['methods']; if (!$method || !isset($methods[$method])) { api_output_error(404, "Method '{$enc_method}' not found"); } $method_row = $methods[$method]; if (!$method_row['enabled']) { api_output_error(404, "Method '{$enc_method}' not found"); } $method_row['name'] = $method; # TO DO: check API keys here # TO DO: actually check auth here (whatever that means...) if ($method_row['requires_auth']) { api_auth_ensure_auth($method_row); } if ($method_row['requires_crumb']) { api_auth_ensure_crumb($method_row); } loadlib($method_row['library']); $parts = explode(".", $method); $method = array_pop($parts); $func = "{$method_row['library']}_{$method}"; call_user_func($func); exit; }
function api_dispatch($method) { if (!$GLOBALS['cfg']['enable_feature_api']) { api_output_error(999, 'API disabled'); } $method = filter_strict($method); $api_key = request_str("api_key"); $access_token = request_str("access_token"); # Log the basics api_log(array('api_key' => $api_key, 'method' => $method, 'access_token' => $access_token, 'remote_addr' => $_SERVER['REMOTE_ADDR'])); $methods = $GLOBALS['cfg']['api']['methods']; if (!$method || !isset($methods[$method])) { $enc_method = htmlspecialchars($method); api_output_error(404, "Method '{$enc_method}' not found"); } apache_setenv("API_METHOD", $method); $method_row = $methods[$method]; $key_row = null; $token_row = null; if (!$method_row['enabled']) { $enc_method = htmlspecialchars($method); api_output_error(404, "Method '{$enc_method}' not found"); } $method_row['name'] = $method; if ($GLOBALS['cfg']['api_auth_type'] == 'oauth2') { if ($_SERVER['REQUEST_METHOD'] != 'POST' && !$GLOBALS['cfg']['api_oauth2_allow_get_parameters']) { api_output_error(405, 'Method not allowed'); } } if (isset($method_row['request_method'])) { if ($_SERVER['REQUEST_METHOD'] != $method_row['request_method']) { api_output_error(405, 'Method not allowed'); } } # Okay – now we get in to validation and authorization. Which means a # whole world of pedantic stupid if we're using Oauth2. Note that you # could use OAuth2 and require API keys be passed explictly but since # that's not part of the spec if you enable the two features simultaneously # don't be surprised when hilarity ensues. Good times. (20121026/straup) # First API keys if (features_is_enabled("api_require_keys")) { if (!$api_key) { api_output_error(999, "Required API key is missing"); } $key_row = api_keys_get_by_key($api_key); api_keys_utils_ensure_valid_key($key_row); } # Second auth-y bits $auth_rsp = api_auth_ensure_auth($method_row, $key_row); if (isset($auth_rsp['api_key'])) { $key_row = $auth_rsp['api_key']; } if (isset($auth_rsp['access_token'])) { $token_row = $auth_rsp['access_token']; } if ($auth_rsp['user']) { $GLOBALS['cfg']['user'] = $auth_rsp['user']; } apache_setenv("API_KEY", $key_row['api_key']); # Check for require-iness of users here ? # Roles - for API keys (things like only the site keys) api_config_ensure_role($method_row, $key_row, $token_row); # Blessings and other method specific access controls api_config_ensure_blessing($method_row, $key_row, $token_row); # Finally, crumbs - because they are tastey if ($method_row['requires_crumb']) { api_auth_ensure_crumb($method_row); } # GO! loadlib($method_row['library']); $parts = explode(".", $method); $method = array_pop($parts); $func = "{$method_row['library']}_{$method}"; if (!function_exists($func)) { api_output_error(404, "Method not found"); } call_user_func($func); exit; }