public function __construct($action, $settings, $extra) { if (!Z_CONFIG::$API_ENABLED) { $this->e503(Z_CONFIG::$MAINTENANCE_MESSAGE); } set_exception_handler(array($this, 'handleException')); set_error_handler(array($this, 'handleError'), E_USER_ERROR); require_once '../model/Error.inc.php'; $this->startTime = microtime(true); $this->method = $_SERVER['REQUEST_METHOD']; /*if (isset($_SERVER['REMOTE_ADDR']) && in_array($_SERVER['REMOTE_ADDR'], array(''))) { header("HTTP/1.1 429 Rate Limited"); die("Too many requests"); }*/ if (!in_array($this->method, array('HEAD', 'GET', 'PUT', 'POST', 'DELETE', 'PATCH'))) { header("HTTP/1.1 501 Not Implemented"); die("Method is not implemented"); } // There doesn't seem to be a way for PHP to start processing the request // before the entire body is sent, so an Expect: 100 Continue will, // depending on the client, either fail or cause a delay while the client // waits for the 100 response. To make this explicit, we return an error. if (!empty($_SERVER['HTTP_EXPECT'])) { header("HTTP/1.1 417 Expectation Failed"); die("Expect header is not supported"); } if (in_array($this->method, array('POST', 'PUT', 'PATCH'))) { $this->ifUnmodifiedSince = isset($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) : false; $this->body = file_get_contents("php://input"); } if ($this->profile) { Zotero_DB::profileStart($this->profileShard); } // If HTTP Basic Auth credentials provided, authenticate if (isset($_SERVER['PHP_AUTH_USER'])) { $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; if ($username == Z_CONFIG::$API_SUPER_USERNAME && $password == Z_CONFIG::$API_SUPER_PASSWORD) { $this->userID = 0; $this->permissions = new Zotero_Permissions(); $this->permissions->setSuper(); } else { if (!empty($extra['allowHTTP'])) { $userID = Zotero_Users::authenticate('password', array('username' => $username, 'password' => $password)); if (!$userID) { $this->e401('Invalid login'); } $this->httpAuth = true; $this->userID = $userID; $this->grantUserPermissions($userID); } else { $this->e401('Invalid login'); } } } else { if (isset($_GET['key'])) { $keyObj = Zotero_Keys::authenticate($_GET['key']); if (!$keyObj) { $this->e403('Invalid key'); } $this->apiKey = $_GET['key']; $this->userID = $keyObj->userID; $this->permissions = $keyObj->getPermissions(); // Check X-Zotero-Write-Token if it exists to make sure if ($this->method == 'POST' || $this->method == 'PUT') { if ($cacheKey = $this->getWriteTokenCacheKey()) { if (Z_Core::$MC->get($cacheKey)) { $this->e412("Write token already used"); } } } } else { if (!empty($_COOKIE) && !empty($_GET['session']) && ($this->userID = Zotero_Users::getUserIDFromSession($_COOKIE, $_GET['session']))) { $this->grantUserPermissions($this->userID); $this->cookieAuth = true; } else { if (!empty($_GET['auth'])) { $this->e401(); } // Always challenge a 'me' request if (!empty($extra['userID']) && $extra['userID'] == 'me') { $this->e403('You must specify a key when making a /me request.'); } // Explicit auth request or not a GET request if ($this->method != "GET") { $this->e403('You must specify a key to access the Zotero API.'); } // Anonymous request $this->permissions = new Zotero_Permissions(); $this->permissions->setAnonymous(); } } } // Get the API version if (empty($_REQUEST['version'])) { $this->apiVersion = $this->defaultAPIVersion; } else { if (!in_array($_REQUEST['version'], $this->validAPIVersions)) { $this->e400("Invalid request API version '{$_REQUEST['version']}'"); } $this->apiVersion = (int) $_REQUEST['version']; } $this->uri = Z_CONFIG::$API_BASE_URI . substr($_SERVER["REQUEST_URI"], 1); // Get object user if (!empty($extra['userID'])) { // Possibly temporary shortcut for viewing one's own data via HTTP Auth if ($extra['userID'] == 'me') { $objectUserID = $this->userID; } else { $objectUserID = (int) $extra['userID']; if (!$objectUserID) { $this->e400("Invalid user ID", Z_ERROR_INVALID_INPUT); } } $this->objectUserID = $objectUserID; try { $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($objectUserID); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) { try { Zotero_Users::addFromWWW($objectUserID); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) { $this->e404(); } throw $e; } $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($objectUserID); } else { throw $e; } } // Make sure user isn't banned if (!Zotero_Users::isValidUser($objectUserID)) { $this->e404(); } } else { if (!empty($extra['groupID'])) { $objectGroupID = (int) $extra['groupID']; if (!$objectGroupID) { $this->e400("Invalid group ID", Z_ERROR_INVALID_INPUT); } // Make sure group exists $group = Zotero_Groups::get($objectGroupID); if (!$group) { $this->e404(); } // Don't show groups owned by banned users if (!Zotero_Users::isValidUser($group->ownerUserID)) { $this->e404(); } $this->objectGroupID = $objectGroupID; $this->objectLibraryID = Zotero_Groups::getLibraryIDFromGroupID($objectGroupID); } } // Return 409 if target library is locked switch ($this->method) { case 'POST': case 'PUT': case 'DELETE': switch ($action) { // Library lock doesn't matter for some admin requests case 'storageadmin': break; default: if ($this->objectLibraryID && Zotero_Libraries::isLocked($this->objectLibraryID)) { $this->e409("Target library is locked"); } break; } } $this->scopeObject = !empty($extra['scopeObject']) ? $extra['scopeObject'] : null; $this->scopeObjectID = !empty($extra['scopeObjectID']) ? (int) $extra['scopeObjectID'] : null; if (!empty($extra['scopeObjectKey'])) { // Handle incoming requests using ids instead of keys // - Keys might be all numeric, so only do this if length != 8 if (preg_match('/^[0-9]+$/', $extra['scopeObjectKey']) && strlen($extra['scopeObjectKey']) != 8) { $this->scopeObjectID = (int) $extra['scopeObjectKey']; } else { if (preg_match('/[A-Z0-9]{8}/', $extra['scopeObjectKey'])) { $this->scopeObjectKey = $extra['scopeObjectKey']; } } } $this->scopeObjectName = !empty($extra['scopeObjectName']) ? urldecode($extra['scopeObjectName']) : null; // Can be either id or key if (!empty($extra['key'])) { if (!empty($_GET['key']) && strlen($_GET['key']) == 8) { $this->objectKey = $extra['key']; } else { if (!empty($_GET['iskey'])) { $this->objectKey = $extra['key']; } else { if (preg_match('/^[0-9]+$/', $extra['key'])) { $this->objectID = (int) $extra['key']; } else { if (preg_match('/^[A-Z0-9]{8}$/', $extra['key'])) { $this->objectKey = $extra['key']; } else { if ($extra['key'] != 'top') { Z_Core::logError("============="); Z_Core::logError("Invalid key"); Z_Core::logError($extra['key']); } } } } } } if (!empty($extra['id'])) { $this->objectID = (int) $extra['id']; } $this->objectName = !empty($extra['name']) ? urldecode($extra['name']) : null; $this->subset = !empty($extra['subset']) ? $extra['subset'] : null; $this->fileMode = !empty($extra['file']) ? !empty($_GET['info']) ? 'info' : 'download' : false; $this->fileView = !empty($extra['view']); $singleObject = ($this->objectID || $this->objectKey) && !$this->subset; $this->queryParams = Zotero_API::parseQueryParams($_SERVER['QUERY_STRING'], $action, $singleObject); }