1
|
|
|
<?php |
2
|
|
|
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1; |
3
|
|
|
|
4
|
|
|
/** |
5
|
|
|
* Helper class for our API |
6
|
|
|
**/ |
7
|
|
|
class Api extends Base { |
8
|
|
|
private $api_version = '1.0.0'; |
9
|
|
|
|
10
|
|
|
function setStartTime($dStartTime) { |
11
|
|
|
$this->dStartTime = $dStartTime; |
12
|
|
|
} |
13
|
|
|
function isActive($error=true) { |
14
|
|
|
if (!$this->setting->getValue('disable_api')) { |
15
|
|
|
return true; |
16
|
|
|
} else { |
17
|
|
|
if ($error == true) { |
|
|
|
|
18
|
|
|
unset($_SESSION['POPUP']); |
19
|
|
|
header('HTTP/1.1 501 Not implemented'); |
20
|
|
|
die('501 Not implemented'); |
21
|
|
|
} |
22
|
|
|
} |
23
|
|
|
} |
24
|
|
|
|
25
|
|
|
/** |
26
|
|
|
* Create API json object from input array |
27
|
|
|
* @param data Array data to create JSON for |
28
|
|
|
* @param force bool Enforce a JSON object |
29
|
|
|
* @return string JSON object |
30
|
|
|
**/ |
31
|
|
|
function get_json($data, $force=false) { |
32
|
|
|
$json = json_encode( |
33
|
|
|
array( $_REQUEST['action'] => array( |
34
|
|
|
'version' => $this->api_version, |
35
|
|
|
'runtime' => (microtime(true) - $this->dStartTime) * 1000, |
36
|
|
|
'data' => $data |
37
|
|
|
)), $force ? JSON_FORCE_OBJECT : 0 |
38
|
|
|
); |
39
|
|
|
// JSONP support issue #1700 |
40
|
|
|
if (isset($_REQUEST['callback']) && ctype_alpha($_REQUEST['callback'])) { |
41
|
|
|
header('Content-type: application/json; charset=utf-8'); |
42
|
|
|
return $_REQUEST['callback'] . '(' . $json . ');'; |
43
|
|
|
} |
44
|
|
|
return $json; |
45
|
|
|
} |
46
|
|
|
|
47
|
|
|
/** |
48
|
|
|
* Check user access level to the API call |
49
|
|
|
**/ |
50
|
|
|
function checkAccess($user_id, $get_id=NULL) { |
51
|
|
|
if (!empty($get_id) && is_array($get_id)) die("Access denied"); |
52
|
|
|
if (is_array($user_id)) die("Access denied"); |
53
|
|
|
if ( ! $this->user->isAdmin($user_id) && (!empty($get_id) && $get_id != $user_id || !is_int($user_id))) { |
54
|
|
|
// User is NOT admin and tries to access an ID that is not their own |
55
|
|
|
header("HTTP/1.1 401 Unauthorized"); |
56
|
|
|
die("Access denied"); |
57
|
|
|
} else if ($this->user->isAdmin($user_id) && !empty($get_id)) { |
58
|
|
|
// User is an admin and tries to fetch another users data |
59
|
|
|
$id = $get_id; |
60
|
|
|
// Is it a username or a user ID |
61
|
|
|
ctype_digit($_REQUEST['id']) ? $id = $get_id : $id = $this->user->getUserId($get_id); |
62
|
|
|
} else { |
63
|
|
|
$id = $user_id; |
64
|
|
|
} |
65
|
|
|
return $id; |
66
|
|
|
} |
67
|
|
|
} |
68
|
|
|
|
69
|
|
|
$api = new Api(); |
70
|
|
|
$api->setConfig($config); |
71
|
|
|
$api->setUser($user); |
72
|
|
|
$api->setSetting($setting); |
73
|
|
|
$api->setStartTime($dStartTime=microtime(true)); |
74
|
|
|
|
When comparing two booleans, it is generally considered safer to use the strict comparison operator.