[pLog-svn] r4441 - plog/trunk/class/net/xmlrpc
oscar at devel.lifetype.net
oscar at devel.lifetype.net
Thu Dec 28 18:43:59 GMT 2006
Author: oscar
Date: 2006-12-28 18:43:58 +0000 (Thu, 28 Dec 2006)
New Revision: 4441
Modified:
plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php
Log:
Added support for permissions in all the Blogger API calls
Modified: plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php
===================================================================
--- plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php 2006-12-28 12:48:54 UTC (rev 4440)
+++ plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php 2006-12-28 18:43:58 UTC (rev 4441)
@@ -12,7 +12,12 @@
lt_include( PLOG_CLASS_PATH."class/template/cachecontrol.class.php" );
lt_include( PLOG_CLASS_PATH."class/gallery/dao/galleryalbums.class.php" );
lt_include( PLOG_CLASS_PATH."class/gallery/dao/galleryresources.class.php" );
- lt_include( PLOG_CLASS_PATH."class/plugin/pluginmanager.class.php" );
+ lt_include( PLOG_CLASS_PATH."class/plugin/pluginmanager.class.php" );
+
+ if( !defined( "ADMIN_PERMISSION" ))
+ define( "ADMIN_PERMISSION", 1 );
+ if( !defined( "BLOG_PERMISSION" ))
+ define( "BLOG_PERMISSION", 2 );
class XmlRpcServer extends IXR_Server
{
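Review bot: The `if( !defined( ... ))` guards around the new ADMIN_PERMISSION and BLOG_PERMISSION definitions mean that whichever file defines these names first wins, so a different value defined elsewhere would silently change which branch the `$mode` comparison in userHasPermission takes. If this file owns the constants, define them unconditionally; if they belong to a shared constants file, include that file here and drop the fallback. At minimum a comment such as `// permission scopes consumed by userHasPermission(); must agree with any definition loaded earlier` makes the coupling visible.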
@@ -23,14 +28,13 @@
{
$this->IXR_Server(
array (
- "blogger.newPost" => "this:newPost",
- "blogger.getUserInfo" => "this:getUserInfo",
- "blogger.getPost" => "this:getPost",
- "blogger.editPost" => "this:editPost",
- "blogger.deletePost" => "this:deletePost",
- "blogger.getRecentPosts" => "this:getRecentPosts",
- "blogger.getUserInfo" => "this:getUserInfo",
- "blogger.getUsersBlogs" => "this:getUsersBlogs",
+ "blogger.newPost" => "this:newPost", // ok
+ "blogger.getPost" => "this:getPost", // ok
+ "blogger.editPost" => "this:editPost", // ok
+ "blogger.deletePost" => "this:deletePost", // ok
+ "blogger.getRecentPosts" => "this:getRecentPosts", // ok
+ "blogger.getUserInfo" => "this:getUserInfo", // ok
+ "blogger.getUsersBlogs" => "this:getUsersBlogs", // ok
"metaWeblog.newPost" => "this:metaWeblogNewPost",
"metaWeblog.editPost" => "this:metaWeblogEditPost",
"metaWeblog.getPost" => "this:metaWeblogGetPost",
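Review bot: The trailing `// ok` markers on the seven blogger.* entries read as a personal checklist rather than documentation and will go stale once the metaWeblog handlers get the same treatment. Replace them with a single comment above the table, e.g. `// blogger.* handlers authenticate and check per-blog permissions via userHasPermission()`, and leave the entries bare. Dropping the duplicate `blogger.getUserInfo` key is harmless; PHP kept the last occurrence, which mapped to the same handler.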
@@ -68,15 +72,24 @@
// -mhe todo security
- $auth = $users->authenticateUser( $username, $password );
+ $userInfo = $users->getUserInfo( $username, $password );
- if ($auth)
- {
- if ($publish)
- {
+ if ($userInfo) {
+
+ $blogInfo = $blogsG->getBlogInfo( $blogid );
+ if( !$blogInfo ) {
+ return new IXR_Error(-1, 'Error loading blog' );
+ }
+
+ // check this user's permissions before proceeding
+ if( !$this->userHasPermission( $userInfo, $blogInfo, "add_post" )) {
+ return new IXR_Error(-1, 'This user does not have enough permissions' );
+ }
+
+ if ($publish) {
$status = POST_STATUS_PUBLISHED;
- } else
- {
+ }
+ else {
$status = POST_STATUS_DRAFT;
}
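Review bot: The `// -mhe todo security` marker kept directly above the new `getUserInfo` call now sits over the authentication and `add_post` permission checks it was asking for; remove it or reword it to say what is still outstanding. The blog-lookup error text 'Error loading blog' also differs from 'Incorrect blog id', which getRecentPosts returns for the same failure later in this commit; using one message in both places keeps client-side handling simpler. The enclosing method (apparently the blogger newPost handler) begins before this hunk and continues after it.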
@@ -88,8 +101,7 @@
return new IXR_Error(-1, 'This blog does not have categories!');
}
- foreach($cats as $cat)
- {
+ foreach($cats as $cat) {
$idCategory = $cat->getId();
// Stop here, we have a category
break;
@@ -113,8 +125,6 @@
}
}
- $userInfo = $users->getUserInfoFromUsername( $username );
-
$article = new Article(
$title,
$content, // text
@@ -128,8 +138,6 @@
$article->setDate(date("YmdHis"));
- $blogInfo = $blogsG->getBlogInfo( $blogid );
-
// Get the plugin manager
$plugMgr =& PluginManager::getPluginManager();
$plugMgr->setBlogInfo( $blogInfo);
@@ -455,6 +463,8 @@
function getPost($args)
{
+ include_once( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
+
$users = new Users();
$articles = new Articles();
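Review bot: The new `include_once( PLOG_CLASS_PATH."class/data/timestamp.class.php" );` at the top of getPost uses the raw PHP include while the rest of the file loads classes through `lt_include(...)`, as the header includes and the loop in getRecentPosts do. Use `lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );` here for consistency, or move the include up to the file-level include block so it is loaded once for every handler that formats dates. getPost's body continues past this hunk.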
@@ -470,11 +480,8 @@
"postid" =>
*/
- $auth = $users->authenticateUser($username,$password);
- if ($auth)
- {
- $userInfo = $users->getUserInfoFromUsername( $username );
-
+ $userInfo = $users->getUserInfo($username,$password);
+ if( $userInfo ) {
$item = $articles->getBlogArticle($postid,
-1, // blogId
true, // includeHiddenFields
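Review bot: `$item = $articles->getBlogArticle(...)` is followed by `$item->getDateObject()` without checking that an article was actually found, whereas the editPost and deletePost hunks in this same commit add an `if( !$article )` guard before touching the result. Add the same guard here, `if( !$item ) { return new IXR_Error(-1, 'The article is not correct' ); }`, immediately after the call. Because the blogId argument is `-1`, the lookup is not restricted to any blog; the later `view_posts` check handles authorisation, but only if a missing article does not fail first. The enclosing getPost method starts in an earlier hunk and ends after this one.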
@@ -482,7 +489,6 @@
-1, // categoryId
$userInfo->getId());
$dateObject = $item->getDateObject();
- lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
// Get the unix time stamp
$time = $dateObject->getTimestamp(DATE_FORMAT_UNIXTIME);
@@ -494,6 +500,11 @@
$dummy["postid"] = $item->getId();
$blogInfo = $item->getBlogInfo();
+
+ // check the permissions
+ if( !$this->userHasPermission( $userInfo, $blogInfo, "view_posts" )) {
+ return new IXR_Error(-1, 'This user does not have enough permissions' );
+ }
$this->setResponseCharset( $blogInfo );
@@ -598,19 +609,9 @@
boolean, true or false
*/
- $auth = $users->authenticateUser($username,$password);
- if ($auth)
- {
- $userInfo = $users->getUserInfoFromUsername( $username );
+ $userInfo = $users->getUserInfo( $username, $password );
+ if( $userInfo ) {
- if ($publish)
- {
- $status = POST_STATUS_PUBLISHED;
- } else
- {
- $status = POST_STATUS_DRAFT;
- }
-
// fake topic
$dummy = explode("\n", $content);
if( count($dummy) == 1 ) {
@@ -629,13 +630,32 @@
-1, // date
-1, // categoryId
$userInfo->getId());
+
+ if( !$article ) {
+ return( new IXR_Error(-1, 'The article is not correct' ));
+ }
+
+ $blogInfo = $article->getBlogInfo();
+
+ // check the permissions
+ if( !$this->userHasPermission( $userInfo, $blogInfo, "update_post" )) {
+ return new IXR_Error(-1, 'This user does not have enough permissions' );
+ }
+
+ if ($publish) {
+ $status = POST_STATUS_PUBLISHED;
+ }
+ else {
+ $status = POST_STATUS_DRAFT;
+ }
+
$article->setText($content);
$article->setTopic($title);
$article->setStatus($status);
// Get the plugin manager
$plugMgr =& PluginManager::getPluginManager();
- $plugMgr->setBlogInfo( $blogsG->getBlogInfo( $article->getBlog() ) );
+ $plugMgr->setBlogInfo( $blogInfo );
$plugMgr->setUserInfo( $userInfo );
$plugMgr->loadPlugins();
// Send the EVENT_PRE_POST_UPDATE message
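Review bot: The two new early returns are distinguishable — 'The article is not correct' when no article matches `$postid` and 'This user does not have enough permissions' when one does but belongs to a blog the caller may not edit — so any authenticated caller can learn whether a post id exists outside their own blogs; the deletePost hunk below has the same pair. Returning the permission error in both cases, `return new IXR_Error(-1, 'This user does not have enough permissions' );`, avoids that disclosure without changing behaviour for legitimate callers. `return( new IXR_Error(...) )` and `return new IXR_Error(...)` are also mixed within the same block; pick one form. The enclosing editPost method begins before this hunk.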
@@ -646,9 +666,7 @@
// Send the EVENT_POST_POST_UPDATE messages to the plugins
$plugMgr->notifyEvent( EVENT_POST_POST_UPDATE, Array( "article" => &$article ));
- $blogid = $article->getBlog();
- $blogInfo = $article->getBlogInfo();
- CacheControl::resetBlogCache( $blogid );
+ CacheControl::resetBlogCache( $blogInfo->getId());
$this->setResponseCharset( $blogInfo );
@@ -783,30 +801,34 @@
$password = $args[3];
$publish = $args[4];
- // -mhe todo
- $auth = $users->authenticateUser($username,$password);
- if ($auth)
- {
- $userInfo = $users->getUserInfoFromUsername( $username );
-
+ $userInfo = $users->getUserInfo( $username, $password );
+ if( $userInfo ) {
$article = $articles->getBlogArticle($postid,
-1, // blogId
true, // includeHiddenFields
-1, // date
-1, // categoryId
$userInfo->getId());
+
+ // check if the article that was pulled is valid at all
+ if( !$article ) {
+ return( new IXR_Error(-1, 'The article is not correct' ));
+ }
+
+ // check the permissions
+ $blogInfo = $article->getBlogInfo();
+ if( !$this->userHasPermission( $userInfo, $blogInfo, "update_post" )) {
+ return( new IXR_Error(-1, 'This user does not have enough permissions' ));
+ }
// Get the plugin manager
$plugMgr =& PluginManager::getPluginManager();
- $plugMgr->setBlogInfo( $blogsG->getBlogInfo( $article->getBlog() ) );
+ $plugMgr->setBlogInfo( $blogInfo );
$plugMgr->setUserInfo( $userInfo );
$plugMgr->loadPlugins();
// Send the EVENT_PRE_POST_DELETE message
$plugMgr->notifyEvent( EVENT_PRE_POST_DELETE, Array( "article" => &$article ));
- $blogid = $article->getBlog();
- $blogInfo = $article->getBlogInfo();
-
$articles->deleteArticle(
$postid,
$userInfo->getId(), // userid
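Review bot: deletePost authorises with the `update_post` permission name, so anyone allowed to edit posts in the blog can also delete them. If the permission model has a separate delete permission this should use it; if it does not, a comment such as `// deletion is gated on the same right as editing; no separate delete permission exists` makes the decision explicit for the next reader. The enclosing deletePost method begins before this hunk.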
@@ -816,13 +838,13 @@
// Send the EVENT_POST_POST_DELETE messages to the plugins
$plugMgr->notifyEvent( EVENT_POST_POST_DELETE, Array( "article" => &$article ));
- CacheControl::resetBlogCache( $blogid );
+ CacheControl::resetBlogCache( $blogInfo->getId());
$this->setResponseCharset( $blogInfo );
return true;
- } else
- {
+ }
+ else {
return new IXR_Error(-1, 'You did not provide the correct password');
}
}
@@ -845,24 +867,28 @@
$password = $args[3];
$number = $args[4];
- $auth = $users->authenticateUser($username,$password);
- if ($auth)
+ $userInfo = $users->getUserInfo($username,$password);
+ if( $userInfo )
{
$blogInfo = $blogs->getBlogInfo( $blogid );
if( !$blogInfo ) {
return new IXR_Error(-1, 'Incorrect blog id');
}
+ // check this user's permissions
+ if( !$this->userHasPermission( $userInfo, $blogInfo, "view_posts" )) {
+ return new IXR_Error(-1, 'This user does not have enough permissions' );
+ }
+
$ret = array();
$list = $articles->getBlogArticles(
$blogid,
- -1,
- $number,
- -1
+ -1, // date
+ $number, // amount
+ -1 // any category id
);
- foreach($list as $item)
- {
+ foreach( $list as $item ) {
$dateObject = $item->getDateObject();
lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
// Get the unix time stamp
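Review bot: `lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );` is still executed inside the `foreach( $list as $item )` loop, once per article, while the getPost hunk in this same commit hoists the equivalent include to the top of the method; hoist it here as well, or into the file-level include block. `$number` comes straight from `$args[4]` and is passed to getBlogArticles as the amount with no upper bound, so a client can request an arbitrarily large page in one call; consider clamping it to a sane maximum before the query. The enclosing getRecentPosts method begins before this hunk and the loop continues after it.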
@@ -1054,12 +1080,10 @@
$users = new Users();
- $auth = $users->authenticateUser( $username, $password );
+ $userInfo = $users->getUserInfo( $username, $password );
- if ($auth)
+ if ($userInfo)
{
- $userInfo = $users->getUserInfoFromUsername( $username );
-
$ret = array();
$ret["nickname"] = $userInfo->getUsername();
$ret["firstname"] = $userInfo->getUsername();
@@ -1069,9 +1093,9 @@
$ret["url"] = "";
// set the response encoding according to one of the blogs owned by this user
- $blogs = $userInfo->getOwnBlogs();
- if( count($blogs) > 0 ) {
- $blogInfo = array_pop( $blogs );
+ $userBlogs = $users->getUsersBlogs( $userInfo->getId(), BLOG_STATUS_ACTIVE );
+ if( count($userBlogs) > 0 ) {
+ $blogInfo = array_pop( $userBlogs );
$this->setResponseCharset( $blogInfo );
}
@@ -1096,13 +1120,11 @@
"blogid" =>
*/
- $auth = $users->authenticateUser( $username, $password );
+ $userInfo = $users->getUserInfo( $username, $password );
- if ($auth)
+ if ($userInfo)
{
- $userInfo = $users->getUserInfoFromUsername( $username );
-
- $blogs = $users->getUsersBlogs($userInfo->getId());
+ $blogs = $users->getUsersBlogs($userInfo->getId(), BLOG_STATUS_ACTIVE );
$ret = array();
foreach($blogs as $blog)
{
@@ -1247,6 +1269,34 @@
return new IXR_Error(-1, 'You did not provide the correct password');
}
}
+
+ /**
+ * Extra helper method to check permissions
+ *
+ * @param user A UserInfo object
+ * @param blog A BlogInfo object
+ * @param permName Name of the permission
+ * @param mode Either BLOG_PERMISSION or ADMIN_PERMISSION, depending on whether
+ * we're checking the user's permissions in this blog or an admin permission
+ */
+ function userHasPermission( $userInfo, $blogInfo, $permName, $mode = BLOG_PERMISSION )
+ {
+ // check for the permission, whether the user is the blog owner or
+ // whether the user is a site administrator
+ $hasPermission = false;
+ if( $mode == BLOG_PERMISSION ) {
+ $hasPermission = (
+ $userInfo->hasPermissionByName( $permName, $blogInfo->getId()) ||
+ $blogInfo->getOwnerId() == $userInfo->getId() ||
+ $userInfo->hasPermissionByName( "edit_blog_admin_mode", 0 )
+ );
+ }
+ else {
+ $hasPermission = ( $userInfo->hasPermissionByName( $permName, 0 ));
+ }
+
+ return( $hasPermission );
+ }
}
?>
\ No newline at end of file
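Review bot: The docblock on userHasPermission names its parameters `user`, `blog` and `permName`, but the signature takes `$userInfo`, `$blogInfo`, `$permName` and `$mode`, and there is no return tag; align the names and add `@return boolean true if the user holds the permission in the blog, owns the blog, or holds edit_blog_admin_mode (BLOG_PERMISSION mode), or holds the permission site-wide (ADMIN_PERMISSION mode)`. The `$mode == BLOG_PERMISSION` test is a loose comparison; `$mode === BLOG_PERMISSION` is safer given the constants may be defined by another file first. The helper also dereferences `$blogInfo` unconditionally while the getPost, editPost and deletePost callers pass `getBlogInfo()` results without a null check; either document that `$blogInfo` must be a valid BlogInfo or return false when it is not.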