[pLog-svn] r4443 - plog/trunk/class/net/xmlrpc

oscar at devel.lifetype.net oscar at devel.lifetype.net
Thu Dec 28 19:23:56 GMT 2006


Author: oscar
Date: 2006-12-28 19:23:56 +0000 (Thu, 28 Dec 2006)
New Revision: 4443

Modified:
   plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php
Log:
Implemented permission checks in all other methods except metaWeblogNewMediaObject (I need to check whether this is still working after the changes in the implementation of resources), mt.getCategoryList and metaWeblog.getCategories (otherwise it would be impossible to post)

Paul, since you implemented the extended MovableType methods, can you have a look at them? They should be ok but my client (ecto in OS X) does not support them.

Modified: plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php
===================================================================
--- plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php	2006-12-28 18:55:40 UTC (rev 4442)
+++ plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php	2006-12-28 19:23:56 UTC (rev 4443)
@@ -28,13 +28,13 @@
 		    {
 				$this->IXR_Server(
 			    	    array (
-			        	"blogger.newPost"           => "this:newPost",   // ok 
-			        	"blogger.getPost"           => "this:getPost",   // ok
-			        	"blogger.editPost"          => "this:editPost",   // ok
-			        	"blogger.deletePost"        => "this:deletePost",  // ok
-			        	"blogger.getRecentPosts"    => "this:getRecentPosts",   // ok
-			        	"blogger.getUserInfo"       => "this:getUserInfo",   // ok
-			        	"blogger.getUsersBlogs"     => "this:getUsersBlogs",   // ok
+			        	"blogger.newPost"           => "this:newPost",
+			        	"blogger.getPost"           => "this:getPost",
+			        	"blogger.editPost"          => "this:editPost",
+			        	"blogger.deletePost"        => "this:deletePost",
+			        	"blogger.getRecentPosts"    => "this:getRecentPosts",
+			        	"blogger.getUserInfo"       => "this:getUserInfo",
+			        	"blogger.getUsersBlogs"     => "this:getUsersBlogs",
 			            "metaWeblog.newPost"        => "this:metaWeblogNewPost",
 			            "metaWeblog.editPost"       => "this:metaWeblogEditPost",
 			            "metaWeblog.getPost"        => "this:metaWeblogGetPost",
@@ -42,7 +42,7 @@
 			            "metaWeblog.getCategories"  => "this:metaWeblogGetCategories",
 			            "metaWeblog.newMediaObject" => "this:metaWeblogNewMediaObject",	
 			            "mt.getCategoryList"        => "this:mtGetCategoryList",
-			            "mt.supportedTextFilters"   => "this:mtSupportedTextFilters",
+			            "mt.supportedTextFilters"   => "this:mtSupportedTextFilters", 
 			            "mt.getPostCategories"      => "this:mtGetPostCategories",
 			            "mt.setPostCategories"      => "this:mtSetPostCategories"
 			    	    ));
@@ -194,29 +194,22 @@
              int postid
             */
     
-            // -mhe todo security
+            $userInfo = $users->getUserInfo( $username, $password);
     
-            $auth = $users->authenticateUser( $username, $password);
-    
-            if ($auth)
-            {
-                if ($publish)
-                {
+            if( $userInfo ) {
+	
+                if ($publish) {
                     $status = POST_STATUS_PUBLISHED;
-                } else
-                {
+                } 
+				else {
                     $status = POST_STATUS_DRAFT;
                 }
+
+                $blogInfo = $blogsG->getBlogInfo( $blogid );
+				if( !$this->userHasPermission( $userInfo, $blogInfo, "add_post" )) {
+					return new IXR_Error(-1, 'This user does not have enough permissions' );
+				}
                 
-                // Get the default category
-                //$cats = $category->getBlogCategories($blogid);
-                //foreach($cats as $cat)
-                //{
-                //    $idCategory = $cat->_id;
-                //    // Stop here, we have a category
-                //    break;
-                //}
-                
                 $title = $content["title"];
                 
                 // Check to see if the MovableType extnensions have been added
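Review bot: `$blogInfo = $blogsG->getBlogInfo( $blogid );` is passed straight to `userHasPermission` without checking that the lookup succeeded, even though `$blogid` is supplied by the XML-RPC client; the getRecentPosts hunk guards the same lookup with `if( !$blogInfo ) { return new IXR_Error(-1, 'The blog identifier is not valid' ); }` and the same guard belongs here, between the lookup and the permission check. This hunk also introduces the pattern, repeated in the getPost, editPost, getRecentPosts, mtGetPostCategories and mtSetPostCategories hunks, of replacing `authenticateUser` with `$users->getUserInfo( $username, $password)`; the body of `getUserInfo` is not in this diff, so it is worth confirming it actually verifies the password rather than only resolving the user by name, since every method here now depends on it for authentication. The enclosing newPost method starts and ends outside the hunk.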
@@ -319,9 +312,6 @@
                 
                 $article->setDate($articleDate);
                 
-                $blogInfo = $blogsG->getBlogInfo( $blogid );
-                
-                
                 // Get the plugin manager
                 $plugMgr =& PluginManager::getPluginManager();
                 $plugMgr->setBlogInfo( $blogInfo );
@@ -376,6 +366,13 @@
 		}
 			
 
+		/** 
+		 * NOTE: this method does not perform permission checking since if it did,
+		 * it would be impossible to post: no categories would be available if the
+	     * view_categories is not available. This is in line with the browser-based UI,
+	     * there it is not necessary to have this permission in order to post new articles,
+		 * only add_post is needed
+		 */
 	    function metaWeblogGetCategories($args)
 	    {
 			$users = new Users();
@@ -524,20 +521,29 @@
 	        $username   = $args[1];
 	        $password   = $args[2];
 
-	        $auth = $users->authenticateUser($username,$password);
+	        $userInfo = $users->getUserInfo( $username, $password );
 
-	        if ($auth)
+	        if( $userInfo )
 	        {
 	            lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
 
-	            $userInfo = $users->getUserInfoFromUsername( $username );
-
 	            $item = $articles->getBlogArticle($postid,
 	                                              -1, // blogId
 	                                              true, // includeHiddenFields
 	                                              -1, // date
 	                                              -1, // categoryId
 	                                              $userInfo->getId());
+	
+				// check if the article is valid
+				if( !$item ) {
+					return( new IXR_Error(-1, 'The article is not valid' ));
+				}
+				
+				// check permissions
+	            $blogInfo = $item->getBlogInfo();				
+				if( !$this->userHasPermission( $userInfo, $blogInfo, "view_posts" )) {
+					return( new IXR_Error(-1, 'This user does not have enough permissions' ));
+				}	
 
 	            $dateObject = $item->getDateObject();
 	            // Get the unix time stamp 
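Review bot: The new lines mix indentation styles: `$blogInfo = $item->getBlogInfo();` is indented with a tab followed by spaces and carries trailing tabs, while the surrounding added lines use tabs only; the block would read more consistently as `$blogInfo = $item->getBlogInfo();` indented like the `if( !$this->userHasPermission(...) )` line that follows it. The next hunk of this method drops `$blogInfo = $blogs->getBlogInfo( $blogId );` but keeps `$blogs = new Blogs();`, which now appears unused in this method unless it is referenced further down outside the diff. The enclosing method starts and ends outside the hunk.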
@@ -547,7 +553,6 @@
 
 	            $blogId = $item->getBlog();
 	            $blogs = new Blogs();
-	            $blogInfo = $blogs->getBlogInfo( $blogId );
 	            $url = $blogInfo->getBlogRequestGenerator();
 
 	            $dummy                  = array();
@@ -559,12 +564,10 @@
                 $blogSettings = $blogInfo->getSettings();
                 
                 $useMovableType = $blogSettings->getValue( "xmlrpc_movabletype_enabled" );
-	            if ( $useMovableType ) 
-	            {
+	            if ( $useMovableType ) {
                     $dummy["description"]   = $item->getIntroText(); 
 	            }
-	            else
-	            {
+	            else {
                     $dummy["description"]   = $item->getText(false); 
 	            }
 	            $dummy["postid"]        = $item->getId();
@@ -693,16 +696,13 @@
 	            boolean, true or false
 	        */
 
-	        $auth = $users->authenticateUser($username,$password);
-	        if ($auth)
-	        {
-	            $userInfo = $users->getUserInfoFromUsername( $username );
-
-	            if ($publish)
-	            {
+	        $userInfo = $users->getUserInfo( $username, $password );
+	        if( $userInfo ) {
+		
+	            if ($publish) {
 	                $status = POST_STATUS_PUBLISHED;
-	            } else
-	            {
+	            } 
+				else {
 	                $status = POST_STATUS_DRAFT;
 	            }            
 
@@ -713,12 +713,10 @@
 	            $mt_text_more = $content["mt_text_more"]; 
 	            $mt_allow_comments = $content["mt_allow_comments"]; 
                 
-                if ( $mt_text_more != NULL && trim($mt_text_more) != "")
-                {
+                if ( $mt_text_more != NULL && trim($mt_text_more) != "") {
                     $body = $content["description"] . POST_EXTENDED_TEXT_MODIFIER . $mt_text_more;
                 }
-                else
-                {
+                else {
                     $body = $content["description"];
                 }
 
@@ -728,6 +726,18 @@
 	                                                 -1, // date
 	                                                 -1, // categoryId
 	                                                 $userInfo->getId());
+	
+				// check that the article is valid
+				if( !$article ) {
+					return( new IXR_Error(-1, 'Incorrect article' ));					
+				}
+				
+				// see that the user can update articles
+	            $blogid = $article->getBlog();
+				$blogInfo = $article->getBlogInfo();
+				if( !$this->userHasPermission( $userInfo, $blogInfo, "update_post" )) {
+					return( new IXR_Error(-1, 'This user does not have enough permissions' ));
+				}
 
 	            $catList = $content["categories"];
 	            //
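Review bot: The error string for a missing article is `'Incorrect article'` here, `'The article is not valid'` in the getPost and mtGetPostCategories hunks, and `'The article is not correct'` in the mtSetPostCategories hunk; clients see three different messages for the same condition, so one shared string (or a class constant) would be clearer. `$blogInfo = $article->getBlogInfo();` is also handed to `userHasPermission` without a validity check; whether getBlogInfo can return an empty value for a loaded article is not visible here, so if it can, the same guard used for blogs elsewhere in this diff should precede the check. The enclosing method starts and ends outside the hunk.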
@@ -735,8 +745,6 @@
 	            // not exactly the smartest and fastest bit of code ever but it seems to work :-)
 	            //
 	            $categories = Array();
-	            $blogid = $article->getBlog();
-				$blogInfo = $article->getBlogInfo();
 	            $cats = $category->getBlogCategories($blogid);
 	            if ( $catList != NULL )
 	            {
@@ -923,10 +931,9 @@
 	        $password   = $args[2];
 	        $number     = $args[3];
 
-	        $auth = $users->authenticateUser($username,$password);
+	        $userInfo = $users->getUserInfo( $username, $password );
 
-	        if ($auth)
-	        {
+	        if( $userInfo ) {
 	            $ret = array();
 	            $list = $articles->getBlogArticles(
 	                $blogid,  
@@ -937,6 +944,17 @@
 
 	            $blogs = new Blogs();
 	            $blogInfo = $blogs->getBlogInfo( $blogid );
+	
+				// check if the blog is valid
+				if( !$blogInfo ) {
+					return new IXR_Error(-1, 'The blog identifier is not valid' );
+				}
+				
+				// check this user's permissions
+				if( !$this->userHasPermission( $userInfo, $blogInfo, "view_posts" )) {
+					return new IXR_Error(-1, 'This user does not have enough permissions' );
+				}				
+	
                 $url = $blogInfo->getBlogRequestGenerator();
 
                 $blogSettings = $blogInfo->getSettings();
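Review bot: The `view_posts` permission check is placed after `$list = $articles->getBlogArticles( $blogid, ...)` in the preceding hunk has already loaded the posts, so the query runs for callers who are then refused. Nothing is returned to them, but moving `$blogInfo = $blogs->getBlogInfo( $blogid );` together with the validity and permission checks above the getBlogArticles call avoids fetching data the caller is not allowed to see and keeps the check-before-use order the other methods in this diff follow. The enclosing method starts and ends outside the hunk.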
@@ -948,7 +966,7 @@
 	                $dateObject = $item->getDateObject();
 	                lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
 	                // Get the unix time stamp 
-	                $time = $dateObject->getTimestamp(DATE_FORMAT_UNIXTIME);
+	                $time = $dateObject->getTimestamp( DATE_FORMAT_UNIXTIME );
 
 	                $articleCat = $item->getCategory();
 
@@ -987,8 +1005,8 @@
 	                $ret[]                  = $dummy;
 	            }
 	            return $ret;
-	        } else
-	        {
+	        } 
+			else {
 	            return new IXR_Error(-1, 'You did not provide the correct password');
 	        }
 	    }
@@ -1165,25 +1183,31 @@
 	        $username   = $args[1];
 	        $password   = $args[2];
 
-	        $auth = $users->authenticateUser($username,$password);
+	        $userInfo = $users->getUserInfo( $username, $password );
 
-	        if ($auth)
+	        if( $userInfo )
 	        {
 	            include_once( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
 
-	            $userInfo = $users->getUserInfoFromUsername( $username );
-
 	            $item = $articles->getBlogArticle($postid,
 	                                              -1, // blogId
 	                                              true, // includeHiddenFields
 	                                              -1, // date
 	                                              -1, // categoryId
 	                                              $userInfo->getId());
+	
+				// check if the article is valid
+				if( !$article ) {
+					return( new IXR_Error(-1, 'The article is not valid' ));
+				}
+				
+				// and permissions
+				$blogInfo = $item->getBlogInfo();
+				$blogId = $blog->getId();
+				if( !$this->userHasPermission( $userInfo, $blogInfo, "view_posts" )) {
+					return new IXR_Error(-1, 'This user does not have enough permissions' );
+				}
 
-	            $blogId = $item->getBlog();
-	            $blogs = new Blogs();
-	            $blogInfo = $blogs->getBlogInfo( $blogId );
-
 	            $catArray               = array();
 	            foreach( $item->getCategories() as $category ) {
    	                $dummy                   = array();
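Review bot: The new validity check reads `if( !$article )` but the variable loaded just above is `$item`, so unless `$article` is assigned earlier in the method outside this hunk the condition is always true and mtGetPostCategories now returns 'The article is not valid' for every request; the line should be `if( !$item ) {`. Likewise `$blogId = $blog->getId();` references `$blog`, which is not assigned anywhere in the hunk, while the removed line it replaces was `$blogId = $item->getBlog();`, so the replacement should be `$blogId = $item->getBlog();`. The enclosing method starts and ends outside the hunk.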
@@ -1202,7 +1226,7 @@
 	            return new IXR_Error(-1, 'You did not provide the correct password');
 	        }
 	    }
-	    
+	
         function mtSetPostCategories($args)
 	    {
 	        $users = new Users();
@@ -1213,23 +1237,30 @@
 	        $password   = $args[2];
 	        $categories = $args[3];
 
-	        $auth = $users->authenticateUser($username,$password);
+	        $userInfo = $users->getUserInfo( $username, $password );
 
-	        if ($auth)
-	        {
+	        if( $userInfo ) {
 	            include_once( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
 
-	            $userInfo = $users->getUserInfoFromUsername( $username );
-
 	            $article = $articles->getBlogArticle($postid,
 	                                              -1, // blogId
 	                                              true, // includeHiddenFields
 	                                              -1, // date
 	                                              -1, // categoryId
 	                                              $userInfo->getId());
+				
+				// check that the article is valid
+				if( !$article ) {
+					return( new IXR_Error(-1, 'The article is not correct' ));
+				}
 
+	
+				// check the permissions
 	            $blogId = $article->getBlog();
-	            $blogInfo = $article->getBlogInfo();
+	            $blogInfo = $article->getBlogInfo();	
+				if( !$this->userHasPermission( $userInfo, $blogInfo, "update_post" )) {
+					return new IXR_Error(-1, 'This user does not have enough permissions' );
+				}	
 
                 $articleCategories = new ArticleCategories();
 


