[pLog-svn] r4443 - plog/trunk/class/net/xmlrpc
Paul Westbrook
paul at westbrooks.org
Thu Dec 28 19:59:53 GMT 2006
Hello,
Sure, I can take a look at the MovableType. I probably will not
be able to look at this until this weekend, though.
--Paul
On Dec 28, 2006, at 11:23 AM, oscar at devel.lifetype.net wrote:
> Author: oscar
> Date: 2006-12-28 19:23:56 +0000 (Thu, 28 Dec 2006)
> New Revision: 4443
>
> Modified:
> plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php
> Log:
> Implemented permission checks in all other methods except
> metaWeblogNewMediaObject (I need to check whether this is still
> working after the changes in the implementation of resources),
> mt.getCategoryList and metaWeblog.getCategories (otherwise it would
> be impossible to post)
>
> Paul, since you implemented the extended MovableType methods, can
> you have a look at them? They should be ok but my client (ecto in
> OS X) does not support them.
>
> Modified: plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php
> ===================================================================
> --- plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php 2006-12-28
> 18:55:40 UTC (rev 4442)
> +++ plog/trunk/class/net/xmlrpc/xmlrpcserver.class.php 2006-12-28
> 19:23:56 UTC (rev 4443)
> @@ -28,13 +28,13 @@
> {
> $this->IXR_Server(
> array (
> - "blogger.newPost" => "this:newPost", // ok
> - "blogger.getPost" => "this:getPost", // ok
> - "blogger.editPost" => "this:editPost", // ok
> - "blogger.deletePost" => "this:deletePost", // ok
> - "blogger.getRecentPosts" =>
> "this:getRecentPosts", // ok
> - "blogger.getUserInfo" =>
> "this:getUserInfo", // ok
> - "blogger.getUsersBlogs" =>
> "this:getUsersBlogs", // ok
> + "blogger.newPost" => "this:newPost",
> + "blogger.getPost" => "this:getPost",
> + "blogger.editPost" => "this:editPost",
> + "blogger.deletePost" => "this:deletePost",
> + "blogger.getRecentPosts" => "this:getRecentPosts",
> + "blogger.getUserInfo" => "this:getUserInfo",
> + "blogger.getUsersBlogs" => "this:getUsersBlogs",
> "metaWeblog.newPost" =>
> "this:metaWeblogNewPost",
> "metaWeblog.editPost" =>
> "this:metaWeblogEditPost",
> "metaWeblog.getPost" =>
> "this:metaWeblogGetPost",
> @@ -42,7 +42,7 @@
> "metaWeblog.getCategories" =>
> "this:metaWeblogGetCategories",
> "metaWeblog.newMediaObject" =>
> "this:metaWeblogNewMediaObject",
> "mt.getCategoryList" =>
> "this:mtGetCategoryList",
> - "mt.supportedTextFilters" =>
> "this:mtSupportedTextFilters",
> + "mt.supportedTextFilters" =>
> "this:mtSupportedTextFilters",
> "mt.getPostCategories" =>
> "this:mtGetPostCategories",
> "mt.setPostCategories" =>
> "this:mtSetPostCategories"
> ));
> @@ -194,29 +194,22 @@
> int postid
> */
>
> - // -mhe todo security
> + $userInfo = $users->getUserInfo( $username, $password);
>
> - $auth = $users->authenticateUser( $username, $password);
> -
> - if ($auth)
> - {
> - if ($publish)
> - {
> + if( $userInfo ) {
> +
> + if ($publish) {
> $status = POST_STATUS_PUBLISHED;
> - } else
> - {
> + }
> + else {
> $status = POST_STATUS_DRAFT;
> }
> +
> + $blogInfo = $blogsG->getBlogInfo( $blogid );
> + if( !$this->userHasPermission( $userInfo, $blogInfo,
> "add_post" )) {
> + return new IXR_Error(-1, 'This user does not have enough
> permissions' );
> + }
>
> - // Get the default category
> - //$cats = $category->getBlogCategories($blogid);
> - //foreach($cats as $cat)
> - //{
> - // $idCategory = $cat->_id;
> - // // Stop here, we have a category
> - // break;
> - //}
> -
> $title = $content["title"];
>
> // Check to see if the MovableType extnensions
> have been added
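Review bot: `$blogInfo` returned by `$blogsG->getBlogInfo( $blogid )` is handed straight to `userHasPermission` without checking that the blog exists, whereas the getRecentPosts hunk (@@ -937) tests `!$blogInfo` before its permission check; a request carrying an unknown blog id reaches the permission helper with an empty value and later code that calls methods on `$blogInfo`. Add `if( !$blogInfo ) { return new IXR_Error(-1, 'The blog identifier is not valid' ); }` before the `add_post` check, matching the later hunk. The enclosing method starts and ends outside this hunk, and the branch taken when `getUserInfo` fails is not visible here.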
> @@ -319,9 +312,6 @@
>
> $article->setDate($articleDate);
>
> - $blogInfo = $blogsG->getBlogInfo( $blogid );
> -
> -
> // Get the plugin manager
> $plugMgr =& PluginManager::getPluginManager();
> $plugMgr->setBlogInfo( $blogInfo );
> @@ -376,6 +366,13 @@
> }
>
>
> + /**
> + * NOTE: this method does not perform permission checking since
> if it did,
> + * it would be impossible to post: no categories would be
> available if the
> + * view_categories is not available. This is in line with the
> browser-based UI,
> + * there it is not necessary to have this permission in order
> to post new articles,
> + * only add_post is needed
> + */
> function metaWeblogGetCategories($args)
> {
> $users = new Users();
> @@ -524,20 +521,29 @@
> $username = $args[1];
> $password = $args[2];
>
> - $auth = $users->authenticateUser($username,$password);
> + $userInfo = $users->getUserInfo( $username, $password );
>
> - if ($auth)
> + if( $userInfo )
> {
> lt_include( PLOG_CLASS_PATH."class/data/
> timestamp.class.php" );
>
> - $userInfo = $users->getUserInfoFromUsername
> ( $username );
> -
> $item = $articles->getBlogArticle($postid,
> -1, // blogId
> true, //
> includeHiddenFields
> -1, // date
> -1, // categoryId
> $userInfo->getId());
> +
> + // check if the article is valid
> + if( !$item ) {
> + return( new IXR_Error(-1, 'The article is not valid' ));
> + }
> +
> + // check permissions
> + $blogInfo = $item->getBlogInfo();
> + if( !$this->userHasPermission( $userInfo, $blogInfo,
> "view_posts" )) {
> + return( new IXR_Error(-1, 'This user does not have enough
> permissions' ));
> + }
>
> $dateObject = $item->getDateObject();
> // Get the unix time stamp
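Review bot: The `!$item` check answers 'The article is not valid' before the `view_posts` check runs, so an authenticated user with no rights on that blog can still learn from which error comes back whether a given post id exists; returning the same permission error in both cases would remove that distinction. The same ordering appears in the edit-post (@@ -728), mt.getPostCategories (@@ -1165) and mt.setPostCategories (@@ -1213) hunks. With `$blogInfo` now taken from `$item->getBlogInfo()`, the `$blogId = $item->getBlog();` and `$blogs = new Blogs();` lines kept by the @@ -547 hunk appear to be unused. The enclosing method starts and ends outside this hunk.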
> @@ -547,7 +553,6 @@
>
> $blogId = $item->getBlog();
> $blogs = new Blogs();
> - $blogInfo = $blogs->getBlogInfo( $blogId );
> $url = $blogInfo->getBlogRequestGenerator();
>
> $dummy = array();
> @@ -559,12 +564,10 @@
> $blogSettings = $blogInfo->getSettings();
>
> $useMovableType = $blogSettings->getValue
> ( "xmlrpc_movabletype_enabled" );
> - if ( $useMovableType )
> - {
> + if ( $useMovableType ) {
> $dummy["description"] = $item->getIntroText();
> }
> - else
> - {
> + else {
> $dummy["description"] = $item->getText(false);
> }
> $dummy["postid"] = $item->getId();
> @@ -693,16 +696,13 @@
> boolean, true or false
> */
>
> - $auth = $users->authenticateUser($username,$password);
> - if ($auth)
> - {
> - $userInfo = $users->getUserInfoFromUsername
> ( $username );
> -
> - if ($publish)
> - {
> + $userInfo = $users->getUserInfo( $username, $password );
> + if( $userInfo ) {
> +
> + if ($publish) {
> $status = POST_STATUS_PUBLISHED;
> - } else
> - {
> + }
> + else {
> $status = POST_STATUS_DRAFT;
> }
>
> @@ -713,12 +713,10 @@
> $mt_text_more = $content["mt_text_more"];
> $mt_allow_comments = $content["mt_allow_comments"];
>
> - if ( $mt_text_more != NULL && trim($mt_text_more) !
> = "")
> - {
> + if ( $mt_text_more != NULL && trim($mt_text_more) !
> = "") {
> $body = $content["description"] .
> POST_EXTENDED_TEXT_MODIFIER . $mt_text_more;
> }
> - else
> - {
> + else {
> $body = $content["description"];
> }
>
> @@ -728,6 +726,18 @@
> -1, // date
> -1, // categoryId
> $userInfo->getId
> ());
> +
> + // check that the article is valid
> + if( !$article ) {
> + return( new IXR_Error(-1, 'Incorrect article' ));
> + }
> +
> + // see that the user can update articles
> + $blogid = $article->getBlog();
> + $blogInfo = $article->getBlogInfo();
> + if( !$this->userHasPermission( $userInfo, $blogInfo,
> "update_post" )) {
> + return( new IXR_Error(-1, 'This user does not have enough
> permissions' ));
> + }
>
> $catList = $content["categories"];
> //
> @@ -735,8 +745,6 @@
> // not exactly the smartest and fastest bit of code
> ever but it seems to work :-)
> //
> $categories = Array();
> - $blogid = $article->getBlog();
> - $blogInfo = $article->getBlogInfo();
> $cats = $category->getBlogCategories($blogid);
> if ( $catList != NULL )
> {
> @@ -923,10 +931,9 @@
> $password = $args[2];
> $number = $args[3];
>
> - $auth = $users->authenticateUser($username,$password);
> + $userInfo = $users->getUserInfo( $username, $password );
>
> - if ($auth)
> - {
> + if( $userInfo ) {
> $ret = array();
> $list = $articles->getBlogArticles(
> $blogid,
> @@ -937,6 +944,17 @@
>
> $blogs = new Blogs();
> $blogInfo = $blogs->getBlogInfo( $blogid );
> +
> + // check if the blog is valid
> + if( !$blogInfo ) {
> + return new IXR_Error(-1, 'The blog identifier is not valid' );
> + }
> +
> + // check this user's permissions
> + if( !$this->userHasPermission( $userInfo, $blogInfo,
> "view_posts" )) {
> + return new IXR_Error(-1, 'This user does not have enough
> permissions' );
> + }
> +
> $url = $blogInfo->getBlogRequestGenerator();
>
> $blogSettings = $blogInfo->getSettings();
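Review bot: The `view_posts` check sits after the `$articles->getBlogArticles( $blogid, ...)` call that begins in the preceding hunk (@@ -923), so the post list is already queried for a blog before the caller is known to be allowed to read it. The blog lookup and both new checks should move ahead of that query so an unauthorised request is rejected before any articles are fetched, and the blog-validity check then also covers the query's blog id. The method continues outside both hunks.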
> @@ -948,7 +966,7 @@
> $dateObject = $item->getDateObject();
> lt_include( PLOG_CLASS_PATH."class/data/
> timestamp.class.php" );
> // Get the unix time stamp
> - $time = $dateObject->getTimestamp
> (DATE_FORMAT_UNIXTIME);
> + $time = $dateObject->getTimestamp
> ( DATE_FORMAT_UNIXTIME );
>
> $articleCat = $item->getCategory();
>
> @@ -987,8 +1005,8 @@
> $ret[] = $dummy;
> }
> return $ret;
> - } else
> - {
> + }
> + else {
> return new IXR_Error(-1, 'You did not provide the
> correct password');
> }
> }
> @@ -1165,25 +1183,31 @@
> $username = $args[1];
> $password = $args[2];
>
> - $auth = $users->authenticateUser($username,$password);
> + $userInfo = $users->getUserInfo( $username, $password );
>
> - if ($auth)
> + if( $userInfo )
> {
> include_once( PLOG_CLASS_PATH."class/data/
> timestamp.class.php" );
>
> - $userInfo = $users->getUserInfoFromUsername
> ( $username );
> -
> $item = $articles->getBlogArticle($postid,
> -1, // blogId
> true, //
> includeHiddenFields
> -1, // date
> -1, // categoryId
> $userInfo->getId());
> +
> + // check if the article is valid
> + if( !$article ) {
> + return( new IXR_Error(-1, 'The article is not valid' ));
> + }
> +
> + // and permissions
> + $blogInfo = $item->getBlogInfo();
> + $blogId = $blog->getId();
> + if( !$this->userHasPermission( $userInfo, $blogInfo,
> "view_posts" )) {
> + return new IXR_Error(-1, 'This user does not have enough
> permissions' );
> + }
>
> - $blogId = $item->getBlog();
> - $blogs = new Blogs();
> - $blogInfo = $blogs->getBlogInfo( $blogId );
> -
> $catArray = array();
> foreach( $item->getCategories() as $category ) {
> $dummy = array();
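Review bot: The added validity check tests `$article`, but the article is loaded into `$item` just above it, so `$article` is undefined here and the method will always return 'The article is not valid'; likewise `$blogId = $blog->getId();` reads an undefined `$blog`, where the removed line used `$item->getBlog()`. Change the two lines to `if( !$item ) {` and `$blogId = $item->getBlog();`. The enclosing method (apparently mtGetPostCategories, judging by the `getCategories` loop and the mtSetPostCategories definition that follows) starts outside the hunk.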
> @@ -1202,7 +1226,7 @@
> return new IXR_Error(-1, 'You did not provide the
> correct password');
> }
> }
> -
> +
> function mtSetPostCategories($args)
> {
> $users = new Users();
> @@ -1213,23 +1237,30 @@
> $password = $args[2];
> $categories = $args[3];
>
> - $auth = $users->authenticateUser($username,$password);
> + $userInfo = $users->getUserInfo( $username, $password );
>
> - if ($auth)
> - {
> + if( $userInfo ) {
> include_once( PLOG_CLASS_PATH."class/data/
> timestamp.class.php" );
>
> - $userInfo = $users->getUserInfoFromUsername
> ( $username );
> -
> $article = $articles->getBlogArticle($postid,
> -1, // blogId
> true, //
> includeHiddenFields
> -1, // date
> -1, // categoryId
> $userInfo->getId());
> +
> + // check that the article is valid
> + if( !$article ) {
> + return( new IXR_Error(-1, 'The article is not correct' ));
> + }
>
> +
> + // check the permissions
> $blogId = $article->getBlog();
> - $blogInfo = $article->getBlogInfo();
> + $blogInfo = $article->getBlogInfo();
> + if( !$this->userHasPermission( $userInfo, $blogInfo,
> "update_post" )) {
> + return new IXR_Error(-1, 'This user does not have enough
> permissions' );
> + }
>
> $articleCategories = new ArticleCategories();
>
>
--
Paul Westbrook
paul at westbrooks.org
<http://www.westbrooks.org>