diff options
Diffstat (limited to 'includes')
-rw-r--r-- | includes/controller/api.php | 355 | ||||
-rw-r--r-- | includes/engelsystem_provider.php | 3 | ||||
-rw-r--r-- | includes/helper/session_helper.php | 2 | ||||
-rw-r--r-- | includes/model/Room_model.php | 34 | ||||
-rw-r--r-- | includes/pages/admin_import.php | 4 | ||||
-rw-r--r-- | includes/pages/admin_rooms.php | 96 |
6 files changed, 80 insertions, 414 deletions
diff --git a/includes/controller/api.php b/includes/controller/api.php deleted file mode 100644 index 9ecd3a2f..00000000 --- a/includes/controller/api.php +++ /dev/null @@ -1,355 +0,0 @@ -<?php - -/************************************************************************************************ - * API Documentation - ************************************************************************************************ - -General: --------- -All API calls output JSON-encoded data. Client parameters should be passed encoded using JSON in HTTP POST data. -Every API Request must be contained the Api Key (using JSON parameter 'key') and the Command (using JSON parameter 'cmd'). - - -Testing API calls (using curl): -------------------------------- -$ curl -d '{"cmd":"getVersion"}' '<Address>/?p=api' -$ curl -d '{"cmd":"getApiKey","user":"admin","pw":"admin"}' '<Address>/?p=api' -$ curl -d '{"key":"<key>","cmd":"getRoom"}' '<Address>/?p=api' -$ curl -d '{"key":"<key>","cmd":"sendmessage","uid":"23","text":"test message"}' '<Address>/?p=api' - -Methods without key: --------------------- -getVersion - Description: - Returns API version. - Parameters: - nothing - Return Example: - {"status":"success","version": "1"} - -getApiKey - Description: - Returns API Key version. - Parameters: - user (string) - pw (string) - Return Example: - {"status":"success","Key":"1234567890123456789012"} - -Methods with Key: ------------------ -getRoom - Description: - Returns a list of all Rooms (no id set) or details of a single Room (requested id) - Parameters: - id (integer) - Room ID - Return Example: - [{"RID":"1"},{"RID":"23"},{"RID":"42"}] - {"RID":"1","Name":"Room Name","Man":null,"FromPentabarf":"","show":"Y","Number":"0"} - -getAngelType - Description: - Returns a list of all Angel Types (no id set) or details of a single Angel Type (requested id) - Parameters: - id (integer) - Type ID - Return Example: - [{"id":"8"},{"id":"9"}] - {"id":"9","name":"Angeltypes 2","restricted":"0"} - -getUser - Description: - Returns a list of all Users (no id set) or details of a single User (requested id) - Parameters: - id (integer) - User ID - Return Example: - [{"UID":"1"},{"UID":"23"},{"UID":"42"}] - {"UID":"1","Nick":"admin","Name":"Gates","Vorname":"Bill","Telefon":"","DECT":"","Handy":"","email":"","jabber":"","Avatar":"115"} - -getShift - Description: - Returns a list of all Shifte (no id set, filter is optional) or details of a single Shift (requested id) - Parameters: - id (integer) - Shift ID - filterRoom (Array of integer) - Array of Room IDs (optional, for list request) - filterTask (Array of integer) - Array if Task (optional, for list request) - filterOccupancy (integer) - Occupancy state: (optional, for list request) - 1 occupied - 2 free - 3 occupied and free - Return Example: - [{"SID":"1"},{"SID":"2"},{"SID":"3"}] - {"SID":"10","start":"1388264400","end":"1388271600","RID":"1","name":"Shift 1","URL":null,"PSID":null,\ - "ShiftEntry":[{"TID":"8","UID":"4","freeloaded":"0"}], - "NeedAngels":[{"TID":"8","count":"1","restricted":"0","taken":1},{"TID":"9","count":"2","restricted":"0","taken":0}]} - -getMessage - Description: - Returns a list of all Messages (no id set) or details of a single Message (requested id) - Parameters: - id (integer) - Message ID - Return Example: - [{"id":"1"},{"id":"2"},{"id":"3"}] - {"id":"3","Datum":"1388247583","SUID":"23","RUID":"42","isRead":"N","Text":"message text"} - -sendMessage - Description: - send a Message to an other angel - Parameters: - uid (integer) - User ID of the reciever - text (string) - Message Text - Return Example: - {"status":"success"} - -************************************************************************************************/ - -/** - * General API Controller - */ -function api_controller() { - global $user, $DataJson; - - header("Content-Type: application/json; charset=utf-8"); - - // decode JSON request - $input = file_get_contents("php://input"); - $input = json_decode($input, true); - $_REQUEST = $input; - - // get command - $cmd = ''; - if (isset($_REQUEST['cmd'])) - $cmd = strtolower($_REQUEST['cmd']); - - // decode commands, without key - switch ($cmd) { - case 'getversion': - getVersion(); - die(json_encode($DataJson)); - break; - case 'getapikey': - getApiKey(); - die(json_encode($DataJson)); - break; - } - - // get API KEY - if (isset($_REQUEST['key']) && preg_match("/^[0-9a-f]{32}$/", $_REQUEST['key'])) - $key = $_REQUEST['key']; - else - die(json_encode(array( - 'status' => 'failed', - 'error' => 'Missing parameter "key".' - ))); - - // check API key - $user = User_by_api_key($key); - if ($user === false) - die(json_encode(array( - 'status' => 'failed', - 'error' => 'Unable to find user' - ))); - if ($user == null) - die(json_encode(array( - 'status' => 'failed', - 'error' => 'Key invalid.' - ))); - - // decode command - switch ($cmd) { - case 'getroom': - getRoom(); - break; - case 'getangeltype': - getAngelType(); - break; - case 'getuser': - // TODO Dataleak! Only coordinators are allowed to see so much user informations. - //getUser(); - break; - case 'getshift': - getShift(); - break; - case 'getmessage': - // TODO Dataleak! - //getMessage(); - break; - case 'sendmessage': - sendMessage(); - break; - default: - $DataJson = array( - 'status' => 'failed', - 'error' => 'Unknown Command "' . $cmd . '"' - ); - } - - // check - if ($DataJson === false) { - $DataJson = array( - 'status' => 'failed', - 'error' => 'DataJson === false' - ); - } elseif ($DataJson == null) { - $DataJson = array( - 'status' => 'failed', - 'error' => 'DataJson == null' - ); - } - - echo json_encode($DataJson); - die(); -} - -/** - * Get Version of API - */ -function getVersion() { - global $DataJson; - - $DataJson = array( - 'status' => 'success', - 'Version' => 1 - ); -} - -/** - * Get API Key - */ -function getApiKey() { - global $DataJson; - - if (! isset($_REQUEST['user'])) { - $DataJson = array( - 'status' => 'failed', - 'error' => 'Missing parameter "user".' - ); - } elseif (! isset($_REQUEST['pw'])) { - $DataJson = array( - 'status' => 'failed', - 'error' => 'Missing parameter "pw".' - ); - } else { - $Erg = sql_select("SELECT `UID`, `Passwort`, `api_key` FROM `User` WHERE `Nick`='" . sql_escape($_REQUEST['user']) . "'"); - - if (count($Erg) == 1) { - $Erg = $Erg[0]; - if (verify_password($_REQUEST['pw'], $Erg["Passwort"], $Erg["UID"])) { - $key = $Erg["api_key"]; - $DataJson = array( - 'status' => 'success', - 'Key' => $key - ); - } else { - $DataJson = array( - 'status' => 'failed', - 'error' => 'PW wrong' - ); - } - } else { - $DataJson = array( - 'status' => 'failed', - 'error' => 'User not found.' - ); - } - } - - sleep(1); -} - -/** - * Get Room - */ -function getRoom() { - global $DataJson; - - if (isset($_REQUEST['id'])) { - $DataJson = Room($_REQUEST['id']); - } else { - $DataJson = Room_ids(); - } -} - -/** - * Get AngelType - */ -function getAngelType() { - global $DataJson; - - if (isset($_REQUEST['id'])) { - $DataJson = AngelType($_REQUEST['id']); - } else { - $DataJson = AngelType_ids(); - } -} - -/** - * Get User - */ -function getUser() { - global $DataJson; - - if (isset($_REQUEST['id'])) { - $DataJson = mUser_Limit($_REQUEST['id']); - } else { - $DataJson = User_ids(); - } -} - -/** - * Get Shift - */ -function getShift() { - global $DataJson; - - if (isset($_REQUEST['id'])) { - $DataJson = Shift($_REQUEST['id']); - } else { - $DataJson = Shifts_filtered(); - } -} - -/** - * @TODO: Why are ALL messages of ALL users returned? Data leak. It is not checked if this is my message! - * Get Message - */ -function getMessage() { - global $DataJson; - - if (isset($_REQUEST['id'])) { - $DataJson = Message($_REQUEST['id']); - } else { - $DataJson = Message_ids(); - } -} - -/** - * Send Message - */ -function sendMessage() { - global $DataJson; - - if (! isset($_REQUEST['uid'])) { - $DataJson = array( - 'status' => 'failed', - 'error' => 'Missing parameter "uid".' - ); - } elseif (! isset($_REQUEST['text'])) { - $DataJson = array( - 'status' => 'failed', - 'error' => 'Missing parameter "text".' - ); - } else { - if (Message_send($_REQUEST['uid'], $_REQUEST['text']) === true) { - $DataJson = array( - 'status' => 'success' - ); - } else { - $DataJson = array( - 'status' => 'failed', - 'error' => 'Transmitting was terminated with an Error.' - ); - } - } -} - -?> diff --git a/includes/engelsystem_provider.php b/includes/engelsystem_provider.php index 56d12de6..cbc1cb1d 100644 --- a/includes/engelsystem_provider.php +++ b/includes/engelsystem_provider.php @@ -71,9 +71,6 @@ require_once realpath(__DIR__ . '/../includes/pages/user_shifts.php'); require_once realpath(__DIR__ . '/../vendor/parsedown/Parsedown.php'); -session_lifetime(24 * 60, preg_replace("/[^a-z0-9-]/", '', md5(__DIR__))); -session_start(); - gettext_init(); sql_connect($config['host'], $config['user'], $config['pw'], $config['db']); diff --git a/includes/helper/session_helper.php b/includes/helper/session_helper.php index 4063ff69..7a3b551e 100644 --- a/includes/helper/session_helper.php +++ b/includes/helper/session_helper.php @@ -22,7 +22,7 @@ function session_lifetime($lifetime, $application_name) { ini_set('session.gc_divisor', 100); // Cookie settings (lifetime) - ini_set('session.cookie_secure', ! (preg_match("/^localhost/", $_SERVER["HTTP_HOST"]) || isset($_GET['debug']))); + ini_set('session.cookie_secure', ! (isset($_SERVER['HTTP_HOST']) && preg_match("/^localhost/", $_SERVER["HTTP_HOST"]) || isset($_GET['debug']))); ini_set('session.use_only_cookies', true); ini_set('session.cookie_lifetime', $lifetime * 60); } diff --git a/includes/model/Room_model.php b/includes/model/Room_model.php index 523436c6..2868916e 100644 --- a/includes/model/Room_model.php +++ b/includes/model/Room_model.php @@ -1,15 +1,33 @@ <?php /** - * Returns room id array + * Delete a room + * @param int $room_id */ -function Room_ids() { - $room_source = sql_select("SELECT `RID` FROM `Room` WHERE `show` = 'Y'"); - if ($room_source === false) +function Room_delete($room_id) { + return sql_query("DELETE FROM `Room` WHERE `RID`=" . sql_escape($room_id)); +} + +/** + * Create a new room + * + * @param string $name + * Name of the room + * @param boolean $from_frab + * Is this a frab imported room? + * @param boolean $public + * Is the room visible for angels? + */ +function Room_create($name, $from_frab, $public) { + $result = sql_query(" + INSERT INTO `Room` SET + `Name`='" . sql_escape($name) . "', + `FromPentabarf`='" . sql_escape($from_frab ? 'Y' : 'N') . "', + `show`='" . sql_escape($public ? 'Y' : 'N') . "', + `Number`=0"); + if ($result === false) return false; - if (count($room_source) > 0) - return $room_source; - return null; + return sql_id(); } /** @@ -18,7 +36,7 @@ function Room_ids() { * @param $id RID */ function Room($id) { - $room_source = sql_select("SELECT * FROM `Room` WHERE `RID`='" . sql_escape($id) . "' AND `show` = 'Y' LIMIT 1"); + $room_source = sql_select("SELECT * FROM `Room` WHERE `RID`='" . sql_escape($id) . "' AND `show` = 'Y'"); if ($room_source === false) return false; diff --git a/includes/pages/admin_import.php b/includes/pages/admin_import.php index 786ea08b..0ed2bea9 100644 --- a/includes/pages/admin_import.php +++ b/includes/pages/admin_import.php @@ -162,7 +162,9 @@ function admin_import() { list($rooms_new, $rooms_deleted) = prepare_rooms($import_file); foreach ($rooms_new as $room) { - sql_query("INSERT INTO `Room` SET `Name`='" . sql_escape($room) . "', `FromPentabarf`='Y', `Show`='Y'"); + $result = Room_create($name, true, true); + if ($result === false) + engelsystem_error('Unable to create room.'); $rooms_import[trim($room)] = sql_id(); } foreach ($rooms_deleted as $room) diff --git a/includes/pages/admin_rooms.php b/includes/pages/admin_rooms.php index 777ff6be..7f2e3db0 100644 --- a/includes/pages/admin_rooms.php +++ b/includes/pages/admin_rooms.php @@ -1,11 +1,12 @@ <?php + function admin_rooms_title() { return _("Rooms"); } function admin_rooms() { global $user; - + $rooms_source = sql_select("SELECT * FROM `Room` ORDER BY `Name`"); $rooms = array(); foreach ($rooms_source as $room) @@ -15,17 +16,17 @@ function admin_rooms() { 'public' => $room['show'] == 'Y' ? '✓' : '', 'actions' => buttons(array( button(page_link_to('admin_rooms') . '&show=edit&id=' . $room['RID'], _("edit"), 'btn-xs'), - button(page_link_to('admin_rooms') . '&show=delete&id=' . $room['RID'], _("delete"), 'btn-xs') - )) + button(page_link_to('admin_rooms') . '&show=delete&id=' . $room['RID'], _("delete"), 'btn-xs') + )) ); - + if (isset($_REQUEST['show'])) { $msg = ""; $name = ""; $from_pentabarf = ""; $public = 'Y'; $number = ""; - + $angeltypes_source = sql_select("SELECT * FROM `AngelTypes` ORDER BY `name`"); $angeltypes = array(); $angeltypes_count = array(); @@ -33,7 +34,7 @@ function admin_rooms() { $angeltypes[$angeltype['id']] = $angeltype['name']; $angeltypes_count[$angeltype['id']] = 0; } - + if (test_request_int('id')) { $room = sql_select("SELECT * FROM `Room` WHERE `RID`='" . sql_escape($_REQUEST['id']) . "'"); if (count($room) > 0) { @@ -47,33 +48,33 @@ function admin_rooms() { } else redirect(page_link_to('admin_rooms')); } - + if ($_REQUEST['show'] == 'edit') { if (isset($_REQUEST['submit'])) { $ok = true; - + if (isset($_REQUEST['name']) && strlen(strip_request_item('name')) > 0) $name = strip_request_item('name'); else { $ok = false; $msg .= error(_("Please enter a name."), true); } - + if (isset($_REQUEST['from_pentabarf'])) $from_pentabarf = 'Y'; else $from_pentabarf = ''; - + if (isset($_REQUEST['public'])) $public = 'Y'; else $public = ''; - + if (isset($_REQUEST['number'])) $number = strip_request_item('number'); else $ok = false; - + foreach ($angeltypes as $angeltype_id => $angeltype) { if (isset($_REQUEST['angeltype_count_' . $angeltype_id]) && preg_match("/^[0-9]{1,4}$/", $_REQUEST['angeltype_count_' . $angeltype_id])) $angeltypes_count[$angeltype_id] = $_REQUEST['angeltype_count_' . $angeltype_id]; @@ -82,17 +83,18 @@ function admin_rooms() { $msg .= error(sprintf(_("Please enter needed angels for type %s.", $angeltype)), true); } } - + if ($ok) { if (isset($id)) { sql_query("UPDATE `Room` SET `Name`='" . sql_escape($name) . "', `FromPentabarf`='" . sql_escape($from_pentabarf) . "', `show`='" . sql_escape($public) . "', `Number`='" . sql_escape($number) . "' WHERE `RID`='" . sql_escape($id) . "' LIMIT 1"); engelsystem_log("Room updated: " . $name . ", pentabarf import: " . $from_pentabarf . ", public: " . $public . ", number: " . $number); } else { - sql_query("INSERT INTO `Room` SET `Name`='" . sql_escape($name) . "', `FromPentabarf`='" . sql_escape($from_pentabarf) . "', `show`='" . sql_escape($public) . "', `Number`='" . sql_escape($number) . "'"); - $id = sql_id(); + $id = Room_create($name, $from_pentabarf, $public, $number); + if ($id === false) + engelsystem_error("Unable to create room."); engelsystem_log("Room created: " . $name . ", pentabarf import: " . $from_pentabarf . ", public: " . $public . ", number: " . $number); } - + sql_query("DELETE FROM `NeededAngelTypes` WHERE `room_id`='" . sql_escape($id) . "'"); $needed_angeltype_info = array(); foreach ($angeltypes_count as $angeltype_id => $angeltype_count) { @@ -102,7 +104,7 @@ function admin_rooms() { $needed_angeltype_info[] = $angeltypes_source[0]['name'] . ": " . $angeltype_count; } } - + engelsystem_log("Set needed angeltypes of room " . $name . " to: " . join(", ", $needed_angeltype_info)); success(_("Room saved.")); redirect(page_link_to("admin_rooms")); @@ -110,66 +112,68 @@ function admin_rooms() { } $angeltypes_count_form = array(); foreach ($angeltypes as $angeltype_id => $angeltype) - $angeltypes_count_form[] = div('col-lg-4 col-md-6 col-xs-6', array(form_spinner('angeltype_count_' . $angeltype_id, $angeltype, $angeltypes_count[$angeltype_id]))); - + $angeltypes_count_form[] = div('col-lg-4 col-md-6 col-xs-6', array( + form_spinner('angeltype_count_' . $angeltype_id, $angeltype, $angeltypes_count[$angeltype_id]) + )); + return page_with_title(admin_rooms_title(), array( buttons(array( - button(page_link_to('admin_rooms'), _("back"), 'back') + button(page_link_to('admin_rooms'), _("back"), 'back') )), $msg, form(array( - div('row', array( - div('col-md-6', array( - form_text('name', _("Name"), $name), - form_checkbox('from_pentabarf', _("Frab import"), $from_pentabarf), - form_checkbox('public', _("Public"), $public), - form_text('number', _("Room number"), $number) - )), - div('col-md-6', array( - div('row', array( - div('col-md-12', array( - form_info(_("Needed angels:")), + div('row', array( + div('col-md-6', array( + form_text('name', _("Name"), $name), + form_checkbox('from_pentabarf', _("Frab import"), $from_pentabarf), + form_checkbox('public', _("Public"), $public), + form_text('number', _("Room number"), $number) )), - join($angeltypes_count_form) - )) - )) - )), - form_submit('submit', _("Save")) - )) + div('col-md-6', array( + div('row', array( + div('col-md-12', array( + form_info(_("Needed angels:")) + )), + join($angeltypes_count_form) + )) + )) + )), + form_submit('submit', _("Save")) + )) )); } elseif ($_REQUEST['show'] == 'delete') { if (isset($_REQUEST['ack'])) { sql_query("DELETE FROM `Room` WHERE `RID`='" . sql_escape($id) . "' LIMIT 1"); sql_query("DELETE FROM `NeededAngelTypes` WHERE `room_id`='" . sql_escape($id) . "' LIMIT 1"); - + engelsystem_log("Room deleted: " . $name); success(sprintf(_("Room %s deleted."), $name)); redirect(page_link_to('admin_rooms')); } - + return page_with_title(admin_rooms_title(), array( buttons(array( - button(page_link_to('admin_rooms'), _("back"), 'back') + button(page_link_to('admin_rooms'), _("back"), 'back') )), sprintf(_("Do you want to delete room %s?"), $name), buttons(array( - button(page_link_to('admin_rooms') . '&show=delete&id=' . $id . '&ack', _("Delete"), 'delete') - )) + button(page_link_to('admin_rooms') . '&show=delete&id=' . $id . '&ack', _("Delete"), 'delete') + )) )); } } - + return page_with_title(admin_rooms_title(), array( buttons(array( - button(page_link_to('admin_rooms') . '&show=edit', _("add")) + button(page_link_to('admin_rooms') . '&show=edit', _("add")) )), msg(), table(array( 'name' => _("Name"), 'from_pentabarf' => _("Frab import"), 'public' => _("Public"), - 'actions' => "" - ), $rooms) + 'actions' => "" + ), $rooms) )); } ?> |