We are no longer offering accounts on this server. Consider https://gitlab.freedesktop.org/ as a place to host projects.

api.php 6.8 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12
<?php
/*
 * Laconica - a distributed open-source microblogging tool
 * Copyright (C) 2008, Controlez-Vous, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.     See the
14 15 16
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
17
 * along with this program.     If not, see <http://www.gnu.org/licenses/>.
18 19 20 21
 */

if (!defined('LACONICA')) { exit(1); }

22 23
class ApiAction extends Action
{
24

25 26 27 28 29 30
    var $user;
    var $content_type;
    var $api_arg;
    var $api_method;
    var $api_action;

31 32
    function handle($args)
    {
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83
        parent::handle($args);

        $this->api_action = $this->arg('apiaction');
        $method = $this->arg('method');
        $argument = $this->arg('argument');

        if (isset($argument)) {
            $cmdext = explode('.', $argument);
            $this->api_arg =  $cmdext[0];
            $this->api_method = $method;
            $this->content_type = strtolower($cmdext[1]);
        } else {

            # Requested format / content-type will be an extension on the method
            $cmdext = explode('.', $method);
            $this->api_method = $cmdext[0];
            $this->content_type = strtolower($cmdext[1]);
        }

        if ($this->requires_auth()) {
            if (!isset($_SERVER['PHP_AUTH_USER'])) {

                # This header makes basic auth go
                header('WWW-Authenticate: Basic realm="Laconica API"');

                # If the user hits cancel -- bam!
                $this->show_basic_auth_error();
            } else {
                $nickname = $_SERVER['PHP_AUTH_USER'];
                $password = $_SERVER['PHP_AUTH_PW'];
                $user = common_check_user($nickname, $password);

                if ($user) {
                    $this->user = $user;
                    $this->process_command();
                } else {
                    # basic authentication failed
                    $this->show_basic_auth_error();
                }
            }
        } else {

            # Look for the user in the session
            if (common_logged_in()) {
                 $this->user = common_current_user();
            }

            $this->process_command();
        }
    }

84 85
    function process_command()
    {
86 87 88 89 90 91 92
        $action = "twitapi$this->api_action";
        $actionfile = INSTALLDIR."/actions/$action.php";

        if (file_exists($actionfile)) {
            require_once($actionfile);
            $action_class = ucfirst($action)."Action";
            $action_obj = new $action_class();
93

94 95 96 97
            if (!$action_obj->prepare($this->args)) {
                return;
            }

98 99 100 101 102 103 104 105
            if (method_exists($action_obj, $this->api_method)) {
                $apidata = array(    'content-type' => $this->content_type,
                                    'api_method' => $this->api_method,
                                    'api_arg' => $this->api_arg,
                                    'user' => $this->user);

                call_user_func(array($action_obj, $this->api_method), $_REQUEST, $apidata);
            } else {
106
                $this->clientError("API method not found!", $code=404);
107 108
            }
        } else {
109
            $this->clientError("API method not found!", $code=404);
110 111 112 113
        }
    }

    # Whitelist of API methods that don't need authentication
114 115
    function requires_auth()
    {
116 117 118 119
        static $noauth = array( 'statuses/public_timeline',
                                'statuses/show',
                                'users/show',
                                'help/test',
120 121 122 123
                                'help/downtime_schedule',
                                'laconica/version',
                                'laconica/config',
                                'laconica/wadl');
124 125 126 127 128

        static $bareauth = array('statuses/user_timeline',
                                 'statuses/friends',
                                 'statuses/followers',
                                 'favorites/favorites');
129

Evan Prodromou's avatar
Evan Prodromou committed
130 131 132 133 134 135
        # If the site is "private", all API methods need authentication

        if (common_config('site', 'private')) {
            return true;
        }

136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153
        $fullname = "$this->api_action/$this->api_method";

        if (in_array($fullname, $bareauth)) {
            # bareauth: only needs auth if without an argument
            if ($this->api_arg) {
                return false;
            } else {
                return true;
            }
        } else if (in_array($fullname, $noauth)) {
            # noauth: never needs auth
            return false;
        } else {
            # everybody else needs auth
            return true;
        }
    }

154 155
    function show_basic_auth_error()
    {
156 157 158 159 160 161
        header('HTTP/1.1 401 Unauthorized');
        $msg = 'Could not authenticate you.';

        if ($this->content_type == 'xml') {
            header('Content-Type: application/xml; charset=utf-8');
            common_start_xml();
162 163 164 165
            $this->elementStart('hash');
            $this->element('error', null, $msg);
            $this->element('request', null, $_SERVER['REQUEST_URI']);
            $this->elementEnd('hash');
166 167 168 169 170 171 172 173 174 175 176
            common_end_xml();
        } else if ($this->content_type == 'json')  {
            header('Content-Type: application/json; charset=utf-8');
            $error_array = array('error' => $msg, 'request' => $_SERVER['REQUEST_URI']);
            print(json_encode($error_array));
        } else {
            header('Content-type: text/plain');
            print "$msg\n";
        }
    }

177 178
    function is_readonly()
    {
179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203
        # NOTE: before handle(), can't use $this->arg
        $apiaction = $_REQUEST['apiaction'];
        $method = $_REQUEST['method'];
        list($cmdtext, $fmt) = explode('.', $method);

        static $write_methods = array(
            'account' => array('update_location', 'update_delivery_device', 'end_session'),
            'blocks' => array('create', 'destroy'),
            'direct_messages' => array('create', 'destroy'),
            'favorites' => array('create', 'destroy'),
            'friendships' => array('create', 'destroy'),
            'help' => array(),
            'notifications' => array('follow', 'leave'),
            'statuses' => array('update', 'destroy'),
            'users' => array()
        );

        if (array_key_exists($apiaction, $write_methods)) {
            if (!in_array($cmdtext, $write_methods[$apiaction])) {
                return true;
            }
        }

        return false;
    }
204

205
}