Changeset 1709

Timestamp:
08/29/08 22:09:40 (3 months ago)
Author:
vollmerk
Message:

adjust the logic on the api so that username does not have to be passed after the initial handshake

Files:
1 modified

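--- a/trunk/server/xml.server.php
+++ b/trunk/server/xml.server.php
@@ -49,23 +49,25 @@
  * login via this interface so we do have an exception for action=login
  */
-if (!Access::check_network('init-api',$_SERVER['REMOTE_ADDR'],$_REQUEST['user'],'5')) {
-        debug_event('Access Denied','Unathorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3');
-        ob_end_clean();
+if ((!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake')) {
+        debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3');
+        ob_end_clean();
+        echo xmlData::error('401','Session Expired');
+        exit();
+}
+
+// If the session exists then let's try to pull some data from it to see if we're still allowed to do this
+$session = vauth::get_session_data($_REQUEST['auth']);
+$username = ($_REQUEST['action'] == 'handshake') ? $_REQUEST['user'] : $session['username'];
+
+if (!Access::check_network('init-api',$_SERVER['REMOTE_ADDR'],$username,'5')) {
+        debug_event('Access Denied','Unathorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3');
+        ob_end_clean();
         echo xmlData::error('403','ACL Error');
-        exit();
+        exit();
 }
 
-if ((!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake')) {
-        debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3');
-        ob_end_clean();
-        echo xmlData::error('401','Session Expired');
-        exit();
-}
-
-// If we make it past the check and we're not a hand-shaking then we should extend the session
-if ($_REQUEST['action'] != 'handshake') {
-        vauth::session_extend($_REQUEST['auth']);
-        $session = vauth::get_session_data($_REQUEST['auth']);
-        $GLOBALS['user'] = User::get_from_username($session['username']);
+if (!$_REQUEST['action'] != 'handshake') {
+        vauth::session_extend($_REQUEST['auth']);
+        $GLOBALS['user'] = User::get_from_username($session['username']);
 }
 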
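Review bot: The guard on new line 69, `if (!$_REQUEST['action'] != 'handshake') {`, carries a stray `!`: the negation is applied before the comparison, so a boolean is loosely compared with 'handshake' and the branch is taken for every non-empty action, handshake included. A handshake request would then reach `vauth::session_extend($_REQUEST['auth'])` and `User::get_from_username($session['username'])` using session data fetched on new line 59 before any session has been established, so `$session` is presumably empty on that path. The removed line had the intended form, `if ($_REQUEST['action'] != 'handshake') {`; restoring it keeps session extension and the `$GLOBALS['user']` assignment limited to requests that passed the session check. The script continues outside this hunk, so what the handshake handler does with `$GLOBALS['user']` is not visible here.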