actions/api.php

   1 <?php
   2 /*
   3  * Laconica - a distributed open-source microblogging tool
   4  * Copyright (C) 2008, Controlez-Vous, Inc.
   5  *
   6  * This program is free software: you can redistribute it and/or modify
   7  * it under the terms of the GNU Affero General Public License as published by
   8  * the Free Software Foundation, either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU Affero General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Affero General Public License
  17  * along with this program.      If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20 if (!defined('LACONICA')) { exit(1); }
  21
  22 class ApiAction extends Action {
  23
  24         var $user;
  25         var $content_type;
  26         var $api_arg;
  27         var $api_method;
  28         var $api_action;
  29
  30         function handle($args) {
  31                 parent::handle($args);
  32
  33                 $this->api_action = $this->arg('apiaction');
  34                 $method = $this->arg('method');
  35                 $argument = $this->arg('argument');
  36
  37                 if (isset($argument)) {
  38                         $cmdext = explode('.', $argument);
  39                         $this->api_arg =  $cmdext[0];
  40                         $this->api_method = $method;
  41                         $this->content_type = strtolower($cmdext[1]);
  42                 } else {
  43
  44                         # Requested format / content-type will be an extension on the method
  45                         $cmdext = explode('.', $method);
  46                         $this->api_method = $cmdext[0];
  47                         $this->content_type = strtolower($cmdext[1]);
  48                 }
  49
  50                 if($this->requires_auth()) {
  51                         if (!isset($_SERVER['PHP_AUTH_USER'])) {
  52
  53                                 # This header makes basic auth go
  54                                 header('WWW-Authenticate: Basic realm="Laconica API"');
  55
  56                                 # If the user hits cancel -- bam!
  57                                 $this->show_basic_auth_error();
  58                         } else {
  59                                 $nickname = $_SERVER['PHP_AUTH_USER'];
  60                                 $password = $_SERVER['PHP_AUTH_PW'];
  61                                 $user = common_check_user($nickname, $password);
  62
  63                                 if ($user) {
  64                                         $this->user = $user;
  65                                         $this->process_command();
  66                                 } else {
  67                                         # basic authentication failed
  68                                         $this->show_basic_auth_error();
  69                                 }
  70                         }
  71                 } else {
  72
  73                         # Caller might give us a username even if not required
  74                         if (isset($_SERVER['PHP_AUTH_USER'])) {
  75                                 $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
  76                                 if ($user) {
  77                                         $this->user = $user;
  78                                 }
  79                                 # Twitter doesn't throw an error if the user isn't found
  80                         }
  81
  82                         $this->process_command();
  83                 }
  84         }
  85
  86         function process_command() {
  87                 $action = "twitapi$this->api_action";
  88                 $actionfile = INSTALLDIR."/actions/$action.php";
  89
  90                 if (file_exists($actionfile)) {
  91                         require_once($actionfile);
  92                         $action_class = ucfirst($action)."Action";
  93                         $action_obj = new $action_class();
  94
  95             if (!$action_obj->prepare($this->args)) {
  96                 return;
  97             }
  98
  99                         if (method_exists($action_obj, $this->api_method)) {
 100                                 $apidata = array(       'content-type' => $this->content_type,
 101                                                                         'api_method' => $this->api_method,
 102                                                                         'api_arg' => $this->api_arg,
 103                                                                         'user' => $this->user);
 104
 105                                 call_user_func(array($action_obj, $this->api_method), $_REQUEST, $apidata);
 106                         } else {
 107                                 common_user_error("API method not found!", $code=404);
 108                         }
 109                 } else {
 110                         common_user_error("API method not found!", $code=404);
 111                 }
 112         }
 113
 114         # Whitelist of API methods that don't need authentication
 115         function requires_auth() {
 116                 static $noauth = array( 'statuses/public_timeline',
 117                                                                 'statuses/show',
 118                                                                 'users/show',
 119                                                                 'help/test',
 120                                                                 'help/downtime_schedule');
 121
 122                 static $bareauth = array('statuses/user_timeline',
 123                                                                  'statuses/friends',
 124                                                                  'statuses/followers',
 125                                                                  'favorites/favorites');
 126
 127         # If the site is "private", all API methods need authentication
 128
 129         if (common_config('site', 'private')) {
 130             return true;
 131         }
 132
 133                 $fullname = "$this->api_action/$this->api_method";
 134
 135                 if (in_array($fullname, $bareauth)) {
 136                         # bareauth: only needs auth if without an argument
 137                         if ($this->api_arg) {
 138                                 return false;
 139                         } else {
 140                                 return true;
 141                         }
 142                 } else if (in_array($fullname, $noauth)) {
 143                         # noauth: never needs auth
 144                         return false;
 145                 } else {
 146                         # everybody else needs auth
 147                         return true;
 148                 }
 149         }
 150
 151         function show_basic_auth_error() {
 152                 header('HTTP/1.1 401 Unauthorized');
 153                 $msg = 'Could not authenticate you.';
 154
 155                 if ($this->content_type == 'xml') {
 156                         header('Content-Type: application/xml; charset=utf-8');
 157                         common_start_xml();
 158                         common_element_start('hash');
 159                         common_element('error', NULL, $msg);
 160                         common_element('request', NULL, $_SERVER['REQUEST_URI']);
 161                         common_element_end('hash');
 162                         common_end_xml();
 163                 } else if ($this->content_type == 'json')  {
 164                         header('Content-Type: application/json; charset=utf-8');
 165                         $error_array = array('error' => $msg, 'request' => $_SERVER['REQUEST_URI']);
 166                         print(json_encode($error_array));
 167                 } else {
 168                         header('Content-type: text/plain');
 169                         print "$msg\n";
 170                 }
 171         }
 172
 173         function is_readonly() {
 174                 # NOTE: before handle(), can't use $this->arg
 175                 $apiaction = $_REQUEST['apiaction'];
 176                 $method = $_REQUEST['method'];
 177                 list($cmdtext, $fmt) = explode('.', $method);
 178
 179                 static $write_methods = array(
 180                         'account' => array('update_location', 'update_delivery_device', 'end_session'),
 181                         'blocks' => array('create', 'destroy'),
 182                         'direct_messages' => array('create', 'destroy'),
 183                         'favorites' => array('create', 'destroy'),
 184                         'friendships' => array('create', 'destroy'),
 185                         'help' => array(),
 186                         'notifications' => array('follow', 'leave'),
 187                         'statuses' => array('update', 'destroy'),
 188                         'users' => array()
 189                 );
 190
 191                 if (array_key_exists($apiaction, $write_methods)) {
 192                         if (!in_array($cmdtext, $write_methods[$apiaction])) {
 193                                 return true;
 194                         }
 195                 }
 196
 197                 return false;
 198         }
 199
 200 }