author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2008-08-30 05:09:40 +0000 |
---|---|---|
committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2008-08-30 05:09:40 +0000 |
commit | 96d7639ca1e320019e870c109e42f0618c16cf6b (patch) | |
tree | 586e3c8575d2b1c553957d97fc3d13c10dec995a /server/xml.server.php | |
parent | 2a247178325017c88ab9073e96ea92e6b122ed53 (diff) | |
download | ampache-96d7639ca1e320019e870c109e42f0618c16cf6b.tar.gz ampache-96d7639ca1e320019e870c109e42f0618c16cf6b.tar.bz2 ampache-96d7639ca1e320019e870c109e42f0618c16cf6b.zip |
adjust the logic on the api so that username does not have to be passed after the initial handshake
Diffstat (limited to 'server/xml.server.php')
-rw-r--r-- | server/xml.server.php | 32 |
1 files changed, 17 insertions, 15 deletions
diff --git a/server/xml.server.php b/server/xml.server.php
index 2f4df872..f8b3f563 100644
--- a/server/xml.server.php
+++ b/server/xml.server.php
@@ -48,25 +48,27 @@ if (!Config::get('access_control')) {
 * Verify the existance of the Session they passed in we do allow them to
 * login via this interface so we do have an exception for action=login
 */
-if (!Access::check_network('init-api',$_SERVER['REMOTE_ADDR'],$_REQUEST['user'],'5')) {
- debug_event('Access Denied','Unathorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3');
- ob_end_clean();
- echo xmlData::error('403','ACL Error');
- exit();
+if ((!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake')) {
+ debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3');
+ ob_end_clean();
+ echo xmlData::error('401','Session Expired');
+ exit();
 }
-if ((!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake')) {
- debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3');
- ob_end_clean();
- echo xmlData::error('401','Session Expired');
- exit();
+// If the session exists then let's try to pull some data from it to see if we're still allowed to do this
+$session = vauth::get_session_data($_REQUEST['auth']);
+$username = ($_REQUEST['action'] == 'handshake') ? $_REQUEST['user'] : $session['username'];
+
+if (!Access::check_network('init-api',$_SERVER['REMOTE_ADDR'],$username,'5')) {
+ debug_event('Access Denied','Unathorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3');
+ ob_end_clean();
+ echo xmlData::error('403','ACL Error');
+ exit();
 }
-// If we make it past the check and we're not a hand-shaking then we should extend the session
-if ($_REQUEST['action'] != 'handshake') {
- vauth::session_extend($_REQUEST['auth']);
- $session = vauth::get_session_data($_REQUEST['auth']);
- $GLOBALS['user'] = User::get_from_username($session['username']);
+if (!$_REQUEST['action'] != 'handshake') {
+ vauth::session_extend($_REQUEST['auth']);
+ $GLOBALS['user'] = User::get_from_username($session['username']);
 }
 switch ($_REQUEST['action']) {
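Review bot: The rewritten guard `if (!$_REQUEST['action'] != 'handshake')` near the end of the hunk is mis-parenthesised: `!` binds tighter than `!=`, so it negates the action string to a boolean and compares that with 'handshake', which is true for every non-empty action, including handshake itself. As a result `vauth::session_extend($_REQUEST['auth'])` and the User lookup from `$session['username']` now run on the handshake request, where the 401 check above deliberately let the request through without a verified session and `$_REQUEST['auth']` may not be present at all; the removed code only did this off the handshake path. Restore the intended condition: `if ($_REQUEST['action'] != 'handshake') {`. Relatedly, `$session = vauth::get_session_data($_REQUEST['auth']);` is now called unconditionally before the ACL check, so a handshake without an `auth` parameter passes an undefined index; wrapping it in `isset($_REQUEST['auth']) ? ... : null`, or the same action test, would avoid that.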