From 58a3ab692ec3a61c270e5a7b0953b6bb4b48b39c Mon Sep 17 00:00:00 2001 From: Paul Arthur Date: Mon, 28 Jan 2013 16:57:34 -0500 Subject: Move sessiony things from vauth into Session --- image.php | 6 +- lib/class/api.class.php | 6 +- lib/class/session.class.php | 423 ++++++++++++++++++++++++++++++++++++++++++++ lib/class/vauth.class.php | 393 +--------------------------------------- lib/init.php | 34 ++-- login.php | 6 +- server/xml.server.php | 12 +- 7 files changed, 461 insertions(+), 419 deletions(-) create mode 100644 lib/class/session.class.php diff --git a/image.php b/image.php index 243fd269..a08fb8a1 100644 --- a/image.php +++ b/image.php @@ -33,8 +33,8 @@ define('NO_SESSION','1'); require_once 'lib/init.php'; // Check to see if they've got an interface session or a valid API session, if not GTFO -if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')]) AND !vauth::session_exists('api',$_REQUEST['auth']) AND !vauth::session_exists('xml-rpc',$_REQUEST['auth'])) { - debug_event('DENIED','Image Access, Checked Cookie Session:' . $_COOKIE[Config::get('session_name')] . ' and Auth:' . $_REQUEST['auth'],'1'); +if (!Session::exists('interface', $_COOKIE[Config::get('session_name')]) AND !Session::exists('api', $_REQUEST['auth']) AND !Session::exists('xml-rpc', $_REQUEST['auth'])) { + debug_event('image','Access denied, checked cookie session:' . $_COOKIE[Config::get('session_name')] . ' and auth:' . $_REQUEST['auth'], 1); exit; } @@ -77,7 +77,7 @@ switch ($_GET['type']) { break; // If we need to pull the data out of the session case 'session': - vauth::check_session(); + Session::check(); $filename = scrub_in($_REQUEST['image_index']); $image = Art::get_from_source($_SESSION['form']['images'][$filename], 'album'); $mime = $_SESSION['form']['images'][$filename]['mime']; diff --git a/lib/class/api.class.php b/lib/class/api.class.php index f289e98b..840e4c07 100644 --- a/lib/class/api.class.php +++ b/lib/class/api.class.php 
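Review bot: The rewritten `debug_event` call in the first image.php hunk writes the raw cookie session id and the raw `auth` value into the debug log at level 1, so rejected (including merely expired) credentials are persisted in a log file; logging only a truncated or hashed form of both values keeps the trace useful without storing the secret. The same line concatenates `$_COOKIE[Config::get('session_name')]` and `$_REQUEST['auth']` without an `isset()` guard, which raises a notice on every request that carries neither. The second hunk is a plain rename.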
@@ -171,7 +171,7 @@ class Api { $data['username'] = $client->username; $data['type'] = 'api'; $data['value'] = $timestamp; - $token = vauth::session_create($data); + $token = Session::create($data); // Insert the token into the streamer Stream::insert_session($token,$client->id); @@ -236,8 +236,8 @@ class Api { $xmldata = array('server'=>Config::get('version'),'version'=>Api::$version,'compatible'=>'350001'); // Check and see if we should extend the api sessions (done if valid sess is passed) - if (vauth::session_exists('api', $input['auth'])) { - vauth::session_extend($input['auth']); + if (Session::exists('api', $input['auth'])) { + Session::extend($input['auth']); $xmldata = array_merge(array('session_expire'=>date("c",time()+Config::get('session_length')-60)),$xmldata); } diff --git a/lib/class/session.class.php b/lib/class/session.class.php new file mode 100644 index 00000000..5d555866 --- /dev/null +++ b/lib/class/session.class.php 
@@ -0,0 +1,423 @@ + '" . time() . "'"; + $db_results = Dba::read($sql); + + if ($results = Dba::fetch_assoc($db_results)) { + return $results[$column]; + } + + debug_event('session', 'Unable to read session from key ' . $key . ' no data found', 5); + + return ''; + } + + /** + * username + * + * This returns the username associated with a session ID, if any + */ + public static function username($key) { + return self::_read($key, 'user'); + } + + /** + * create + * This is called when you want to create a new session + * it takes care of setting the initial cookie, and inserting the first + * chunk of data, nifty ain't it! + */ + public static function create($data) { + + // Regenerate the session ID to prevent fixation + switch ($data['type']) { + case 'xml-rpc': + case 'api': + $key = md5(uniqid(rand(), true)); + break; + case 'mysql': + default: + session_regenerate_id(); + + // Before refresh we don't have the cookie so we + // have to use session ID + $key = session_id(); + break; + } // end switch on data type + + $username = Dba::escape($data['username']); + $ip = $_SERVER['REMOTE_ADDR'] + ? Dba::escape(inet_pton($_SERVER['REMOTE_ADDR'])) + : '0'; + $type = Dba::escape($data['type']); + $value = Dba::escape($data['value']); + $agent = Dba::escape(substr($_SERVER['HTTP_USER_AGENT'], 0, 254)); + $expire = Dba::escape(time() + Config::get('session_length')); + + if (!strlen($value)) { $value = ' '; } + + /* Insert the row */ + $sql = "INSERT INTO `session` (`id`,`username`,`ip`,`type`,`agent`,`value`,`expire`) " . + " VALUES ('$key','$username','$ip','$type','$agent','$value','$expire')"; + $db_results = Dba::write($sql); + + if (!$db_results) { + debug_event('session', 'Session creation failed', 1); + return false; + } + + debug_event('session', 'Session created:' . $key, 5); + + return $key; + } + + /** + * check + * + * This checks for an existing session. If it's still valid we go ahead + * and start it and return true. 
+ */ + public static function check() { + + $session_name = Config::get('session_name'); + + // No cookie no go! + if (!isset($_COOKIE[$session_name])) { return false; } + + // Check for a remember me + if (isset($_COOKIE[$session_name . '_remember'])) { + self::create_remember_cookie(); + } + + // Set up the cookie params before we start the session. + // This is vital + session_set_cookie_params( + Config::get('cookie_life'), + Config::get('cookie_path'), + Config::get('cookie_domain'), + Config::get('cookie_secure')); + + // Set name + session_name($session_name); + + // Ungimp IE and go + self::ungimp_ie(); + session_start(); + + return true; + } + + /** + * exists + * + * This checks to see if the specified session of the specified type + * exists, it also provides an array of keyed data that may be required + * based on the type. + */ + public static function exists($type, $key, $data=array()) { + // Switch on the type they pass + switch ($type) { + case 'xml-rpc': + case 'api': + $key = Dba::escape($key); + $time = time(); + $sql = "SELECT * FROM `session` WHERE " . + "`id`='$key' AND `expire` > '$time' " . + "AND `type`='$type'"; + $db_results = Dba::read($sql); + + if (Dba::num_rows($db_results)) { + return true; + } + break; + case 'interface': + $key = Dba::escape($key); + $time = time(); + // Build a list of enabled authentication types + $types = Config::get('auth_methods'); + if (!Config::get('use_auth')) { + $types[] = ''; + } + $enabled_types = implode("','", $types); + $sql = "SELECT * FROM `session` WHERE " . + "`id`='$key' AND `expire` > '$time' " . + "AND `type` IN('$enabled_types')"; + $db_results = Dba::read($sql); + + if (Dba::num_rows($db_results)) { + return true; + } + break; + case 'stream': + $key = Dba::escape($key); + $ip = Dba::escape(inet_pton($data['ip'])); + $agent = Dba::escape($data['agent']); + $sql = "SELECT * FROM `session_stream` WHERE " . + "`id`='$key' AND `expire` > '$time' " . 
+ "AND `ip`='$ip' AND `agent`='$agent'"; + $db_results = Dba::read($sql); + + if (Dba::num_rows($db_results)) { + return true; + } + + break; + default: + return false; + break; + } // type + + // Default to false + return false; + + } + + /** + * extend + * + * This takes a SID and extends its expiration. + */ + public static function extend($sid) { + $time = time(); + $sid = Dba::escape($sid); + $expire = isset($_COOKIE[Config::get('session_name') . '_remember']) + ? $time + Config::get('remember_length') + : $time + Config::get('session_length'); + + $sql = "UPDATE `session` SET `expire`='$expire' WHERE `id`='$sid'"; + if ($db_results = Dba::write($sql)) { + debug_event('session', $sid . ' has been extended to ' . date('r', $expire) . ' extension length ' . ($expire - $time), 5); + } + + return $db_results; + } + + /** + * _auto_init + * This function is called when the object is included, this sets up the + * session_save_handler + */ + public static function _auto_init() { + + if (!function_exists('session_start')) { + header("Location:" . Config::get('web_path') . "/test.php"); + exit; + } + + session_set_save_handler( + array('Session', 'open'), + array('Session', 'close'), + array('Session', 'read'), + array('Session', 'write'), + array('Session', 'destroy'), + array('Session', 'gc')); + + } + + /** + * create_cookie + * + * This is separated into its own function because of some flaws in + * specific webservers *cough* IIS *cough* which prevent us from setting + * a cookie at the same time as a header redirect. 
As such on view of a + * login a cookie is set with the proper name + */ + public static function create_cookie() { + // Set up the cookie prefs before we throw down, this is very important + $cookie_life = Config::get('cookie_life'); + $cookie_path = Config::get('cookie_path'); + $cookie_domain = false; + $cookie_secure = Config::get('cookie_secure'); + + session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure); + + session_name(Config::get('session_name')); + + /* Start the session */ + self::ungimp_ie(); + session_start(); + } + + /** + * create_remember_cookie + * + * This function just creates the remember me cookie, nothing special + */ + public static function create_remember_cookie() { + + $remember_length = Config::get('remember_length'); + $session_name = Config::get('session_name'); + + Config::set('cookie_life', $remember_length, true); + setcookie($session_name . '_remember',"Rappelez-vous, rappelez-vous le 27 mars", time() + $remember_length, '/'); + + } + + /** + * ungimp_ie + * This function sets the cache limiting to public if you are running + * some flavor of IE. The detection used here is very conservative so + * feel free to fix it. This only has to be done if we're rolling HTTPS. + */ + public static function ungimp_ie() { + + // If no https, no ungimpage required + if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'on') { + return true; + } + + // Try to detect IE + $agent = trim($_SERVER['HTTP_USER_AGENT']); + + if ((strpos($agent, 'MSIE') !== false) || + (strpos($agent,'Internet Explorer/') !== false)) { + session_cache_limiter('public'); + } + + return true; + + } // ungimp_ie + +} +?> diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php index e6dcab43..3d435d4c 100644 --- a/lib/class/vauth.class.php +++ b/lib/class/vauth.class.php 
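Review bot: In `exists()`, the `'stream'` case interpolates `$time` into `` `expire` > '$time' `` without ever assigning it (only the `'api'` and `'interface'` cases set `$time = time();`), so the stream query compares against an empty string and expired stream sessions are still accepted; move `$time = time();` above the `switch`. In `create()`, the API/XML-RPC token is `md5(uniqid(rand(), true))`, which is not a cryptographic source; build it from `openssl_random_pseudo_bytes()` (or `random_bytes()` on PHP 7+) instead, and pass `true` to `session_regenerate_id()` so the old interface session id is discarded. `username()` asks `self::_read()` for column `'user'`, but the INSERT in `create()` writes the column as `username`, so the lookup appears to return an undefined index — the start of `_read()` and everything above it in this hunk are not visible here, so confirm the column name there. Both `session_set_cookie_params()` calls omit the `httponly` argument and `create_cookie()` hard-codes `$cookie_domain = false` while `check()` uses `Config::get('cookie_domain')`; passing `true` for httponly and the configured domain in both keeps the session cookie out of script reach and consistent between the two paths.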
@@ -38,117 +38,6 @@ class vauth { // Rien a faire } // __construct - /** - * open - * This function is for opening a new session so we just verify that we - * have a database connection, nothing more is needed - */ - public static function open($save_path, $session_name) { - - if (!is_resource(Dba::dbh())) { - debug_event('SESSION', 'Error: no database connection session failed', '1'); - return false; - } - - return true; - - } // open - - /** - * close - * This is run on the end of a session, nothing to do here for now - */ - public static function close() { - - return true; - - } // close - - /** - * read - * This takes a key and then looks in the database and returns the value - */ - public static function read($key) { - - $results = self::get_session_data($key); - - if (!is_array($results)) { - debug_event('SESSION', 'Unable to read session from key ' . $key . ' no data found', 5); - return ''; - } - - return $results['value']; - - } // read - - /** - * write - * This saves the session information into the database - */ - public static function write($key, $value) { - - if (defined('NO_SESSION_UPDATE')) { return true; } - - $length = Config::get('session_length'); - $value = Dba::escape($value); - $key = Dba::escape($key); - // Check to see if remember me cookie is set, if so use remember - // length, otherwise use the session length - $expire - = isset($_COOKIE[Config::get('session_name') . '_remember']) - ? time() + Config::get('remember_length') - : time() + Config::get('session_length'); - - $sql = "UPDATE `session` SET `value`='$value', " . - "`expire`='$expire' WHERE `id`='$key'"; - $db_results = Dba::read($sql); - - debug_event('SESSION', 'Writing to ' . $key . ' with expire ' . $expire . ' ' . 
Dba::error(), '6'); - - return $db_results; - - } // write - - /** - * destroy - * This removes the specified session from the database - */ - public static function destroy($key) { - - $key = Dba::escape($key); - - if (!strlen($key)) { return false; } - - // Remove anything and EVERYTHING - $sql = "DELETE FROM `session` WHERE `id`='$key'"; - $db_results = Dba::write($sql); - - debug_event('SESSION', 'Deleting Session with key:' . $key, '6'); - - // Destroy our cookie! - setcookie(Config::get('session_name'), '', time() - 86400); - - return true; - - } // destroy - - /** - * gc - * This function is randomly called and it cleans up the spoo - */ - public static function gc($maxlifetime) { - - $sql = "DELETE FROM `session` WHERE `expire` < '" . time() . "'"; - $db_results = Dba::write($sql); - - // Also clean up things that use sessions as keys - Query::gc(); - Tmp_Playlist::gc(); - - return true; - - } // gc - /** * logout * This is called when you want to log out and nuke your session @@ -161,7 +50,7 @@ class vauth { $key = $key ? $key : session_id(); // Nuke the cookie before all else - self::destroy($key); + Session::destroy($key); if ((! $relogin) && Config::get('logout_redirect')) { $target = Config::get('logout_redirect'); } 
@@ -195,286 +84,6 @@ class vauth { } // logout - /** - * get_session_data - * This takes a key and returns the raw data from the database, nothing - * to see here move along people - */ - public static function get_session_data($key) { - - $key = Dba::escape($key); - - $sql = "SELECT * FROM `session` WHERE `id`='$key' AND `expire` > '" . time() . "'"; - $db_results = Dba::read($sql); - - if ($results = Dba::fetch_assoc($db_results)) { - return $results; - } - - return false; - - } // get_session_data - - /** - * create_cookie - * This is separated into its own function because of some flaws in - * specific webservers *cough* IIS *cough* which prevent us from setting - * a cookie at the same time as a header redirect. As such on view of a - * login a cookie is set with the proper name - */ - public static function create_cookie() { - - /* Setup the cookie prefs before we throw down, this is very important */ - $cookie_life = Config::get('cookie_life'); - $cookie_path = Config::get('cookie_path'); - $cookie_domain = false; - $cookie_secure = Config::get('cookie_secure'); - - session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure); - - session_name(Config::get('session_name')); - - /* Start the session */ - self::ungimp_ie(); - session_start(); - - } // create_cookie, just watch out for the cookie monster - - /** - * create_remember_cookie - * This function just creates the remember me cookie, nothing special - */ - public static function create_remember_cookie() { - - $remember_length = Config::get('remember_length'); - $session_name = Config::get('session_name'); - - Config::set('cookie_life', $remember_length, true); - setcookie($session_name . 
'_remember',"Rappelez-vous, rappelez-vous le 27 mars", time() + $remember_length, '/'); - - } // create_remember_cookie - - /** - * session_create - * This is called when you want to create a new session - * it takes care of setting the initial cookie, and inserting the first - * chunk of data, nifty ain't it! - */ - public static function session_create($data) { - - // Regenerate the session ID to prevent fixation - switch ($data['type']) { - case 'xml-rpc': - case 'api': - $key = md5(uniqid(rand(), true)); - break; - case 'mysql': - default: - session_regenerate_id(); - - // Before refresh we don't have the cookie so we - // have to use session ID - $key = session_id(); - break; - } // end switch on data type - - $username = Dba::escape($data['username']); - $ip = $_SERVER['REMOTE_ADDR'] - ? Dba::escape(inet_pton($_SERVER['REMOTE_ADDR'])) - : '0'; - $type = Dba::escape($data['type']); - $value = Dba::escape($data['value']); - $agent = Dba::escape(substr($_SERVER['HTTP_USER_AGENT'], 0, 254)); - $expire = Dba::escape(time() + Config::get('session_length')); - - /* We can't have null things here people */ - if (!strlen($value)) { $value = ' '; } - - /* Insert the row */ - $sql = "INSERT INTO `session` (`id`,`username`,`ip`,`type`,`agent`,`value`,`expire`) " . - " VALUES ('$key','$username','$ip','$type','$agent','$value','$expire')"; - $db_results = Dba::write($sql); - - if (!$db_results) { - debug_event('SESSION', "Session Creation Failed with Query: $sql and " . Dba::error(), '1'); - return false; - } - - debug_event('SESSION', 'Session Created:' . $key, '6'); - - return $key; - - } // session_create - - /** - * check_session - * This checks for an existing session. If it's still valid we go ahead - * and start it and return true. - */ - public static function check_session() { - - $session_name = Config::get('session_name'); - - // No cookie no go! 
- if (!isset($_COOKIE[$session_name])) { return false; } - - // Check for a remember me - if (isset($_COOKIE[$session_name . '_remember'])) { - self::create_remember_cookie(); - } - - // Set up the cookie params before we start the session. - // This is vital - session_set_cookie_params( - Config::get('cookie_life'), - Config::get('cookie_path'), - Config::get('cookie_domain'), - Config::get('cookie_secure')); - - // Set name - session_name($session_name); - - // Ungimp IE and go - self::ungimp_ie(); - session_start(); - - return true; - - } // check_session - - /** - * session_exists - * This checks to see if the specified session of the specified type - * exists, it also provides an array of key'd data that may be required - * based on the type - */ - public static function session_exists($type, $key, $data=array()) { - - // Switch on the type they pass - switch ($type) { - case 'xml-rpc': - case 'api': - $key = Dba::escape($key); - $time = time(); - $sql = "SELECT * FROM `session` WHERE " . - "`id`='$key' AND `expire` > '$time' " . - "AND `type`='$type'"; - $db_results = Dba::read($sql); - - if (Dba::num_rows($db_results)) { - return true; - } - break; - case 'interface': - $key = Dba::escape($key); - $time = time(); - // Build a list of enabled authentication types - $types = Config::get('auth_methods'); - if (!Config::get('use_auth')) { - $types[] = ''; - } - $enabled_types = implode("','", $types); - $sql = "SELECT * FROM `session` WHERE " . - "`id`='$key' AND `expire` > '$time' " . - "AND `type` IN('$enabled_types')"; - $db_results = Dba::read($sql); - - if (Dba::num_rows($db_results)) { - return true; - } - break; - case 'stream': - $key = Dba::escape($key); - $ip = Dba::escape(inet_pton($data['ip'])); - $agent = Dba::escape($data['agent']); - $sql = "SELECT * FROM `session_stream` WHERE " . - "`id`='$key' AND `expire` > '$time' " . 
- "AND `ip`='$ip' AND `agent`='$agent'"; - $db_results = Dba::read($sql); - - if (Dba::num_rows($db_results)) { - return true; - } - - break; - default: - return false; - break; - } // type - - // Default to false - return false; - - } // session_exists - - /** - * session_extend - * This should really be extend_session but hey you gotta go with the - * flow. - * This takes a SID and extends its expiration. - */ - public static function session_extend($sid) { - $time = time(); - $sid = Dba::escape($sid); - $expire = isset($_COOKIE[Config::get('session_name') . '_remember']) - ? $time + Config::get('remember_length') - : $time + Config::get('session_length'); - - $sql = "UPDATE `session` SET `expire`='$expire' WHERE `id`='$sid'"; - $db_results = Dba::write($sql); - - debug_event('SESSION', $sid . ' has been extended to ' . date('r', $expire) . ' extension length ' . ($expire - $time), 5); - - return $db_results; - } // session_extend - - /** - * _auto_init - * This function is called when the object is included, this sets up the - * session_save_handler - */ - public static function _auto_init() { - - if (!function_exists('session_start')) { - header("Location:" . Config::get('web_path') . "/test.php"); - exit; - } - - session_set_save_handler( - array('vauth', 'open'), - array('vauth', 'close'), - array('vauth', 'read'), - array('vauth', 'write'), - array('vauth', 'destroy'), - array('vauth', 'gc')); - - } // auto init - - /** - * ungimp_ie - * This function sets the cache limiting to public if you are running - * some flavor of IE. The detection used here is very conservative so - * feel free to fix it. This only has to be done if we're rolling HTTPS. 
- */ - public static function ungimp_ie() { - - // If no https, no ungimpage required - if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'on') { - return true; - } - - // Try to detect IE - $agent = trim($_SERVER['HTTP_USER_AGENT']); - - if ((strpos($agent, 'MSIE') !== false) || - (strpos($agent,'Internet Explorer/') !== false)) { - session_cache_limiter('public'); - } - - return true; - - } // ungimp_ie - /** * authenticate * This takes a username and password and then returns the results diff --git a/lib/init.php b/lib/init.php index fae52aef..7a9b3dc1 100644 --- a/lib/init.php +++ b/lib/init.php @@ -28,10 +28,10 @@ $ampache_path = dirname(__FILE__); $prefix = realpath($ampache_path . "/../"); require_once $prefix . '/lib/init-tiny.php'; -// Explicitly load vauth and enable the custom session handler. +// Explicitly load and enable the custom session handler. // Relying on autoload may not always load it before sessiony things are done. -require_once $prefix . '/lib/class/vauth.class.php'; -vauth::_auto_init(); +require_once $prefix . '/lib/class/session.class.php'; +Session::_auto_init(); // Set up for redirection on important error cases $path = preg_replace('#(.*)/(\w+\.php)$#', '$1', $_SERVER['PHP_SELF']); 
@@ -132,16 +132,22 @@ set_memory_limit($results['memory_limit']); // If we want a session if (!defined('NO_SESSION') && Config::get('use_auth')) { /* Verify their session */ - if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')])) { vauth::logout($_COOKIE[Config::get('session_name')]); exit; } + if (!Session::exists('interface', $_COOKIE[Config::get('session_name')])) { + vauth::logout($_COOKIE[Config::get('session_name')]); + exit; + } // This actually is starting the session - vauth::check_session(); + Session::check(); /* Create the new user */ $GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']); /* If the user ID doesn't exist deny them */ - if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { vauth::logout(session_id()); exit; } + if (!$GLOBALS['user']->id && !Config::get('demo_mode')) { + vauth::logout(session_id()); + exit; + } /* Load preferences and theme */ $GLOBALS['user']->update_last_seen(); @@ -153,17 +159,17 @@ elseif (!Config::get('use_auth')) { $auth['id'] = -1; $auth['offset_limit'] = 50; $auth['access'] = Config::get('default_auth_level') ? User::access_name_to_level(Config::get('default_auth_level')) : '100'; - if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')])) { - vauth::create_cookie(); - vauth::session_create($auth); - vauth::check_session(); + if (!Session::exists('interface', $_COOKIE[Config::get('session_name')])) { + Session::create_cookie(); + Session::create($auth); + Session::check(); $GLOBALS['user'] = new User($auth['username']); $GLOBALS['user']->username = $auth['username']; $GLOBALS['user']->fullname = $auth['fullname']; $GLOBALS['user']->access = $auth['access']; } else { - vauth::check_session(); + Session::check(); if ($_SESSION['userdata']['username']) { $GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']); } 
@@ -174,7 +180,9 @@ elseif (!Config::get('use_auth')) { $GLOBALS['user']->fullname = $auth['fullname']; $GLOBALS['user']->access = $auth['access']; } - if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { vauth::logout(session_id()); exit; } + if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { + vauth::logout(session_id()); exit; + } $GLOBALS['user']->update_last_seen(); } } @@ -196,7 +204,7 @@ else { Preference::init(); if (session_id()) { - vauth::session_extend(session_id()); + Session::extend(session_id()); // We only need to create the tmp playlist if we have a session $GLOBALS['user']->load_playlist(); } diff --git a/login.php b/login.php index 30ef9d33..2a474342 100644 --- a/login.php +++ b/login.php @@ -26,7 +26,7 @@ require_once 'lib/init.php'; /* We have to create a cookie here because IIS * can't handle Cookie + Redirect */ -vauth::create_cookie(); +Session::create_cookie(); Preference::init(); /** @@ -52,7 +52,7 @@ if (($_POST['username'] && $_POST['password']) || ($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) { if ($_POST['rememberme']) { - vauth::create_remember_cookie(); + Session::create_remember_cookie(); } /* If we are in demo mode let's force auth success */ @@ -137,7 +137,7 @@ if (($_POST['username'] && $_POST['password']) || if ($auth['success']) { // $auth->info are the fields specified in the config file // to retrieve for each user - vauth::session_create($auth); + Session::create($auth); // Not sure if it was me or php tripping out, // but naming this 'user' didn't work at all diff --git a/server/xml.server.php b/server/xml.server.php index ea7b9df6..3d6d804f 100644 --- a/server/xml.server.php +++ b/server/xml.server.php 
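Review bot: The block rewritten in `@@ -174,7 +180,9 @@` keeps `vauth::logout(session_id()); exit;` on one line and the `AND` operator, while the identical check rewritten in `@@ -132,16 +132,22 @@` of the same file puts `exit;` on its own line and switches to `&&`; for consistency write it as `if (!$GLOBALS['user']->id && !Config::get('demo_mode')) {` followed by `vauth::logout(session_id());` and `exit;` on separate lines. The enclosing `elseif` block continues outside the hunk.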
@@ -48,7 +48,7 @@ if (!Config::get('access_control')) { * Verify the existance of the Session they passed in we do allow them to * login via this interface so we do have an exception for action=login */ -if (!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') { +if (!Session::exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') { debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3'); ob_end_clean(); echo XML_Data::error('401', T_('Session Expired')); @@ -56,10 +56,12 @@ if (!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != } // If the session exists then let's try to pull some data from it to see if we're still allowed to do this -$session = vauth::get_session_data($_REQUEST['auth']); -$username = ($_REQUEST['action'] == 'handshake' || $_REQUEST['action'] == 'ping') ? $_REQUEST['user'] : $session['username']; +$username = + ($_REQUEST['action'] == 'handshake' || $_REQUEST['action'] == 'ping') + ? $_REQUEST['user'] + : Session::user($_REQUEST['auth']); -if (!Access::check_network('init-api',$username,'5')) { +if (!Access::check_network('init-api', $username, 5)) { debug_event('Access Denied','Unauthorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3'); ob_end_clean(); echo XML_Data::error('403', T_('Unauthorized access attempt to API - ACL Error')); @@ -67,7 +69,7 @@ if (!Access::check_network('init-api',$username,'5')) { } if ($_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') { - vauth::session_extend($_REQUEST['auth']); + Session::extend($_REQUEST['auth']); $GLOBALS['user'] = User::get_from_username($session['username']); } -- cgit
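Review bot: The third hunk (`@@ -67,7 +69,7 @@`) still loads the user with `User::get_from_username($session['username'])`, but the `$session = vauth::get_session_data(...)` assignment that defined `$session` is removed in the second hunk and nothing on the new side assigns it, so every valid non-handshake request looks the user up by an undefined index; use the value computed above: `$GLOBALS['user'] = User::get_from_username($username);`. The second hunk also calls `Session::user($_REQUEST['auth'])`, whereas the new `session.class.php` in this patch exposes `Session::username()`; unless `user()` is defined in the portion of that file not visible here, this is a call to an undefined static method. The `if` block of the third hunk closes outside the hunk.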