hotglue: /var-www-hotglue/hotglue.org-test/dev/json.php Source File

00001 <?php
00002 
00003 /**
00004  *      json.php
00005  *      HTTP request handler for JSON-encoded AJAX calls
00006  *
00007  *      Copyright Gottfried Haider, Danja Vasiliev 2010.
00008  *      This source code is licensed under the GNU General Public License.
00009  *      See the file COPYING for more details.
00010  */
00011 
00012 @require_once('config.inc.php');
00013 require_once('log.inc.php');
00014 log_msg('info', '--- json request ---');
00015 require_once('common.inc.php');
00016 require_once('modules.inc.php');
00017 require_once('util.inc.php');
00018 
00019 
00020 // set mime type and encoding first
00021 header('Content-Type: application/json; charset=UTF-8');
00022 
00023 // get method and arguments
00024 $args = array();
00025 switch ($_SERVER['REQUEST_METHOD']) {
00026         // we don't use $_REQUEST here because this includes cookies as well
00027         // disable support for GET to make cross site request forgery (xsrf) 
00028         // at least harder to do
00029         //case 'GET':
00030         //      foreach ($_GET as $key=>$val) {
00031         //              if (get_magic_quotes_gpc()) {
00032         //                      $val = stripslashes($val);
00033         //              }
00034         //              $dec = @json_decode($val, true);
00035         //              if ($dec === NULL) {
00036         //                      $err = response('Error decoding the argument '.quot($key).' => '.var_dump_inl($val), 400);
00037         //                      echo json_encode($err);
00038         //                      log_msg('warn', 'json: '.$err['#data']);
00039         //                      die();
00040         //              } else {
00041         //                      $args[$key] = $dec;
00042         //              }
00043         //      }
00044         //      break;
00045         case 'POST':
00046                 foreach ($_POST as $key=>$val) {
00047                         if (get_magic_quotes_gpc()) {
00048                                 $val = stripslashes($val);
00049                         }
00050                         $dec = @json_decode($val, true);
00051                         if ($dec === NULL) {
00052                                 $err = response('Error decoding the argument '.quot($key).' => '.var_dump_inl($val), 400);
00053                                 echo json_encode($err);
00054                                 log_msg('warn', 'json: '.$err['#data']);
00055                                 die();
00056                         } else {
00057                                 $args[$key] = $dec;
00058                         }
00059                 }
00060                 break;
00061         default:
00062                 //$err = response('Only HTTP GET and POST requests supported', 400);
00063                 $err = response('Only HTTP POST requests supported', 400);
00064                 echo json_encode($err);
00065                 log_msg('warn', 'json: '.$err['#data']);
00066                 die();
00067 }
00068 
00069 // check if we got a method argument
00070 if (!empty($args['method'])) {
00071         $method = $args['method'];
00072         unset($args['method']);
00073         log_msg('debug', 'json: method is '.quot($method));
00074         log_msg('debug', 'json: arguments are '.var_dump_inl($args));
00075         log_msg('debug', 'json: base url is '.quot(base_url()));
00076 } else {
00077         // this can also be caused by an upload exceeding the limits 
00078         // set in php.ini
00079         $err = response('Required argument "method" missing', 400);
00080         echo json_encode($err);
00081         log_msg('warn', 'json: '.$err['#data']);
00082         die();
00083 }
00084 
00085 load_modules($method);
00086 
00087 if (!($m = get_service($method))) {
00088         $err = response('Unknown method '.quot($method), 400);
00089         echo json_encode($err);
00090         log_msg('warn', 'json: '.$err['#data']);
00091         die();
00092 }
00093 
00094 // check authentication
00095 if (isset($m['auth']) && $m['auth']) {
00096         if (!is_auth()) {
00097                 prompt_auth(true);
00098         }
00099 }
00100 
00101 if (isset($m['cross-origin']) && $m['cross-origin']) {
00102         // output cross-origin header if requested
00103         header('Access-Controll-Allow-Origin: *');
00104 } else {
00105         // otherwise check the referer to make xsrf harder
00106         if (!empty($_SERVER['HTTP_REFERER'])) {
00107                 $bu = base_url();
00108                 if (substr($_SERVER['HTTP_REFERER'], 0, strlen($bu)) != $bu) {
00109                         echo json_encode(response('Cross-origin requests not supported for this method', 400));
00110                         log_msg('warn', 'json: possible xsrf detected, referer is '.quot($_SERVER['HTTP_REFERER']).', arguments '.var_dump_inl($args));
00111                         die();
00112                 }
00113         }
00114 }
00115 
00116 // run service and output result
00117 $ret = run_service($method, $args);
00118 if (is_array($ret) && isset($ret['#error']) && $ret['#error']) {
00119         log_msg('warn', 'json: service '.$method.' returned error '.quot($ret['#data']));
00120 } elseif (is_array($ret) && isset($ret['#data'])) {
00121         log_msg('debug', 'json: service returned '.var_dump_inl($ret['#data']));
00122 }
00123 echo json_encode($ret);