From b40707428130a927b27f595a875808d08588ff52 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 7 Dec 2016 19:04:24 -0800 Subject: always check api_user --- include/api_zot.php | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/include/api_zot.php b/include/api_zot.php index d9895fae0..d1979c3ae 100644 --- a/include/api_zot.php +++ b/include/api_zot.php @@ -117,6 +117,9 @@ } function api_attach_list($type) { + if(api_user() === false) + return false; + logger('api_user: ' . api_user()); $hash = ((array_key_exists('filehash',$_REQUEST)) ? $_REQUEST['filehash'] : ''); $filename = ((array_key_exists('filename',$_REQUEST)) ? $_REQUEST['filename'] : ''); @@ -135,7 +138,8 @@ function api_file_meta($type) { - if (api_user()===false) return false; + if(api_user() === false) + return false; if(! $_REQUEST['file_id']) return false; $r = q("select * from attach where uid = %d and hash = '%s' limit 1", intval(api_user()), @@ -152,7 +156,8 @@ function api_file_data($type) { - if (api_user()===false) return false; + if(api_user() === false) + return false; if(! $_REQUEST['file_id']) return false; $start = (($_REQUEST['start']) ? intval($_REQUEST['start']) : 0); $length = (($_REQUEST['length']) ? intval($_REQUEST['length']) : 0); @@ -193,8 +198,10 @@ function api_file_export($type) { - if (api_user()===false) return false; - if(! $_REQUEST['file_id']) return false; + if(api_user() === false) + return false; + if(! $_REQUEST['file_id']) + return false; $ret = attach_export_data(api_user(),$_REQUEST['file_id']); if($ret) { @@ -205,7 +212,8 @@ function api_file_detail($type) { - if (api_user()===false) return false; + if(api_user() === false) + return false; if(! $_REQUEST['file_id']) return false; $r = q("select * from attach where uid = %d and hash = '%s' limit 1", intval(api_user()), @@ -228,16 +236,21 @@ function api_albums($type) { + if(api_user() === false) + return false; json_return_and_die(photos_albums_list(App::get_channel(),App::get_observer())); } function api_photos($type) { + if(api_user() === false) + return false; $album = $_REQUEST['album']; json_return_and_die(photos_list_photos(App::get_channel(),App::get_observer(),$album)); } function api_photo_detail($type) { - if (api_user()===false) return false; + if(api_user() === false) + return false; if(! $_REQUEST['photo_id']) return false; $scale = ((array_key_exists('scale',$_REQUEST)) ? intval($_REQUEST['scale']) : 0); $r = q("select * from photo where uid = %d and resource_id = '%s' and imgscale = %d limit 1", @@ -316,8 +329,6 @@ function api_red_xchan($type) { - logger('api_xchan'); - if(api_user() === false) return false; logger('api_xchan'); -- cgit v1.2.3