source: trunk/include/ws_functions/pwg.groups.php @ 27811

Last change on this file since 27811 was 27811, checked in by plg, 10 years ago

merge r27810 from branch 2.6 to trunk

bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6
(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2014 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
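/**
 * API method
 * Returns the list of groups
 * @param mixed[] $params
 *    @option int[] group_id (optional)
 *    @option string name (optional)
 *    @option string order ("[alias.]column [ASC|DESC]" terms, comma separated)
 *    @option int per_page
 *    @option int page
 * @return array|PwgError 'paging' struct plus the 'groups' named array, or an
 *         error when "order" is not a plain column/direction list
 */
function ws_groups_getList($params, &$service)
{
  $where_clauses = array('1=1');

  if (!empty($params['name']))
  {
    // free-form text: always goes through the DB escaper before being quoted
    $where_clauses[] = 'LOWER(name) LIKE \''. pwg_db_real_escape_string($params['name']) .'\'';
  }

  if (!empty($params['group_id']))
  {
    // ids are spliced into the query unquoted, so reduce them to integers
    // first; valid ids are unaffected, anything else collapses to 0
    $group_ids = array_map('intval', (array)$params['group_id']);
    $where_clauses[] = 'id IN('. implode(',', $group_ids) .')';
  }

  // "order" is spliced into ORDER BY verbatim; only accept a comma separated
  // list of "[alias.]column [ASC|DESC]" terms so it cannot carry other SQL
  $order = isset($params['order']) ? trim((string)$params['order']) : '';
  $order_term = '([a-z_][a-z0-9_]*\.)?[a-z_][a-z0-9_]*(\s+(asc|desc))?';
  if (!preg_match('/^'. $order_term .'(\s*,\s*'. $order_term .')*$/i', $order))
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid order parameter.');
  }

  // LIMIT/OFFSET are numeric: cast instead of trusting the raw values
  $per_page = max(0, (int)$params['per_page']);
  $page = max(0, (int)$params['page']);

  $query = '
SELECT
    g.*, COUNT(user_id) AS nb_users
  FROM '. GROUPS_TABLE .' AS g
    LEFT JOIN '. USER_GROUP_TABLE .' AS ug
    ON ug.group_id = g.id
  WHERE '. implode(' AND ', $where_clauses) .'
  GROUP BY id
  ORDER BY '. $order .'
  LIMIT '. $per_page .'
  OFFSET '. ($per_page*$page) .'
;';

  $groups = array_from_query($query);

  return array(
    'paging' => new PwgNamedStruct(array(
      'page' => $page,
      'per_page' => $per_page,
      'count' => count($groups)
      )),
    'groups' => new PwgNamedArray($groups, 'group')
    );
}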
69
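/**
 * API method
 * Adds a group
 * @param mixed[] $params
 *    @option string name
 *    @option bool is_default
 * @return array|PwgError the new group as returned by pwg.groups.getList, or
 *         an error when the name is empty or already taken
 *
 * NOTE(review): unlike the other state-changing methods in this file, this
 * one performs no pwg_token check; confirm whether the method declaration is
 * expected to supply one before relying on it for request forgery protection.
 */
function ws_groups_add($params, &$service)
{
  // a group needs a real name: refuse early instead of inserting a blank row
  if (!isset($params['name']) || !is_scalar($params['name'])
      || '' === trim((string)$params['name']))
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'The group name must not be empty.');
  }

  $params['name'] = pwg_db_real_escape_string($params['name']);

  // is the name not already used ?
  $query = '
SELECT COUNT(*)
  FROM '.GROUPS_TABLE.'
  WHERE name = \''.$params['name'].'\'
;';
  list($count) = pwg_db_fetch_row(pwg_query($query));
  if ((int)$count !== 0)
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'This name is already used by another group.');
  }

  // creating the group
  // NOTE(review): the already-escaped name is handed to single_insert(); if
  // that helper escapes values itself the stored name ends up double-escaped
  // — verify against its implementation.
  single_insert(
    GROUPS_TABLE,
    array(
      'name' => $params['name'],
      'is_default' => boolean_to_string(isset($params['is_default']) ? $params['is_default'] : false),
      )
    );

  return $service->invoke('pwg.groups.getList', array('group_id' => pwg_db_insert_id()));
}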
104
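/**
 * API method
 * Deletes a group
 * @param mixed[] $params
 *    @option int[] group_id
 *    @option string pwg_token
 * @return PwgNamedArray|PwgError names of the deleted groups, or an error
 *         when the token is wrong or no group id was given
 */
function ws_groups_delete($params, &$service)
{
  // strict comparison on purpose: "!=" compares two numeric-looking strings
  // as numbers, which is not what a token check wants (hash_equals() would
  // additionally avoid the timing side channel once PHP >= 5.6 is required)
  if (!isset($params['pwg_token']) || !is_string($params['pwg_token'])
      || get_pwg_token() !== $params['pwg_token'])
  {
    return new PwgError(403, 'Invalid security token');
  }

  // an empty list would produce "IN()" and a SQL error further down
  if (empty($params['group_id']))
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'group_id is required.');
  }

  // ids are spliced into SQL unquoted: keep only integers
  $group_id_string = implode(',', array_map('intval', (array)$params['group_id']));

  // destruction of the access linked to the group
  $query = '
DELETE
  FROM '. GROUP_ACCESS_TABLE .'
  WHERE group_id IN('. $group_id_string  .')
;';
  pwg_query($query);

  // destruction of the users links for this group
  $query = '
DELETE
  FROM '. USER_GROUP_TABLE .'
  WHERE group_id IN('. $group_id_string  .')
;';
  pwg_query($query);

  // names are fetched before the rows disappear, to report what was removed
  $query = '
SELECT name
  FROM '. GROUPS_TABLE .'
  WHERE id IN('. $group_id_string  .')
;';
  $groupnames = array_from_query($query, 'name');

  // destruction of the group
  $query = '
DELETE
  FROM '. GROUPS_TABLE .'
  WHERE id IN('. $group_id_string  .')
;';
  pwg_query($query);

  include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
  invalidate_user_cache();

  return new PwgNamedArray($groupnames, 'group_deleted');
}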
157
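/**
 * API method
 * Updates a group
 * @param mixed[] $params
 *    @option int group_id
 *    @option string name (optional)
 *    @option bool is_default (optional)
 *    @option string pwg_token
 * @return array|PwgError the updated group as returned by pwg.groups.getList,
 *         or an error (bad token, unknown group, name taken by another group)
 */
function ws_groups_setInfo($params, &$service)
{
  // strict comparison on purpose: "!=" compares two numeric-looking strings
  // as numbers, which is not what a token check wants
  if (!isset($params['pwg_token']) || !is_string($params['pwg_token'])
      || get_pwg_token() !== $params['pwg_token'])
  {
    return new PwgError(403, 'Invalid security token');
  }

  // the id is spliced into SQL unquoted: keep only the integer
  $group_id = (int)$params['group_id'];
  $updates = array();

  // does the group exist ?
  $query = '
SELECT COUNT(*)
  FROM '. GROUPS_TABLE .'
  WHERE id = '. $group_id .'
;';
  list($count) = pwg_db_fetch_row(pwg_query($query));
  if ((int)$count === 0)
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'This group does not exist.');
  }

  if (!empty($params['name']))
  {
    $params['name'] = pwg_db_real_escape_string($params['name']);

    // is the name used by *another* group? (re-submitting the group's own
    // current name is not a conflict)
    $query = '
SELECT COUNT(*)
  FROM '. GROUPS_TABLE .'
  WHERE name = \''. $params['name'] .'\'
    AND id != '. $group_id .'
;';
    list($count) = pwg_db_fetch_row(pwg_query($query));
    if ((int)$count !== 0)
    {
      return new PwgError(WS_ERR_INVALID_PARAM, 'This name is already used by another group.');
    }

    $updates['name'] = $params['name'];
  }

  // is_default is optional: apply it when truthy or when explicitly false
  // (no "@" suppression needed, isset() handles the absent case)
  if (!empty($params['is_default'])
      or (isset($params['is_default']) and $params['is_default'] === false))
  {
    $updates['is_default'] = boolean_to_string($params['is_default']);
  }

  // nothing to change: skip the UPDATE rather than issuing one with an empty SET
  if (!empty($updates))
  {
    single_update(
      GROUPS_TABLE,
      $updates,
      array('id' => $group_id)
      );
  }

  return $service->invoke('pwg.groups.getList', array('group_id' => $group_id));
}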
219
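/**
 * API method
 * Adds user(s) to a group
 * @param mixed[] $params
 *    @option int group_id
 *    @option int[] user_id
 *    @option string pwg_token
 * @return array|PwgError the group as returned by pwg.groups.getList, or an
 *         error when the token is wrong or the group does not exist
 */
function ws_groups_addUser($params, &$service)
{
  // strict comparison on purpose: "!=" compares two numeric-looking strings
  // as numbers, which is not what a token check wants
  if (!isset($params['pwg_token']) || !is_string($params['pwg_token'])
      || get_pwg_token() !== $params['pwg_token'])
  {
    return new PwgError(403, 'Invalid security token');
  }

  // the id is spliced into SQL unquoted: keep only the integer
  $group_id = (int)$params['group_id'];

  // does the group exist ?
  $query = '
SELECT COUNT(*)
  FROM '. GROUPS_TABLE .'
  WHERE id = '. $group_id .'
;';
  list($count) = pwg_db_fetch_row(pwg_query($query));
  if ((int)$count === 0)
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'This group does not exist.');
  }

  $inserts = array();
  $user_ids = isset($params['user_id']) ? (array)$params['user_id'] : array();
  foreach ($user_ids as $user_id)
  {
    $inserts[] = array(
      'group_id' => $group_id,
      'user_id' => (int)$user_id,
      );
  }

  // nothing to link when no user was given; avoid an empty mass insert
  if (!empty($inserts))
  {
    mass_inserts(
      USER_GROUP_TABLE,
      array('group_id', 'user_id'),
      $inserts,
      array('ignore'=>true)
      );
  }

  include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
  invalidate_user_cache();

  return $service->invoke('pwg.groups.getList', array('group_id' => $group_id));
}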
267
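/**
 * API method
 * Removes user(s) from a group
 * @param mixed[] $params
 *    @option int group_id
 *    @option int[] user_id
 *    @option string pwg_token
 * @return array|PwgError the group as returned by pwg.groups.getList, or an
 *         error when the token is wrong or the group does not exist
 */
function ws_groups_deleteUser($params, &$service)
{
  // strict comparison on purpose: "!=" compares two numeric-looking strings
  // as numbers, which is not what a token check wants
  if (!isset($params['pwg_token']) || !is_string($params['pwg_token'])
      || get_pwg_token() !== $params['pwg_token'])
  {
    return new PwgError(403, 'Invalid security token');
  }

  // the id is spliced into SQL unquoted: keep only the integer
  $group_id = (int)$params['group_id'];

  // does the group exist ?
  $query = '
SELECT COUNT(*)
  FROM '. GROUPS_TABLE .'
  WHERE id = '. $group_id .'
;';
  list($count) = pwg_db_fetch_row(pwg_query($query));
  if ((int)$count === 0)
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'This group does not exist.');
  }

  // user ids are spliced into SQL unquoted as well: integers only, and an
  // empty list would produce "IN()" (a SQL error), so skip the DELETE then
  $user_ids = isset($params['user_id'])
    ? array_map('intval', (array)$params['user_id'])
    : array();
  if (!empty($user_ids))
  {
    $query = '
DELETE FROM '. USER_GROUP_TABLE .'
  WHERE
    group_id = '. $group_id .'
    AND user_id IN('. implode(',', $user_ids) .')
;';
    pwg_query($query);
  }

  include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
  invalidate_user_cache();

  return $service->invoke('pwg.groups.getList', array('group_id' => $group_id));
}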
307
308?>