Added license text
index 9fcd6e2fbf32758ae1a6f86f94d4323fdbd5f3cf..451581321a03b1f6e233d73713f73ad8a34388b5 100644 (file)
@@ -1,4 +1,30 @@
 <?php
+/*
+#  Copyright (c) 2012, Gjøvik University College
+#  All rights reserved.
+
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#      * Redistributions of source code must retain the above copyright
+#        notice, this list of conditions and the following disclaimer.
+#      * Redistributions in binary form must reproduce the above copyright
+#        notice, this list of conditions and the following disclaimer in the
+#        documentation and/or other materials provided with the distribution.
+#      * Neither the name of the Gjøvik University College nor the
+#        names of its contributors may be used to endorse or promote products
+#        derived from this software without specific prior written permission.
+#       
+#  THIS SOFTWARE IS PROVIDED BY Gjøvik University College ''AS IS'' AND ANY
+#  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+#  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+#  DISCLAIMED. IN NO EVENT SHALL Gjøvik University College BE LIABLE FOR ANY
+#  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+#  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+#  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+#  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+#  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
 require_once('config.php');
 require_once('lib/auth_base.php');
 require_once('lib/common_functions.php');
@@ -32,13 +58,13 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
                        $type = false;
                        $authid = false;
 
-                       if ( array_key_exists('username', $_GET) 
-                               && array_key_exists('password', $_GET) )
+                       if ( array_key_exists('username', $_POST) 
+                               && array_key_exists('password', $_POST) )
                        {
-                               if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password'])))
+                               if ( 1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password'])))
                                {
                                        $type = "user";
-                                       $authid = $_GET['username'];
+                                       $authid = $_POST['username'];
                                }
                                else
                                {
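Review bot: The password is run through sql_clean() before it reaches authuser_verify() on the `1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password']))` line, so any character that sql_clean rewrites or strips is altered before the credential is checked; if authuser_verify() compares against a stored hash it needs the raw password, and the lookup inside it should be a parameterised query rather than depending on sql_clean. The `1 ==` loose comparison should be `1 === authuser_verify(...)` so that only the documented success value is accepted. `$authid = $_POST['username']` stores the un-cleaned value while the cleaned one was verified, so the identity recorded in the session can differ from the one that was checked; assigning the cleaned value (or a plain `trim()`ed copy) to both keeps them consistent. The enclosing if-block starts before this hunk.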
@@ -46,12 +72,12 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
                                        exit;
                                }
                        }
-                       else if ( array_key_exists('api_key', $_GET) )
+                       else if ( array_key_exists('api_key', $_POST) )
                        {
-                               if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 )
+                               if ( verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1 )
                                {
                                        $type = "key";
-                                       $authid = $_GET['api_key'];
+                                       $authid = $_POST['api_key'];
                                }
                                else
                                {
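Review bot: `verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1` is a loose comparison, and the other api_key hunk further down (the `! verify_apikey( $key, true )` one) tests the same function's result by truthiness, so the two call sites disagree on what a success value looks like. Pick one convention and use `=== 1` here, or `if ( ! verify_apikey(...) )` in both places. As in the username branch, `$authid = $_POST['api_key']` stores the raw value while the cleaned value was verified; store the value that was actually checked.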
@@ -72,8 +98,8 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
                        // De-authenticate/deauthorize the ongoing session.
                        // I.e. destroy session data, remove session cookies.
                        $session_name = "";
-                       if ( array_key_exists('session', $_GET ) )
-                               $session_name = $_GET['session'];
+                       if ( array_key_exists('session', $_POST ) )
+                               $session_name = $_POST['session'];
                        session_name($session_name);
                        session_start();
                        clear_credentials($session_name);
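Review bot: `$session_name` is taken straight from `$_POST['session']` and handed to session_name() with no check on its content; PHP restricts session names to alphanumeric characters and, as far as I recall, rejects an empty or numeric name with a warning and keeps the default name, so a logout request without `session` would act on the default-named session instead of failing cleanly. Validate before use, e.g. `if ( ! preg_match('/^[A-Za-z][A-Za-z0-9]*$/', $session_name) ) { print json_encode( array( 'response' => 'invalid') ); exit; }`, placed before the `session_name($session_name);` call. The enclosing block starts before this hunk.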
@@ -101,7 +127,7 @@ else
                        // The ping required a valid session...
                        // A successful ping returns a 'response' => 'pong'
                        // along with the new auth_key.
-                       $session_name = $_GET['session'];
+                       $session_name = $_POST['session'];
                        $authid = $_SESSION['authid'];
                        $auth_key = update_authkey( $session_name, $authid );
                        print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
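Review bot: `$session_name = $_POST['session'];` reads the key without the `array_key_exists('session', $_POST)` guard that the logout hunk uses, so a ping without that field raises an undefined-index notice and passes an empty name to update_authkey(); unless a check above this hunk already guarantees the key is present, add `if ( ! array_key_exists('session', $_POST) ) simple_authfail();` ahead of it, matching the `simple_authfail()` style used elsewhere in this file. The same character validation applied to the logout session name would belong here too. The enclosing block starts before this hunk.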
@@ -112,11 +138,11 @@ else
                        if ( ! can_write() )
                                simple_authfail();
 
-                       if ( array_key_exists('host_ip', $_GET )
-                               && array_key_exists('access', $_GET ))
+                       if ( array_key_exists('host_ip', $_POST )
+                               && array_key_exists('access', $_POST ))
                        {
-                               $host = $_GET['host_ip'];
-                               $access = $_GET['access'];
+                               $host = $_POST['host_ip'];
+                               $access = $_POST['access'];
 
                                if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) )
                                {
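Review bot: The host_ip check on the `preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host)` line is pre-existing but still the only validation this hunk gives `$host`: `$` in PCRE also matches before a trailing newline, and octets above 255 pass, so values that are not IPv4 addresses get through. `filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false` is the precise test and needs no regex. `$host` is also not passed through sql_clean() the way the api_key and username inputs are; where it is stored later is outside the hunk, but that store should be a parameterised query rather than relying on cleaning.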
@@ -141,9 +167,9 @@ else
                        if ( ! can_write() )
                                simple_authfail();
 
-                       if ( array_key_exists('api_key', $_GET ) )
+                       if ( array_key_exists('api_key', $_POST ) )
                        {
-                               $key = sql_clean( $_GET['api_key'] );
+                               $key = sql_clean( $_POST['api_key'] );
                                // Perform a key-verification, skipping host/remote-address check.
                                if ( ! verify_apikey( $key, true ) )
                                {
@@ -178,11 +204,11 @@ else
                        if ( ! can_write() )
                                simple_authfail();
 
-                       if ( array_key_exists('username', $_GET )
-                               && array_key_exists('access', $_GET ))
+                       if ( array_key_exists('username', $_POST )
+                               && array_key_exists('access', $_POST ))
                        {
-                               $user = $_GET['username'];
-                               $access = $_GET['access'];
+                               $user = $_POST['username'];
+                               $access = $_POST['access'];
                                $level = authlevel_value( $access );
 
                                if ( ! $level )
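Review bot: `$user = $_POST['username'];` is used raw here and again in the next username hunk (`$t_level = get_authorization( "user", $user );`), while the login hunk passes the username through sql_clean(); how get_authorization() and the code after this hunk use `$user` is not visible, but both paths should treat the name the same way and the underlying lookup should be parameterised. `if ( ! $level )` rejects any level whose value is falsy, so if authlevel_value() can legitimately return 0 for a real access level that level becomes unusable; if the function returns false for unknown names, `if ( $level === false )` is the precise test. The enclosing block starts before this hunk.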
@@ -215,9 +241,9 @@ else
                        if ( ! can_write() )
                                simple_authfail();
 
-                       if ( array_key_exists('username', $_GET ))
+                       if ( array_key_exists('username', $_POST ))
                        {
-                               $user = $_GET['username'];
+                               $user = $_POST['username'];
 
                                $t_level = get_authorization( "user", $user ); 
 
@@ -240,7 +266,7 @@ else
                                        }
                                }
 
-                               print json_encode( array( 'response' => 'ok', 'user' => $user, 'access' => authlevel_name( get_authorization( "user", $user ) ) ) );
+                               print json_encode( array( 'response' => 'ok', 'user' => $user ) );
                                break;
                        }
                        else print json_encode ( array( 'response' => 'invalid') );
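Review bot: The `print json_encode( array( 'response' => 'ok', 'user' => $user ) );` line drops the `access` field from the response, which is an API-visible change that the commit title "Added license text" does not mention; clients relying on that field will break silently. Either keep the field or document the new response shape in the commit message and in a comment above the print, e.g. `// Response intentionally omits 'access'; callers query it separately.` The enclosing switch starts before this hunk.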