Skip to content

Commit

Permalink
Updated the restful "update" function to ensure some security.
Browse files Browse the repository at this point in the history
  • Loading branch information
@drobertadams
drobertadams committed Jul 26, 2011
1 parent 43b2a1c commit b4df304
Showing 1 changed file with 29 additions and 13 deletions.
42 changes: 29 additions & 13 deletions application/controllers/rest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -228,8 +228,11 @@ public function register()

/**
* Update a user's registration information. The URI format should be:
* rest/update/oldusername/OLDUSERNAME/newusername/NEWUSERNAME/password/PASSWORD/professor/PROFESSOR
* rest/update/oldusername/OLDUSERNAME/newusername/NEWUSERNAME/\
* oldpassword/OLDPASSWORD/newpassword/NEWPASSOWRD/professor/PROFESSOR
* Returns <result>N</result> where
* N=-4 : newusername already in use
* N=-3 : permissions denied
* N=-2 : error in URI string
* N=-1 : user not found
* N=1 : success
Expand All @@ -239,34 +242,44 @@ public function update()
/* URI field names. */
$OLDUSERNAME = "oldusername";
$NEWUSERNAME = "newusername";
$PASSWORD = "password";
$OLDPASSWORD = "oldpassword";
$NEWPASSWORD = "newpassword";
$PROFESSOR = "professor";

/* Tell the browser we're outputting XML. */
$this->output->set_header("Content-type: application/xml; charset=UTF-8");

/* Decompose the URI string into elements and decode them. */
$uri_keys = array($OLDUSERNAME, $NEWUSERNAME, $PASSWORD, $PROFESSOR);
$uri_keys = array($OLDUSERNAME, $NEWUSERNAME, $OLDPASSWORD, $NEWPASSWORD, $PROFESSOR);
$uri_vals = $this->uri->uri_to_assoc(3, $uri_keys);
$uri_vals[$OLDUSERNAME] = urldecode($uri_vals[$OLDUSERNAME]);
$uri_vals[$NEWUSERNAME] = urldecode($uri_vals[$NEWUSERNAME]);
$uri_vals[$PASSWORD] = urldecode($uri_vals[$PASSWORD]);
$uri_vals[$OLDPASSWORD] = urldecode($uri_vals[$OLDPASSWORD]);
$uri_vals[$NEWPASSWORD] = urldecode($uri_vals[$NEWPASSWORD]);
$uri_vals[$PROFESSOR] = urldecode($uri_vals[$PROFESSOR]);

/* Make sure all three components are listed. If not, fail. */
if ( ! $uri_vals[$OLDUSERNAME] || ! $uri_vals[$NEWUSERNAME] ||
! $uri_vals[$PASSWORD] || ! $uri_vals[$PROFESSOR] ) {
! $uri_vals[$OLDPASSWORD] || ! $uri_vals[$NEWPASSWORD] || ! $uri_vals[$PROFESSOR] ) {
print("<result>-2</result>");
return;
}

/* If not already registered, fail. */
$this->db->select('id')->from('users')->where('username', $uri_vals[$OLDUSERNAME]);
$q = $this->db->get();
if ($q->num_rows() == 0) {
print("<result>-1</result>");
return;
}
/* Make sure the user is changing their own entry. */
if ( ! $this->quickauth->login( $uri_vals[$OLDUSERNAME], $uri_vals[$OLDPASSWORD] ) ) {
print("<result>-3</result>");
exit;
}

/* If the username is changing, make sure the new one is unused. */
if ( $uri_vals[$NEWUSERNAME] != $uri_vals[$OLDUSERNAME] ) {
$this->db->select('id')->from('users')->where('username', $uri_vals[$NEWUSERNAME]);
$q = $this->db->get();
if ($q->num_rows() != 0) {
print("<result>-4</result>");
return;
}
}

/* Get the professor's id. */
$this->db->select('id')->from('users')->where('username', $uri_vals[$PROFESSOR]);
Expand All @@ -277,14 +290,17 @@ public function update()
/* Update the user's info. */
$userdata = array(
'username' => $uri_vals[$NEWUSERNAME],
'password' => $this->quickauth->encrypt( $uri_vals[$PASSWORD] ),
'password' => $this->quickauth->encrypt( $uri_vals[$NEWPASSWORD] ),
'firstname' => '',
'lastname' => '',
'professorid' => $prof_id
);
$this->db->where('username', $uri_vals[$OLDUSERNAME]);
$this->db->update('users', $userdata);

/* Log the user back in. */
$this->quickauth->login($uri_vals[$NEWUSERNAME], $uri_vals[$NEWPASSWORD]);

/* Success! */
print("<result>1</result>\n");
}
Expand Down

0 comments on commit b4df304

Please sign in to comment.