author | Florian Pritz <bluewind@xinu.at> | 2015-02-03 00:44:46 +0100 |
---|---|---|
committer | Florian Pritz <bluewind@xinu.at> | 2015-02-03 00:44:46 +0100 |
commit | e2c2740365b1f25beca1e174c8c5bda2950b7466 (patch) | |
tree | ccfdfe9fae92954acb4d1d2199f3c06c345b45a1 /application | |
parent | cb52a4cdc2daa45a61c728f5ec83603e6c6a71fa (diff) |
implement api/user/create_apikey
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application')
-rw-r--r-- | application/controllers/api/v1/user.php | 14 | ||||
-rw-r--r-- | application/core/MY_Controller.php | 8 |
2 files changed, 19 insertions, 3 deletions
diff --git a/application/controllers/api/v1/user.php b/application/controllers/api/v1/user.php
index 4c2e5345d..39c833d86 100644
--- a/application/controllers/api/v1/user.php
+++ b/application/controllers/api/v1/user.php
@@ -21,9 +21,19 @@ class user extends \controllers\api\api_controller {
 $this->muser->require_access("full");
 return send_json_reply(\service\user::apikeys($this->muser->get_userid()));
 }
-
+
 public function create_apikey()
 {
- // TODO: implement
+ $this->muser->require_access("full");
+ $userid = $this->muser->get_userid();
+ $comment = $this->input->post("comment");
+ $comment = $comment === false ? "" : $comment;
+ $access_level = $this->input->post("access_level");
+
+ $key = \service\user::create_apikey($userid, $comment, $access_level);
+
+ return send_json_reply(array(
+ "new_key" => $key,
+ ));
 }
 }
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 1e724a865..fc08b10ae 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -66,7 +66,13 @@ class MY_Controller extends CI_Controller {
 show_error("Function not JSON enabled");
 }
 
- if ($this->input->post("apikey") !== false) {
+ if ($this->uri->segment(1) == "api") {
+ is_cli_client(true);
+ }
+
+ if ($this->input->post("apikey") !== false
+ || ($this->input->post("username") !== false
+ && $this->input->post("password") !== false)) {
 /* This relies on the authentication code always verifying the supplied
 * apikey. If the key is not verified/logged in an attacker could simply
 * add an empty "apikey" field to the CSRF form to circumvent the |
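Review bot: `access_level` is read from POST and handed to `\service\user::create_apikey()` unchanged, while `comment` two lines above gets a default for the missing-field case, so a request without the field passes `false` as the access level. Whether the service checks the value against the known levels is not visible in this hunk, so the controller should reject a missing field itself, for example `if ($access_level === false) { show_error("access_level is required"); }`, or with the project's API error helper if one exists. A comment above the call, `// access_level is caller-supplied; the service must reject unknown levels`, would make that dependency explicit for the next reader.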
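Review bot: The widened condition exempts any request that carries both `username` and `password` POST fields, on every controller and not only under `api/`, while the comment below it still speaks only of the apikey. The body of this `if` lies outside the hunk, but going by that comment it skips the CSRF check, which would then presumably also cover a browser login form posting the same two field names. Tying the new branch to the API route keeps the exemption narrow: `|| ($this->uri->segment(1) === "api" && $this->input->post("username") !== false && $this->input->post("password") !== false)) {`. The route test in the added `if` above should use `===` as well, and the comment should state that the exemption now also depends on the username/password pair always being verified.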