authorFlorian Pritz <bluewind@xinu.at>2015-02-03 00:44:46 +0100
committerFlorian Pritz <bluewind@xinu.at>2015-02-03 00:44:46 +0100
commite2c2740365b1f25beca1e174c8c5bda2950b7466 (patch)
treeccfdfe9fae92954acb4d1d2199f3c06c345b45a1 /application
parentcb52a4cdc2daa45a61c728f5ec83603e6c6a71fa (diff)
implement api/user/create_apikey
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application')
-rw-r--r--application/controllers/api/v1/user.php14
-rw-r--r--application/core/MY_Controller.php8
2 files changed, 19 insertions, 3 deletions
diff --git a/application/controllers/api/v1/user.php b/application/controllers/api/v1/user.php
index 4c2e5345d..39c833d86 100644
--- a/application/controllers/api/v1/user.php
+++ b/application/controllers/api/v1/user.php
@@ -21,9 +21,19 @@ class user extends \controllers\api\api_controller {
$this->muser->require_access("full");
return send_json_reply(\service\user::apikeys($this->muser->get_userid()));
}
-
+
public function create_apikey()
{
- // TODO: implement
+ $this->muser->require_access("full");
+ $userid = $this->muser->get_userid();
+ $comment = $this->input->post("comment");
+ $comment = $comment === false ? "" : $comment;
+ $access_level = $this->input->post("access_level");
+
+ $key = \service\user::create_apikey($userid, $comment, $access_level);
+
+ return send_json_reply(array(
+ "new_key" => $key,
+ ));
}
}
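Review bot: In `create_apikey()`, `access_level` is passed from the POST body straight to `\service\user::create_apikey()` without the missing-field handling that `comment` gets two lines earlier, so a request that omits the field hands `false` to the service as the level. Whether the service rejects missing or unknown levels is not visible in this hunk. If it does not, the controller should stop before the call, for example with `if ($access_level === false) { /* reject via the API's error path */ }`, and check the value against the set of levels the application defines. It would also help to add a comment above `require_access("full")` stating whether a session authenticated by an API key that has full access is meant to be able to mint further keys, since revoking the original key would then not revoke the keys derived from it.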
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 1e724a865..fc08b10ae 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -66,7 +66,13 @@ class MY_Controller extends CI_Controller {
show_error("Function not JSON enabled");
}
- if ($this->input->post("apikey") !== false) {
+ if ($this->uri->segment(1) == "api") {
+ is_cli_client(true);
+ }
+
+ if ($this->input->post("apikey") !== false
+ || ($this->input->post("username") !== false
+ && $this->input->post("password") !== false)) {
/* This relies on the authentication code always verifying the supplied
* apikey. If the key is not verified/logged in an attacker could simply
* add an empty "apikey" field to the CSRF form to circumvent the