This is a big change, so please be cautious

- Added: First version of client api access with client user credentials
- Changed: 
  - merged remoting_lib and tform into one new base file where appropriate
  - moved some methods into helper methods
  only those methods remain in remoting_lib or tform that are completely
  different in these files or are only used in one of them
- Changed: added check of _GET array in json api handler

Author: mcramer

interface/lib/classes/json_handler.inc.php

@@ -82,7 +82,11 @@ private function _return_json($code, $message, $data = false) {
 
     public function run() {
 
-        $method = reset(array_keys($_GET));
+        if(!isset($_GET) || !is_array($_GET) || count($_GET) < 1) {
+            $this->_return_json('invalid_method', 'Method not provided in json call');
+        }
+        $keys = array_keys($_GET);
+        $method = reset($keys);
         $params = array();
 
         if(is_array($_POST)) {

interface/lib/classes/remoting.inc.php

@@ -59,14 +59,15 @@ public function __construct($methods = array())
         $app->uses('remoting_lib');
 
         $this->_methods = $methods;
-		/*
+		
+        /*
         $this->app = $app;
         $this->conf = $conf;
 		*/
     }
 
     //* remote login function
-	public function login($username, $password)
+	public function login($username, $password, $client_login = false)
     {
 		global $app, $conf;
 
@@ -95,24 +96,74 @@ public function login($username, $password)
 		$username = $app->db->quote($username);
 		$password = $app->db->quote($password);
 
-		$sql = "SELECT * FROM remote_user WHERE remote_username = '$username' and remote_password = md5('$password')";
-		$remote_user = $app->db->queryOneRecord($sql);
-		if($remote_user['remote_userid'] > 0) {
-			//* Create a remote user session
-			srand ((double)microtime()*1000000);
-			$remote_session = md5(rand());
-			$remote_userid = $remote_user['remote_userid'];
-			$remote_functions = $remote_user['remote_functions'];
-			$tstamp = time() + $this->session_timeout;
-			$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
+        if($client_login == true) {
+            $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
+            $user = $app->db->queryOneRecord($sql);
+            if($user) {
+                $saved_password = stripslashes($user['passwort']);
+
+                if(substr($saved_password,0,3) == '$1$') {
+                    //* The password is crypt-md5 encrypted
+                    $salt = '$1$'.substr($saved_password,3,8).'$';
+
+                    if(crypt(stripslashes($password),$salt) != $saved_password) {
+                        throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
+                        return false;
+                    }
+                } else {
+                    //* The password is md5 encrypted
+                    if(md5($password) != $saved_password) {
+                        throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
+                        return false;
+                    }
+                }
+            } else {
+                throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
+                return false;
+            }
+            if($user['active'] != 1) {
+                throw new SoapFault('client_login_failed', 'The login failed. User is blocked.');
+                return false;
+            }
+            
+            // now we need the client data
+            $client = $app->db->queryOneRecord("SELECT client.can_use_api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = " . $app->functions->intval($user['default_group']));
+            if(!$client || $client['can_use_api'] != 'y') {
+                throw new SoapFault('client_login_failed', 'The login failed. Client may not use api.');
+                return false;
+            }
+            
+            //* Create a remote user session
+            //srand ((double)microtime()*1000000);
+            $remote_session = md5(mt_rand().uniqid('ispco'));
+            $remote_userid = $user['userid'];
+            $remote_functions = '';
+            $tstamp = time() + $this->session_timeout;
+            $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,client_login,tstamp'
                    .') VALUES ('
-                   ." '$remote_session',$remote_userid,'$remote_functions',$tstamp)";
-			$app->db->query($sql);
-			return $remote_session;
+                   ." '$remote_session',$remote_userid,'$remote_functions',1,$tstamp)";
+            $app->db->query($sql);
+            return $remote_session;
 		} else {
-			throw new SoapFault('login_failed', 'The login failed. Username or password wrong.');
-			return false;
-		}
+            $sql = "SELECT * FROM remote_user WHERE remote_username = '$username' and remote_password = md5('$password')";
+            $remote_user = $app->db->queryOneRecord($sql);
+            if($remote_user['remote_userid'] > 0) {
+                //* Create a remote user session
+                //srand ((double)microtime()*1000000);
+                $remote_session = md5(mt_rand().uniqid('ispco'));
+                $remote_userid = $remote_user['remote_userid'];
+                $remote_functions = $remote_user['remote_functions'];
+                $tstamp = time() + $this->session_timeout;
+                $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
+                       .') VALUES ('
+                       ." '$remote_session',$remote_userid,'$remote_functions',$tstamp)";
+                $app->db->query($sql);
+                return $remote_session;
+            } else {
+                throw new SoapFault('login_failed', 'The login failed. Username or password wrong.');
+                return false;
+            }
+        }
 
 	}
 
@@ -389,6 +440,16 @@ protected function checkPerm($session_id, $function_name)
             return false;
         }
 
+        $_SESSION['client_login'] = $session['client_login'];
+        if($session['client_login'] == 1) {
+            // permissions are checked at an other place
+            $_SESSION['client_sys_userid'] = $session['remote_userid'];
+            $app->remoting_lib->loadUserProfile(); // load the profile - we ALWAYS need this on client logins!
+            return true;
+        } else {
+            $_SESSION['client_sys_userid'] = 0;
+        }
+        
 		$dobre= str_replace(';',',',$session['remote_functions']);
 		$check = in_array($function_name, explode(',', $dobre) );
 		if(!$check) {