From d9299887d4019c1fce0f0aa1f327221210715de7 Mon Sep 17 00:00:00 2001 From: Gnieark Date: Thu, 27 Apr 2017 19:35:58 +0200 Subject: [PATCH] API KEY management OK --- _define.php | 2 +- _public.php | 8 ++++ inc/class.rest.key.php | 97 ++++++++++++++++++++++++++++++++++++++++++ index.php | 26 ++++++++--- 4 files changed, 127 insertions(+), 6 deletions(-) create mode 100644 inc/class.rest.key.php diff --git a/_define.php b/_define.php index af50913..c4f2bc2 100644 --- a/_define.php +++ b/_define.php @@ -14,7 +14,7 @@ if (!defined('DC_RC_PATH')) { return; } $this->registerModule( /* Name */ "rest", /* Description*/ "A JSON/REST API for Dotclear", - /* Author */ "Gnieark (hope some others contributors", + /* Author */ "Gnieark (hope some others contributors)", /* Version */ '0.0.1', array( 'permissions' => 'usage,contentadmin', diff --git a/_public.php b/_public.php index 7b538af..eaf7fff 100644 --- a/_public.php +++ b/_public.php @@ -12,6 +12,14 @@ class rest extends dcUrlHandlers self::p404(); return; } + + //To do make headers optionals + header('Access-Control-Allow-Origin: *'); + header('Access-Control-Allow-Methods: GET, POST'); + header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept'); + + + echo "HELLO".$_SERVER['REQUEST_METHOD'].$args; } } \ No newline at end of file diff --git a/inc/class.rest.key.php b/inc/class.rest.key.php new file mode 100644 index 0000000..ac986c2 --- /dev/null +++ b/inc/class.rest.key.php 
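Review bot: `$args` on the last added line of the _public.php hunk comes straight from the request URL and is echoed unescaped into a default text/html response, so this placeholder reflects caller-chosen markup back to the browser; until the real responder lands, emit `echo html::escapeHTML($args);` or send `Content-Type: application/json` and return encoded JSON. The `Access-Control-Allow-Origin: *` header added above it lets any origin read these responses, which is only acceptable if the API never authenticates by Dotclear session cookie; that constraint belongs in the comment that currently only says the headers should become optional. The enclosing method starts before this hunk, so the code that sets `$args` is not visible here.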
@@ -0,0 +1,97 @@ +key = ''; + } + public function new_key($dcUserId) + { + $this->key = $this->rand_str(); + $this -> put_dc_setting_user_key($dcUserId); + return $this->key; + } + + public function set_key($key) + { + $this->key = $key; + } + + public function get_dc_admin_form($dcUserId) + { + + global $core; + + //tester si une clef d'API a été générée + + if($this->dc_is_key_setting_set($dcUserId)){ + $infoFormApiKey = __('Your api key has already been created.'); + $buttonFormApiKey = __('Erase existing API key and generate a new one for').' '.$dcUserId; + }else{ + $infoFormApiKey = __('No API key found.'); + $buttonFormApiKey = __('Generate a API key for').' '.$dcUserId; + } + + if($this->key == ''){ + $infoKey = $infoFormApiKey; + }else{ + $infoKey = '

'.__('The api key is').':
'. + __('Copy and paste it, You will cannot see it again.').'

'; + } + + + return '
'. + $infoKey. + '

'. + $core->formNonce(). + '
'; + } + + private function dc_is_key_setting_set($dcUserId) + { + global $core; + + $apiKeyName = $this->get_dc_setting_api_name($dcUserId); + $currentHashedKey = $core->blog->settings->rest->{$apiKeyName}; + if(empty($currentHashedKey)){ + return false; + }else{ + return true; + } + } + + private function put_dc_setting_user_key($dcUserId) + { + global $core; + + if ($this->key == ''){ + //don't save an empty key + return false; + } + $hash = md5($this->key); + $core->blog->settings->rest->put( + $this->get_dc_setting_api_name($dcUserId), + $hash, + 'string' + ); + return $hash; + } + + private function get_dc_setting_api_name($dcUserId) + { + return 'rest_key_'.$dcUserId; + } + + private function rand_str($length = 32, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890') + { + $chars_length = (strlen($chars) - 1); + $string = $chars{rand(0, $chars_length)}; + for ($i = 1; $i < $length; $i = strlen($string)){ + $r = $chars{rand(0, $chars_length)}; + if ($r != $string{$i - 1}) $string .= $r; + } + return $string; + } +} \ No newline at end of file diff --git a/index.php b/index.php index c69256f..dc4f640 100644 --- a/index.php +++ b/index.php @@ -2,6 +2,8 @@ if (!defined('DC_CONTEXT_ADMIN')) { return; } +require_once(dirname(__FILE__).'/inc/class.rest.key.php'); +$apiKey = new ApiKey; // Setting default parameters if missing configuration $core->blog->settings->addNamespace('rest'); @@ -21,8 +23,8 @@ if (is_null($core->blog->settings->rest->rest_active)) { $active = (boolean)$core->blog->settings->rest->rest_active; $openApi = (boolean)$core->blog->settings->rest->rest_is_open; -//apply -if (!empty($_POST['saveconfig'])) { +//Sousmission Formulaire parametres +if ((!empty($_POST['saveconfig'])) && ($core->auth->isSuperAdmin())) { try { $core->blog->settings->addNameSpace('rest'); 
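Review bot: rand_str() builds the API key from rand(), which is not a cryptographically secure generator, so the token this whole class exists to protect is predictable to anyone who can narrow down the seed; draw each character with random_int() instead, as sketched below. put_dc_setting_user_key() stores `md5($this->key)` unsalted; a 32-character random key is not brute-forceable the way a password is, so a fast hash is tolerable, but md5 should still give way to `$hash = hash('sha256', $this->key);`, and whichever code later compares a presented key to this digest (not in this patch) should do so with hash_equals(). The `$chars{...}` string-offset syntax used twice in rand_str() is removed in PHP 8, so `$chars[...]` keeps the file loading on current interpreters. The rejection of two identical consecutive characters in the loop only lowers entropy and can be dropped.
```php
    private function rand_str($length = 32, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890')
    {
        // random_int() is a CSPRNG; rand() is predictable and must not produce secrets
        $lastIndex = strlen($chars) - 1;
        $string = '';
        for ($i = 0; $i < $length; $i++) {
            $string .= $chars[random_int(0, $lastIndex)];
        }
        return $string;
    }
```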
@@ -39,12 +41,25 @@ if (!empty($_POST['saveconfig'])) { $core->error->add($e->getMessage()); } } +//Sousmission Formulaire Reset API Key +if(!empty($_POST['resetApiKey'])){ + $core->blog->settings->addNameSpace('rest'); + $apiKey -> new_key($core->auth->userID()); + dcPage::addSuccessNotice(__('Your new key is').' '.$apiKey->key); +} +//is user admin isSuperAdmin + ?> Rest API config +

+ get_dc_admin_form($core->auth->userID()); ?> + +auth->isSuperAdmin()): ?> +

Rest API configuration

@@ -55,13 +70,14 @@ if (!empty($_POST['saveconfig'])) {
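Review bot: The new resetApiKey branch near the top of the preceding hunk acts on a POST with no nonce check, so any page the logged-in user visits can submit that form cross-site and silently rotate their key, invalidating the one their clients hold; since the form already emits `$core->formNonce()`, gate it with `if (!empty($_POST['resetApiKey']) && $core->checkNonce()) {`. The saveconfig branch's try body lies outside this hunk, so whether it checks the nonce cannot be seen here. The freshly generated key is also copied into `dcPage::addSuccessNotice(...)` in addition to the form; if notices are kept in the session or logged, the secret outlives the single response that the form text ('You will cannot see it again') promises, so showing it once via get_dc_admin_form() alone is safer. The dangling `//is user admin isSuperAdmin` comment above the `?>` should be removed or completed.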

-

If checked, few methods as GET will be allowed to externals users without API key. - However, they won't be able to request for non public content.

+

formNonce(); ?>

+ - + \ No newline at end of file