Merge pull request #25 from KLXM/skerbis-patch-5

Fix user erkennung
KLXM · Jan 31, 2025 · dfda927 · dfda927
2 parents cd4c1f6 + 358ae96
commit dfda927
Showing 1 changed file with 89 additions and 67 deletions.
diff --git a/lib/api/api_filepond.php b/lib/api/api_filepond.php
@@ -3,73 +3,95 @@ class rex_api_filepond_uploader extends rex_api_function
 {
     protected $published = true;
 
-public function execute()
-{
-   try {
-       $logger = rex_logger::factory();
-       $logger->log('info', 'FILEPOND: Starting execute()');
-
-       // Backend User Check
-       $user = rex_backend_login::createUser();
-       $isBackendUser = $user ? true : false;
-
-       $logger->log('info', 'FILEPOND: isBackendUser = ' . ($isBackendUser ? 'true' : 'false'));
-
-       // YCom Check
-       $isYComUser = false;
-       if (rex_plugin::get('ycom', 'auth')->isAvailable()) {
-           $ycomUser = rex_ycom_auth::getUser();
-           $isYComUser = $ycomUser && $ycomUser->getValue('status') == 1;
-       }
-
-       // Token Check
-       $apiToken = rex_config::get('filepond_uploader', 'api_token');
-       $requestToken = rex_request('api_token', 'string', null);
-       $sessionToken = rex_session('filepond_token', 'string', '');
-
-       $isValidToken = ($apiToken && $requestToken && hash_equals($apiToken, $requestToken)) || 
-                      ($apiToken && $sessionToken && hash_equals($apiToken, $sessionToken));
-
-       if (!$isBackendUser && !$isYComUser && !$isValidToken) {
-           throw new rex_api_exception('Unauthorized access - requires valid API token, Backend login or YCom login');
-       }
-
-       $func = rex_request('func', 'string', '');
-       $categoryId = rex_request('category_id', 'int', 0);
-
-       switch ($func) {
-           case 'upload':
-               $result = $this->handleUpload($categoryId);
-               rex_response::cleanOutputBuffers();
-               rex_response::sendJson($result);
-               exit;
-
-           case 'delete':
-               $result = $this->handleDelete();
-               rex_response::cleanOutputBuffers();
-               rex_response::sendJson($result);
-               exit;
-
-           case 'load':
-               return $this->handleLoad();
-
-           case 'restore':
-               $result = $this->handleRestore();
-               rex_response::cleanOutputBuffers();
-               rex_response::sendJson($result);
-               exit;
-
-           default:
-               throw new rex_api_exception('Invalid function');
-       }
-   } catch (Exception $e) {
-       rex_logger::logException($e);
-       rex_response::cleanOutputBuffers();
-       rex_response::setStatus(rex_response::HTTP_INTERNAL_ERROR);
-       rex_response::sendJson(['error' => $e->getMessage()]);
-       exit;
-   }
-}
+    public function execute()
+    {
+        try {
+            $logger = rex_logger::factory();
+            $logger->log('info', 'FILEPOND: Starting execute()');
+
+            // Backend User Check
+            $user = rex_backend_login::createUser();
+            $isBackendUser = $user ? true : false;
+
+            $logger->log('info', 'FILEPOND: isBackendUser = ' . ($isBackendUser ? 'true' : 'false'));
+
+            // Token Check
+            $apiToken = rex_config::get('filepond_uploader', 'api_token');
+            $requestToken = rex_request('api_token', 'string', null);
+            $sessionToken = rex_session('filepond_token', 'string', '');
+
+            $isValidToken = ($apiToken && $requestToken && hash_equals($apiToken, $requestToken)) ||
+                ($apiToken && $sessionToken && hash_equals($apiToken, $sessionToken));
+
+            $authorized = false;
+
+            $isYComUser = false;
+            if (rex_plugin::get('ycom', 'auth')->isAvailable()) {
+                if (rex_ycom_auth::getUser()) {
+                    $authorized = true;
+                    $isYComUser = true;
+                }
+            }
+
+            if ($isBackendUser) {
+                $authorized = true;
+            }
+            if ($isValidToken) {
+                $authorized = true;
+            }
+
+            if (!$authorized) {
+                $errors = [];
+                if (!$isYComUser) {
+                    $errors[] = 'no YCom login';
+                }
+                if (!$isBackendUser) {
+                    $errors[] = 'no Backend login';
+                }
+                if (!$isValidToken) {
+                    $errors[] = 'invalid API token';
+                }
+                throw new rex_api_exception('Unauthorized access - ' . implode(', ', $errors));
+            }
+
+
+            $func = rex_request('func', 'string', '');
+            $categoryId = rex_request('category_id', 'int', 0);
+
+            switch ($func) {
+                case 'upload':
+                    $result = $this->handleUpload($categoryId);
+                    rex_response::cleanOutputBuffers();
+                    rex_response::sendJson($result);
+                    exit;
+
+                case 'delete':
+                    $result = $this->handleDelete();
+                    rex_response::cleanOutputBuffers();
+                    rex_response::sendJson($result);
+                    exit;
+
+                case 'load':
+                    return $this->handleLoad();
+
+                case 'restore':
+                    $result = $this->handleRestore();
+                    rex_response::cleanOutputBuffers();
+                    rex_response::sendJson($result);
+                    exit;
+
+                default:
+                    throw new rex_api_exception('Invalid function');
+            }
+        } catch (Exception $e) {
+            rex_logger::logException($e);
+            rex_response::cleanOutputBuffers();
+            rex_response::setStatus(rex_response::HTTP_INTERNAL_ERROR);
+            rex_response::sendJson(['error' => $e->getMessage()]);
+            exit;
+        }
+    }
+
     protected function handleUpload($categoryId)
     {
         if (!isset($_FILES['filepond'])) {