From eaa3f52364397ba2817d4ffe699dbd4bbd5086b1 Mon Sep 17 00:00:00 2001
From: Benjamin Sonntag
Date: Sun, 21 Sep 2014 16:44:06 +0200
Subject: [PATCH] [fix] Auth OK, Call OK

---
 api/panel/index.php | 9 +++++----
 lib/Alternc/Api/Response.php | 2 +-
 lib/Alternc/Api/Service.php | 11 ++++++-----
 lib/Alternc/Api/Token.php | 5 +++--
 4 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/api/panel/index.php b/api/panel/index.php
index f8e89685..cba32848 100644
--- a/api/panel/index.php
+++ b/api/panel/index.php
@@ -103,7 +103,7 @@ function apicall($data,$token,$mode) {
 $options["loginAdapterList"]=array("sharedsecret","login");
 // TODO (no loggerAdapter PSR3-Interface-compliant class as of now)
 try {
-
+ $data["token_hash"]=$token;
 $service=new Alternc_Api_Service($options);
 $response = $service->call(
@@ -118,7 +118,7 @@ function apicall($data,$token,$mode) {
 // something went wrong, we spit out the exception as an Api_Response
 // TODO : Don't do that on production! spit out a generic "fatal error" code and LOG the exception !
 header("Content-Type: application/json");
- $response=new Alternc_Api_Response(array("code" => $e->code, "message" => $e->message));
+ $response=new Alternc_Api_Response(array("code" => $e->getCode(), "message" => $e->getMessage() ));
 echo $response->toJson();
 exit();
 }
@@ -185,8 +185,7 @@ if ($_SERVER["REQUEST_URI"]=="/api/post") {
 exit();
 }
 }
-
-if (preg_match("#^/api/rest/([^/]*)/([^/\?]*)[/\?]?$#",$_SERVER["REQUEST_URI"],$mat)) {
+if (preg_match("#^/api/rest/([^/]*)/([^/\?]*)[/\?]?#",$_SERVER["REQUEST_URI"],$mat)) {
 if ($_SERVER["REQUEST_METHOD"]=="POST") {
 $data=array("options" => $_POST,
 "object" => $mat[1],
@@ -205,3 +204,5 @@ if (preg_match("#^/api/rest/([^/]*)/([^/\?]*)[/\?]?$#",$_SERVER["REQUEST_URI"],$
 exit();
 }
 }
+
+echo "I did nothing. Did you call the api properly?";
\ No newline at end of file
diff --git a/lib/Alternc/Api/Response.php b/lib/Alternc/Api/Response.php
index fe6debe1..ac54ec84 100644
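Review bot: The rewritten catch branch still hands `$e->getMessage()` verbatim to the HTTP client, so a PDOException thrown by the PDO calls in Service.php or Token.php (SQL fragments, table names, driver details) leaks straight out; the TODO on the line above names the problem but the commit does not act on it. Since `Alternc_Api_Service` raises its own exceptions with `self::ERR_*` codes and client-safe messages, a cheap split is to log everything and only echo those: `error_log("apicall: ".get_class($e).": ".$e->getMessage());`, then `$msg = ($e instanceof \PDOException) ? "Internal error" : $e->getMessage();`, and pass `$msg` in place of `$e->getMessage()`. Note too that `PDOException::getCode()` returns the SQLSTATE string rather than an int, so the JSON `code` field would not always be numeric. `apicall()` begins and ends outside this hunk and the `catch` line itself is not shown, so which exception type is caught is inferred.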
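Review bot: Dropping the `$` anchor from the `/api/rest/` route pattern turns the trailing `[/\?]?` into a no-op and makes the router accept any URI that merely begins with `/api/rest/<object>/<action>`, extra path segments included, so malformed paths are no longer rejected at the door. If the anchor was removed because `REQUEST_URI` carries a query string, match the path component and keep the anchor instead: `$path = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);` followed by `if (preg_match("#^/api/rest/([^/]+)/([^/]+)/?$#", $path, $mat)) {` (using `+` rather than `*` so an empty object or action segment is refused up front). Whether `$mat[1]` and `$mat[2]`, which presumably become the dispatched object and action names, are later checked against a whitelist is not visible here, and the `if` body continues past the hunk.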
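Review bot: The new fallback `echo "I did nothing. Did you call the api properly?";` goes out with PHP's default 200 status, so an unrecognised API path looks like a successful call to any client that only checks the status code; add `http_response_code(404);` before the `echo`, or build the error with `Alternc_Api_Response` so it is JSON like every other reply from this file. The diff also shows the file now ends without a trailing newline.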
--- a/lib/Alternc/Api/Response.php
+++ b/lib/Alternc/Api/Response.php
@@ -46,7 +46,7 @@ class Alternc_Api_Response {
 * initialize a response object
 * @param options any of the public above
 */
- public function __constructor($options=array()) {
+ public function __construct($options=array()) {
 $os=array("code","message","content","metadata");
 foreach ($os as $o) {
 if (isset($options[$o])) $this->$o=$options[$o];
diff --git a/lib/Alternc/Api/Service.php b/lib/Alternc/Api/Service.php
index 1353c1f4..9bd06240 100644
--- a/lib/Alternc/Api/Service.php
+++ b/lib/Alternc/Api/Service.php
@@ -86,7 +86,7 @@ class Alternc_Api_Service {
 if (count($this->allowedAuth) && !in_array($auth["method"],$this->allowedAuth)) {
 throw new \Exception("Method not allowed", self::ERR_METHOD_DENIED);
 }
- if (isset($auth["options"]["uid"]) && !is_int($auth["options"]["uid"])) {
+ if (isset($auth["options"]["uid"]) && !intval($auth["options"]["uid"])) {
 throw new \Exception("Invalid UID", self::ERR_INVALID_ARGUMENT);
 }
@@ -109,9 +109,10 @@ class Alternc_Api_Service {
 return new Alternc_Api_Response( array("code" => self::ERR_SETUID_FORBIDDEN, "message" => "This user is not allowed to set his uid") );
 }
 // Search for the requested user. We allow using *disabled* account here since we are admin
- foreach($db->query("SELECT uid FROM membres WHERE uid=?",array($auth["options"]["uid"])) as $setuid) {
- $token->uid=$setuid;
- $db->exec("UPDATE token SET uid=? WHERE token=?",array( $token->uid, $token->token) );
+ foreach($this->db->query("SELECT uid FROM membres WHERE uid=".intval($auth["options"]["uid"])) as $setuid) {
+ $token->uid=intval($setuid['uid']);
+ $stmt=$this->db->prepare("UPDATE token SET data=? WHERE token=?");
+ $stmt->execute(array( $token->toJson(), $token->token));
 return $token;
 }
 return new Alternc_Api_Response( array("code" => self::ERR_SETUID_USER_NOT_FOUND, "message" => "Can't find the user you want to setuid to") );
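Review bot: The docblock `@param options any of the public above` does not say which keys are honoured or that every other key is silently dropped, and that matters now that the constructor actually runs (PHP only invokes `__construct`, so the old `__constructor` was never called and callers passing `code`/`message` presumably got default-valued responses). Suggest `@param array $options optional keys "code", "message", "content", "metadata"; any other key is ignored, and a key whose value is null is skipped because of isset()`. The `foreach` body and the method's closing brace lie outside the hunk.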
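Review bot: Swapping `!is_int()` for `!intval()` weakens the uid check rather than fixing it: `intval("12abc")` is 12 so a junk suffix now passes, while `intval("0")` is 0 so a uid of 0 is rejected as "Invalid UID" even though the later SELECT would accept it. If the goal is to accept the uid as a request string, validate it as a whole integer instead: `if (isset($auth["options"]["uid"]) && filter_var($auth["options"]["uid"], FILTER_VALIDATE_INT) === false) {`. Whether uid 0 is a legitimate account id is not visible here, and the enclosing method starts before and ends after this hunk.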
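Review bot: The member lookup is now assembled by string concatenation, `"... WHERE uid=".intval($auth["options"]["uid"])`, while the UPDATE two lines below uses `prepare`/`execute`; the `intval()` cast makes this particular concatenation injection-safe, but it is the only unparameterised query in the patch and the pattern invites copying without the cast. Use the same prepared form: `$stmt=$this->db->prepare("SELECT uid FROM membres WHERE uid=?");`, `$stmt->execute(array(intval($auth["options"]["uid"])));`, `foreach($stmt as $setuid) {`. Also, if the PDO handle is not in `ERRMODE_EXCEPTION`, `$this->db->query()` returns false on a database error and the `foreach` over false would warn and fall through to the "Can't find the user" response, reporting a DB failure as a bad uid; given that this is a privilege change it is worth distinguishing and logging. The setuid method continues outside the hunk.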
@@ -149,7 +150,7 @@ class Alternc_Api_Service {
 $request->token=$this->token;
 // we receive $request->token_hash as a STRING, but we transmit its object as an Alternc_Api_Token.
 // TODO: log this Api Call
- return $object->$action($request);
+ return $object->$action($request->options);
 }
diff --git a/lib/Alternc/Api/Token.php b/lib/Alternc/Api/Token.php
index 8607e6e6..5c07d577 100644
--- a/lib/Alternc/Api/Token.php
+++ b/lib/Alternc/Api/Token.php
@@ -114,8 +114,9 @@ class Alternc_Api_Token {
 if (!is_string($token) || !preg_match("#^[a-zA-Z0-9]{32}$#",$token)) {
 return new Alternc_Api_Response( array("code" => self::ERR_INVALID_TOKEN, "message" => "Invalid token") );
 }
-
- foreach($db->query("SELECT * FROM token WHERE token=?", array($token)) as $tok) {
+ $stmt=$db->prepare("SELECT * FROM token WHERE token=?");
+ $stmt->execute(array($token));
+ while ($tok=$stmt->fetch(PDO::FETCH_OBJ)) {
 return new Alternc_Api_Token( json_decode($tok->data,true) );
 }
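Review bot: Passing `$request->options` instead of `$request` means the action method no longer sees the caller's token, so the `$request->token=$this->token;` assignment two lines above and the comment promising that the token object is transmitted are now dead; either pass `$request` through so object implementations can authorise per user, or delete the assignment and reword the comment, e.g. `// the action receives only the request options; the caller's token stays in $this->token`. The hunk does not show how `$action` is validated before the dynamic `$object->$action(...)` call; the action name presumably originates from the URL captured in api/panel/index.php, so a method_exists()/whitelist check should exist above this hunk, which is what keeps magic or private methods out of reach. The enclosing method starts outside the hunk, and the `// TODO: log this Api Call` remains open.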