authorTim Almdal <tnalmdal@shaw.ca>2009-12-08 18:06:16 -0800
committerTim Almdal <tnalmdal@shaw.ca>2009-12-08 18:06:16 -0800
commit837396ca2889b9e4e4a7b33a31409a2cd12a483c (patch)
treefaf5f67d49ea2bea2fa13aae0b2731d56cb1b7a0 /modules/rest
parent6fd04069aec67ff115cac4296c013cb5eea6782b (diff)
Change the url mapping so that path to the is part of the url
The request key is put in the X-Gallery-Request-Key header. The HTTP method can be overridden by using the X-Gallery-Request-Method header. Normalize the request data so that it doesn't matter where it comes from (HTTP get or HTTP post request).
Diffstat (limited to 'modules/rest')
-rw-r--r--modules/rest/controllers/rest.php87
-rw-r--r--modules/rest/helpers/rest.php5
-rw-r--r--modules/rest/tests/Rest_Controller_Test.php70
3 files changed, 73 insertions, 89 deletions
diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php
index 0e5cbe96..0c88877a 100644
--- a/modules/rest/controllers/rest.php
+++ b/modules/rest/controllers/rest.php
@@ -47,58 +47,77 @@ class Rest_Controller extends Controller {
}
public function __call($function, $args) {
- $access_token = $this->input->get("request_key");
- $request = $this->input->post("request", null);
+ $request = $this->_normalize_request($args);
- if (empty($access_token)) {
+ if (empty($request->access_token)) {
print rest::forbidden("No access token supplied.");
return;
}
try {
- $key = ORM::factory("user_access_token")
- ->where("access_key", $access_token)
- ->find();
+ if ($this->_set_active_user($request->access_token)) {
+ $handler_class = "{$function}_rest";
+ $handler_method = "{$request->method}";
- if (!$key->loaded) {
- print rest::forbidden("Invalid key: $access_token");
- return;
- }
+ if (!method_exists($handler_class, $handler_method)) {
+ print rest::not_implemented("$handler_class::$handler_method is not implemented");
+ return;
+ }
- $user = identity::lookup_user($key->user_id);
- if (empty($user)) {
- print rest::forbidden("User not found: {$key->user_id}");
- return;
+ print call_user_func(array($handler_class, $handler_method), $request);
}
+ } catch (Exception $e) {
+ print rest::internal_error($e);
+ }
+ }
- if (!empty($request)) {
- $method = strtolower($this->input->server("HTTP_X_HTTP_METHOD_OVERRIDE", "POST"));
+ private function _normalize_request($args) {
+ $method = strtolower($this->input->server("REQUEST_METHOD"));
+ if ($method != "get") {
+ $request = $this->input->post("request", null);
+ if ($request) {
$request = json_decode($request);
} else {
- print rest::invalid_request("Empty Request");
- return;
+ $request = new stdClass();
}
-
-
- if (empty($args[0])) {
- print rest::invalid_request("Resource not supplied");
- return;
+ } else {
+ $request = new stdClass();
+ foreach (array_keys($_GET) as $key) {
+ if ($key == "request_key") {
+ continue;
+ }
+ $request->$key = $this->input->get($key);
}
+ }
- $handler_class = "{$function}_rest";
- $handler_method = "{$method}_{$args[0]}";
+ $override_method = strtolower($this->input->server("HTTP_X_GALLERY_REQUEST_METHOD", null));
+ $request->method = empty($override_method) ? $method : $override_method;
+ $request->access_token = $this->input->server("HTTP_X_GALLERY_REQUEST_KEY");
+ $request->path = implode("/", $args);
- if (!method_exists($handler_class, $handler_method)) {
- print rest::not_implemented("$handler_class::$handler_method is not implemented");
- return;
- }
+ return $request;
+ }
- identity::set_active_user($user);
+ private function _set_active_user($access_token) {
+ if (empty($access_token)) {
+ $user = identity::guest();
+ } else {
+ $key = ORM::factory("user_access_token")
+ ->where("access_key", $access_token)
+ ->find();
- print call_user_func(array($handler_class, $handler_method), $request);
- } catch (Exception $e) {
- print rest::internal_error($e);
+ if ($key->loaded) {
+ $user = identity::lookup_user($key->user_id);
+ if (empty($user)) {
+ print rest::forbidden("User not found: {$key->user_id}");
+ return false;;
+ }
+ } else {
+ print rest::forbidden("Invalid user access token supplied: {$key->user_id}");
+ return false;
+ }
}
+ identity::set_active_user($user);
+ return true;
}
-
} \ No newline at end of file
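Review bot: The handler method name in `__call` is now fully client-controlled: `_normalize_request` copies the `X-Gallery-Request-Method` header into `$request->method`, and `$handler_method = "{$request->method}"` goes to `call_user_func` with no prefix and no allow-list, so the caller can select any static method that exists on `{$function}_rest`. Restrict it before the `method_exists` check, e.g. `if (!in_array($request->method, array("get", "post", "put", "delete"))) { print rest::invalid_request("Unsupported method"); return; }`. `_normalize_request` also uses the result of `json_decode($request)` without checking that it is an object, so a malformed or non-object POST body reaches `$request->method = ...`; fall back to `new stdClass()` when `!is_object($request)`. Separately, the guest branch in `_set_active_user` is unreachable because `__call` rejects an empty token first, and the "Invalid user access token supplied" message interpolates `$key->user_id` from a record that was not loaded.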
diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php
index 64a32d40..22c13be9 100644
--- a/modules/rest/helpers/rest.php
+++ b/modules/rest/helpers/rest.php
@@ -60,9 +60,12 @@ class rest_Core {
if (!empty($message)) {
$response["message"] = (string)$message;
}
+ if ($response_data) {
+ $response = array_merge($response, $response_data);
+ }
// We don't need to save the session for this request
Session::abort_save();
- return json_encode(array_merge($response, $response_data));
+ return json_encode($response);
}
private static function _format_response($message, $log_message) {
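Review bot: `if ($response_data)` tests only truthiness, so a non-empty value that is not an array would still reach `array_merge`; `if (is_array($response_data))` states the intent more safely. Because the merge runs after `status` and `message` are set, a handler-supplied key with either name silently replaces the envelope value, which deserves a comment such as `// keys in $response_data override "status" and "message"` or a check that rejects those keys. The function signature is outside this hunk, so the default of `$response_data` is not visible here.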
diff --git a/modules/rest/tests/Rest_Controller_Test.php b/modules/rest/tests/Rest_Controller_Test.php
index afac2d05..1417c315 100644
--- a/modules/rest/tests/Rest_Controller_Test.php
+++ b/modules/rest/tests/Rest_Controller_Test.php
@@ -72,7 +72,7 @@ class Rest_Controller_Test extends Unit_Test_Case {
}
public function rest_access_key_no_parameters_test() {
- $_SERVER["REQUEST_METHOD"] = "POST";
+ $_SERVER["REQUEST_METHOD"] = "GET";
$this->assert_equal(
json_encode(array("status" => "ERROR", "message" => (string)t("Authorization failed"))),
@@ -90,7 +90,6 @@ class Rest_Controller_Test extends Unit_Test_Case {
public function rest_access_key_invalid_password_test() {
$_SERVER["REQUEST_METHOD"] = "POST";
- $_POST["request"] = json_encode(array("user" => "access_test", "password" => "invalid"));
$this->assert_equal(
json_encode(array("status" => "ERROR", "message" => (string)t("Authorization failed"))),
@@ -100,31 +99,14 @@ class Rest_Controller_Test extends Unit_Test_Case {
public function rest_get_resource_no_request_key_test() {
$_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
- $_SERVER["REQUEST_METHOD"] = "POST";
- $_POST["request"] = json_encode(array("path" => $this->_path));
-
$this->assert_equal(
json_encode(array("status" => "ERROR", "message" => (string)t("Authorization failed"))),
- $this->_call_controller("rest"));
- }
-
- public function rest_get_resource_no_request_content_test() {
- $_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
-
- $_SERVER["REQUEST_METHOD"] = "POST";
- $_GET["request_key"] = $this->_access_key;
-
- $this->assert_equal(
- json_encode(array("status" => "ERROR", "message" => (string)t("Invalid request"))),
- $this->_call_controller("rest"));
+ $this->_call_controller("rest", explode("/", $this->_photo->relative_path())));
}
public function rest_get_resource_invalid_key_test() {
- $_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
-
- $_SERVER["REQUEST_METHOD"] = "POST";
- $_GET["request_key"] = md5($this->_access_key); // screw up the access key
- $_POST["request"] = json_encode(array("path" => $this->_path));
+ $_SERVER["HTTP_X_GALLERY_REQUEST_KEY"] = md5($this->_access_key); // screw up the access key;
+ $_SERVER["REQUEST_METHOD"] = "GET";
$this->assert_equal(
json_encode(array("status" => "ERROR", "message" => (string)t("Authorization failed"))),
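Review bot: `rest_get_resource_no_request_key_test` still sets `HTTP_X_HTTP_METHOD_OVERRIDE`, which the controller no longer reads, and no longer sets `REQUEST_METHOD`, so the method it exercises is whatever an earlier test left in `$_SERVER`. The same leak applies to the new `HTTP_X_GALLERY_REQUEST_KEY` and `HTTP_X_GALLERY_REQUEST_METHOD` entries in this hunk and the next one: unless setup or teardown outside the visible lines clears them, the `"PUT"` override set in `rest_get_resource_no_handler_test` carries into `rest_get_resource_test`, and a key set by one test can mask the missing-key case in another. Set `$_SERVER["REQUEST_METHOD"] = "GET";` explicitly here, drop the stale override line, and `unset()` the two `HTTP_X_GALLERY_*` entries in teardown. A test that sends an unexpected `HTTP_X_GALLERY_REQUEST_METHOD` value and expects a rejection would also be worth adding.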
@@ -132,50 +114,30 @@ class Rest_Controller_Test extends Unit_Test_Case {
}
public function rest_get_resource_no_user_for_key_test() {
- $_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
- $_SERVER["REQUEST_METHOD"] = "POST";
-
- $_GET["request_key"] = $this->_access_key;
- $_POST["request"] = json_encode(array("path" => $this->_path));
+ $_SERVER["REQUEST_METHOD"] = "GET";
+ $_SERVER["HTTP_X_GALLERY_REQUEST_KEY"] = $this->_access_key;
$this->_user->delete();
unset($this->_user);
$this->assert_equal(
json_encode(array("status" => "ERROR", "message" => (string)t("Authorization failed"))),
- $this->_call_controller("rest"));
- }
-
- public function rest_get_resource_no_resource_test() {
- $_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
- $_SERVER["REQUEST_METHOD"] = "POST";
-
- $_GET["request_key"] = $this->_access_key;
- $_POST["request"] = json_encode(array("path" => $this->_path));
-
- $this->assert_equal(
- json_encode(array("status" => "ERROR", "message" => (string)t("Invalid request"))),
- $this->_call_controller("rest"));
+ $this->_call_controller("rest", explode("/", $this->_photo->relative_path())));
}
public function rest_get_resource_no_handler_test() {
- $_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
- $_SERVER["REQUEST_METHOD"] = "POST";
-
- $_GET["request_key"] = $this->_access_key;
- $_POST["request"] = json_encode(array("path" => $this->_path));
+ $_SERVER["REQUEST_METHOD"] = "GET";
+ $_SERVER["HTTP_X_GALLERY_REQUEST_KEY"] = $this->_access_key;
+ $_SERVER["HTTP_X_GALLERY_REQUEST_METHOD"] = "PUT";
$this->assert_equal(
json_encode(array("status" => "ERROR", "message" => (string)t("Service not implemented"))),
- $this->_call_controller("rest", "album"));
+ $this->_call_controller("rest", explode("/", $this->_photo->relative_path())));
}
public function rest_get_resource_test() {
- $_SERVER["HTTP_X_HTTP_METHOD_OVERRIDE"] = "GET";
- $_SERVER["REQUEST_METHOD"] = "POST";
-
- $_GET["request_key"] = $this->_access_key;
- $_POST["request"] = json_encode(array("path" => $this->_path));
+ $_SERVER["REQUEST_METHOD"] = "GET";
+ $_SERVER["HTTP_X_GALLERY_REQUEST_KEY"] = $this->_access_key;
$this->assert_equal(
json_encode(array("status" => "OK", "message" => (string)t("Processed"),
@@ -185,14 +147,14 @@ class Rest_Controller_Test extends Unit_Test_Case {
"description" => $this->_photo->description,
"internet_address" => $this->_photo->slug,
"type" => $this->_photo->type))),
- $this->_call_controller("rest", "photo"));
+ $this->_call_controller("rest", explode("/", $this->_photo->relative_path())));
}
private function _call_controller($method="access_key", $arg=null) {
$controller = new Rest_Controller();
ob_start();
- call_user_func(array($controller, $method), $arg);
+ call_user_func_array(array($controller, $method), $arg);
$results = ob_get_contents();
ob_end_clean();
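Review bot: `call_user_func_array` requires an array as its second argument, but `_call_controller` still declares `$arg=null`, so any caller relying on the default passes null; the `access_key` tests appear to do so, though their call lines are outside the hunks. Change the default to `$arg=array()` or cast at the call, `call_user_func_array(array($controller, $method), (array)$arg);`. The function body continues past the end of this hunk.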
@@ -203,7 +165,7 @@ class Rest_Controller_Test extends Unit_Test_Case {
class rest_rest {
static $request = null;
- static function get_photo($request) {
+ static function get($request) {
self::$request = $request;
$item = ORM::factory("item")
->where("relative_path_cache", $request->path)