From fd7990735cc73b5b1494190b9c187297e588a9f6 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 21 Dec 2009 11:25:11 -0800 Subject: Added validation to the edit functionality, since we can't trust any input --- modules/rest/controllers/rest.php | 5 ++--- modules/rest/helpers/rest.php | 19 +++++++++++++++---- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'modules/rest') diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php index d1404b29..7a5ab46a 100644 --- a/modules/rest/controllers/rest.php +++ b/modules/rest/controllers/rest.php @@ -67,7 +67,7 @@ class Rest_Controller extends Controller { } private function _normalize_request($args=array()) { - $method = strtolower($this->input->server("REQUEST_METHOD")); + $method = strtolower($this->input->server("REQUEST_METHOD")); $request = new stdClass(); foreach (array_keys($this->input->get()) as $key) { $request->$key = $this->input->get($key); @@ -78,8 +78,7 @@ class Rest_Controller extends Controller { } } - $override_method = strtolower($this->input->server("HTTP_X_GALLERY_REQUEST_METHOD", null)); - $request->method = empty($override_method) ? $method : $override_method; + $request->method = strtolower($this->input->server("HTTP_X_GALLERY_REQUEST_METHOD", $method)); $request->access_token = $this->input->server("HTTP_X_GALLERY_REQUEST_KEY"); $request->path = implode("/", $args); diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php index 2c653f21..ad6ca7c7 100644 --- a/modules/rest/helpers/rest.php +++ b/modules/rest/helpers/rest.php 
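Review bot: The new `$request->method` line in the second hunk of controllers/rest.php accepts whatever string arrives in X-Gallery-Request-Method, including an empty value that the removed `empty($override_method)` guard used to fold back to `$method`, so the dispatch code further down has to cope with an arbitrary or empty verb. Given the commit's own premise that input cannot be trusted, the override should be checked against the verbs the controller actually dispatches before it replaces `$method`, e.g. `$override = strtolower($this->input->server("HTTP_X_GALLERY_REQUEST_METHOD", $method));` followed by `$request->method = in_array($override, array("get", "post", "put", "delete"), true) ? $override : $method;`. Which verbs are valid is not visible here, so that list is a placeholder for whatever `_normalize_request`'s caller handles. The body of `_normalize_request` continues past the hunk.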
@@ -62,14 +62,25 @@ class rest_Core {
 /**
 * Success
 */
- static function success($response_data=null, $message=null) {
+ static function success($response_data=array(), $message=null) {
 $response = array("status" => "OK");
 if (!empty($message)) {
 $response["message"] = (string)$message;
 }
- if ($response_data) {
- $response = array_merge($response, $response_data);
- }
+ $response = array_merge($response, $response_data);
+
+ // We don't need to save the session for this request
+ Session::abort_save();
+ return json_encode($response);
+ }
+
+ /**
+ * Validation Error
+ */
+ static function validation_error($error_data) {
+ $response = array("status" => "VALIDATE_ERROR");
+ $response = array_merge($response, array("fields" => $error_data));
+
 // We don't need to save the session for this request
 Session::abort_save();
 return json_encode($response);
-- cgit v1.2.3
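Review bot: Dropping the `if ($response_data)` guard in `success()` leaves `array_merge($response, $response_data)` as the only thing between a non-array argument and the encoded output; the old default was `null`, so any existing caller still passing `null` explicitly now triggers a PHP warning and `json_encode(null)`, i.e. the literal `null` with no status field at all. Casting at the merge keeps the new always-merge behaviour while tolerating that caller: `$response = array_merge($response, (array)$response_data);`. The same merge also lets a `status` or `message` key inside `$response_data` silently overwrite the envelope fields set just above; `$response + $response_data` would keep the envelope's values if that is the intent. The docblock for `validation_error` should say what shape `$error_data` has — presumably a field-name-to-message map, since it is emitted under `fields` — and that function's closing brace lies outside the hunk.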