<?php
require 'Slim/Slim.php';
require 'Slim/Middleware.php';
require 'connect.php';
require 'error_codes.php';
Slim::registerAutoloader();
date_default_timezone_set('Europe/Warsaw');
$app = new Slim();
// Every route handler echoes JSON, so the content type is set once for all of them.
$app->response()->header('Content-Type', 'application/json');
// NOTE(review): the cookie-session secret is committed in source; whoever can read
// it can mint session cookies. It belongs in configuration kept out of version control.
$app->add(new Slim_Middleware_SessionCookie(array(
    'secret' => 'mp1024sec',
    'expires' => '60 minutes',
    'httponly' => true,
)));
// Per-request shared state: the PDO handle and the authenticated user row. Both are
// filled in by the $authenticate middleware and read by the handlers via `global`.
$db = null;
$user = null;
// LOGIN
/**
 * Builds the per-route authentication middleware.
 *
 * The returned closure marks the response 401 when the session carries no user
 * or the session e-mail does not match exactly one users row. Otherwise it opens
 * the DB connection into $db and stores the row (minus the password hash) in
 * $user. It never halts the request itself; handlers inspect the status code.
 */
$authenticate = function ($app) {
    return function () use ($app) {
        global $user, $db;
        if (!isset($_SESSION['user'])) {
            $app->response->setStatus(401);
            return;
        }
        $db = getConnection();
        $lookup = $db->prepare('select * from users where email=:email');
        $lookup->bindValue(':email', $_SESSION['user'], PDO::PARAM_STR);
        $lookup->execute();
        $rows = $lookup->fetchAll(PDO::FETCH_ASSOC);
        if (count($rows) !== 1) {
            $app->response->setStatus(401);
            return;
        }
        $user = $rows[0];
        unset($user['password']);
    };
};
$app->post('/register', 'register');
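/**
 * POST /register — queues a registration request in users_requests.
 *
 * Reads a JSON object with name, surname, email and password. The password is
 * stored as a password_hash() digest, the request expires after two days and
 * carries a random approval token. Responds 400 via paramError() when a field
 * is missing or the e-mail is not syntactically valid, 500 via pdoError() on
 * a database failure.
 */
function register() {
    global $db, $app;
    try {
        $obj = json_decode($app->request->getBody());
        // Guard against non-object bodies (invalid JSON, a bare string or an array)
        // before reading properties; the loose != null tests match the rest of the file.
        $valid = is_object($obj)
            && isset($obj->name) && $obj->name != null
            && isset($obj->surname) && $obj->surname != null
            && isset($obj->email) && is_string($obj->email)
            && filter_var($obj->email, FILTER_VALIDATE_EMAIL)
            && isset($obj->password) && is_string($obj->password) && $obj->password != null;
        if (!$valid) {
            paramError($app, 'user');
            return;
        }
        // TODO check if user already exists in users and users_requests
        // Approval token: use the CSPRNG when the runtime has one (PHP >= 7.0).
        // md5(uniqid(mt_rand())) is predictable and is kept only as a fallback;
        // both forms yield 32 hex characters, so the column width is unchanged.
        $token = function_exists('random_bytes')
            ? bin2hex(random_bytes(16))
            : md5(uniqid(mt_rand(), true));
        $db = getConnection();
        $stmt = $db->prepare('insert into users_requests(name, surname, email, password, expires, token) values(:name, :surname, :email, :password, :expires, :token)');
        $stmt->bindValue(':name', $obj->name, PDO::PARAM_STR);
        $stmt->bindValue(':surname', $obj->surname, PDO::PARAM_STR);
        $stmt->bindValue(':email', $obj->email, PDO::PARAM_STR);
        $stmt->bindValue(':password', password_hash($obj->password, PASSWORD_DEFAULT), PDO::PARAM_STR);
        $stmt->bindValue(':expires', date('Y-m-d H:i:s', strtotime('+2 days')), PDO::PARAM_STR);
        $stmt->bindValue(':token', $token, PDO::PARAM_STR);
        $stmt->execute();
        $db = null;
        // TODO send email to ADMIN
        echo json_encode(array('status' => 'success'));
    } catch (PDOException $e) {
        $db = null;
        pdoError($e, $app);
    }
}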
// GET /login -> getLogin(): returns the session user, or 401.
$app->get('/login', 'getLogin');
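/**
 * GET /login — returns the currently logged-in user, or 401.
 *
 * The session only stores the e-mail, so the users row is re-read on every
 * call and echoed without its password hash and id. Answers 401 via
 * unauthorizedError() when there is no session or the e-mail no longer matches
 * exactly one row, 500 via pdoError() on a database failure.
 */
function getLogin() {
    global $db, $app;
    if (!isset($_SESSION['user'])) {
        $app->response()->status(401);
        unauthorizedError();
        return;
    }
    try {
        $db = getConnection();
        $stmt = $db->prepare('select * from users where email=:email');
        $stmt->bindValue(':email', $_SESSION['user'], PDO::PARAM_STR);
        $stmt->execute();
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        // Release the handle on every path; the original skipped this on the 401 branch.
        $db = null;
        if (count($rows) !== 1) {
            $app->response()->status(401);
            unauthorizedError();
            return;
        }
        $user = $rows[0];
        unset($user['password']);
        unset($user['id']);
        echo json_encode(array('status' => 'success', 'user' => $user));
    } catch (PDOException $e) {
        $db = null;
        pdoError($e, $app);
    }
}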
// POST /login -> postLogin(): e-mail + password in, session cookie out.
$app->post('/login', 'postLogin');
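/**
 * POST /login — verifies e-mail + password and opens a session.
 *
 * Expects a JSON object with email and password. On success the e-mail is
 * stored in the cookie session and the users row is echoed without its
 * password hash and id. Validation failures answer 400 via codeError() with
 * the LOGIN_* codes from error_codes.php; DB failures answer 500 via pdoError().
 */
function postLogin() {
    global $db, $app;
    try {
        $obj = json_decode($app->request()->getBody());
        // Reject non-object bodies (invalid JSON, bare scalars, arrays) before reading
        // properties; the loose == null tests mirror the original checks.
        if (!is_object($obj)) {
            codeError($app, LOGIN_MISSING_USER);
            return;
        }
        if (!isset($obj->email) || $obj->email == null) {
            codeError($app, LOGIN_MISSING_EMAIL);
            return;
        }
        // password_verify() requires a string; anything else counts as missing.
        if (!isset($obj->password) || !is_string($obj->password) || $obj->password == null) {
            codeError($app, LOGIN_MISSING_PASSWORD);
            return;
        }
        $db = getConnection();
        $stmt = $db->prepare('select * from users where email=:email');
        $stmt->bindValue(':email', $obj->email, PDO::PARAM_STR);
        $stmt->execute();
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        $db = null;
        // NOTE(review): LOGIN_USER_NOT_FOUND and LOGIN_WRONG_PASSWORD are distinct codes,
        // so a caller can learn which e-mails are registered. Merging them is a
        // client-visible change and is left to the API owner.
        if (count($rows) !== 1) {
            codeError($app, LOGIN_USER_NOT_FOUND);
            return;
        }
        $user = $rows[0];
        if (!password_verify($obj->password, $user['password'])) {
            codeError($app, LOGIN_WRONG_PASSWORD);
            return;
        }
        $_SESSION['user'] = $user['email'];
        unset($user['password']);
        unset($user['id']);
        echo json_encode(array('status' => 'success', 'user' => $user));
    } catch (PDOException $e) {
        $db = null;
        pdoError($e, $app);
    }
}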
// POST /logout -> postLogout(): drops the session user.
$app->post('/logout', 'postLogout');
/**
 * POST /logout — removes the user from the cookie session and reports success.
 */
function postLogout() {
    if (isset($_SESSION['user'])) {
        unset($_SESSION['user']);
    }
    $body = array('status' => 'success');
    echo json_encode($body);
}
// ANKIETY
// GET /ankiety -> getAnkiety(), behind the $authenticate middleware.
$app->get('/ankiety', $authenticate($app), 'getAnkiety');
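/**
 * GET /ankiety — lists surveys ("ankiety").
 *
 * Runs behind $authenticate: ADMIN receives every row, USER only id/title/
 * message of rows whose userId matches. Answers 401 via unauthorizedError()
 * when authentication failed, 403 for any other role (the original executed a
 * null statement there), 500 via pdoError() on a database failure.
 */
function getAnkiety() {
    global $user, $db, $app;
    if ($app->response()->status() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('select * from ankiety');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('select id, title, message from ankiety where userId=:id');
            $stmt->bindValue(':id', $user['id'], PDO::PARAM_INT);
        } else {
            // Unknown role: deny instead of calling execute() on a null statement.
            $app->response()->status(403);
            unauthorizedError();
            return;
        }
        $stmt->execute();
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        $db = null;
        echo json_encode($rows);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}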
// GET /ankiety/:id -> getAnkietyId($id), behind the $authenticate middleware.
$app->get('/ankiety/:id', $authenticate($app), 'getAnkietyId');
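/**
 * GET /ankiety/:id — returns one survey.
 *
 * ADMIN may read any row; USER only id/title/message of a row whose userId
 * matches. Answers 401 when unauthenticated, 403 for any other role, 404 with
 * an error body when no single row matches, 500 via pdoError() on DB failure.
 *
 * @param string $id route parameter, bound as an integer
 */
function getAnkietyId($id) {
    global $user, $db, $app;
    if ($app->response()->status() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('select * from ankiety where id=:id');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('select id, title, message from ankiety where id=:id and userId=:userId');
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            // Unknown role: deny instead of calling execute() on a non-statement.
            $app->response()->status(403);
            unauthorizedError();
            return;
        }
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        $db = null;
        if (count($rows) === 1) {
            echo json_encode($rows[0]);
        } else {
            // Not found or not owned by the caller; the original answered 200 here.
            $app->response()->status(404);
            echo json_encode(array('status' => 'error', 'error' => 'ankieta not found'));
        }
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}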
// POST /ankiety -> postAnkiety(), behind the $authenticate middleware.
$app->post('/ankiety', $authenticate($app), 'postAnkiety');
/**
 * POST /ankiety — creates a survey owned by the authenticated user.
 *
 * The decoded body must pass validateAnkieta(); it is echoed back with the new
 * id and, for ADMIN callers, the owning userId. Note that the response reflects
 * the client object as received (any extra properties included), not the stored
 * row. Answers 401 when unauthenticated, 400 via paramError() for invalid input,
 * 500 via pdoError() on a database failure.
 */
function postAnkiety() {
    global $user, $db, $app;
    if ($app->response()->status() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        $obj = json_decode($app->request()->getBody());
        if (!validateAnkieta($obj)) {
            paramError($app, 'ankieta');
            $db = null;
            return;
        }
        $insert = $db->prepare('insert into ankiety(title, message, userId) values(:title, :message, :userId)');
        $insert->bindValue(':title', $obj->title, PDO::PARAM_STR);
        $insert->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $insert->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        $insert->execute();
        $obj->id = $db->lastInsertId();
        if ($user['role'] === 'ADMIN') {
            $obj->userId = $user['id'];
        }
        echo json_encode($obj);
        $db = null;
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}
// PUT /ankiety -> putAnkiety(), behind the $authenticate middleware.
$app->put('/ankiety', $authenticate($app), 'putAnkiety');
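/**
 * PUT /ankiety — updates a survey's title and message.
 *
 * The JSON body must carry id plus the fields checked by validateAnkieta().
 * ADMIN may update any row; USER only a row whose userId matches, so a foreign
 * id updates nothing yet still reports success (rowCount is not checked).
 * Answers 401 when unauthenticated, 403 for any other role, 400 via
 * paramError() for bad input, 500 via pdoError() on DB failure. The body is
 * echoed back on success.
 */
function putAnkiety() {
    global $user, $db, $app;
    if ($app->response()->status() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        $obj = json_decode($app->request()->getBody());
        // The original bound a missing id as NULL, matching no row but reporting success.
        if (!validateAnkieta($obj) || !isset($obj->id)) {
            paramError($app, 'ankieta');
            return;
        }
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('update ankiety set title=:title, message=:message where id=:id');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('update ankiety set title=:title, message=:message where id=:id and userId=:userId');
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            // Unknown role: deny instead of calling execute() on a non-statement.
            $app->response()->status(403);
            unauthorizedError();
            return;
        }
        $stmt->bindValue(':id', $obj->id, PDO::PARAM_INT);
        $stmt->bindValue(':title', $obj->title, PDO::PARAM_STR);
        $stmt->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $stmt->execute();
        $db = null;
        echo json_encode($obj);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}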
// DELETE /ankiety/:id -> deleteAnkietyId($id), behind the $authenticate middleware.
$app->delete('/ankiety/:id', $authenticate($app), 'deleteAnkietyId');
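/**
 * DELETE /ankiety/:id — removes one survey.
 *
 * ADMIN may delete any row; USER only a row whose userId matches, so a foreign
 * id deletes nothing but still reports success (rowCount is not checked).
 * Answers 401 when unauthenticated, 403 for any other role, 500 via pdoError()
 * on a database failure.
 *
 * @param string $id route parameter, bound as an integer
 */
function deleteAnkietyId($id) {
    global $user, $db, $app;
    if ($app->response->getStatus() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('delete from ankiety where id=:id');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('delete from ankiety where id=:id and userId=:userId');
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            // Unknown role: deny instead of calling execute() on a non-statement.
            $app->response()->status(403);
            unauthorizedError();
            return;
        }
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $db = null;
        echo json_encode(array('status' => 'success'));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}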
// POSTY
// GET /posty -> getPosty(): public listing, richer when a session is present.
$app->get('/posty', 'getPosty');
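/**
 * GET /posty — lists posts, newest first, optionally capped by ?limit=N.
 *
 * Public endpoint: without a session it returns id/message/timestamp plus the
 * author's name, surname and e-mail. With a session the users row is re-read:
 * ADMIN gets every post including userId and role, USER only their own posts.
 * Answers 400 with POSTS_ILLEGAL_LIMIT for a non-integer or negative limit,
 * ILLEGAL_STATE via codeError() when the session e-mail matches no single
 * user, and 500 via pdoError() on a database failure.
 */
function getPosty() {
    global $app;
    $limit = $app->request()->get('limit');
    if ($limit != null) {
        // The original passed min_range at the top level, where filter_var ignores it,
        // and negated the result, which also rejected a valid "0". Nest the options
        // and compare with false instead.
        $checked = filter_var($limit, FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)));
        if ($checked === false) {
            $app->response()->status(400);
            echo json_encode(array('status' => 'error', 'error' => POSTS_ILLEGAL_LIMIT));
            return;
        }
        $limit = $checked;
    } else {
        $limit = null;
    }
    $db = null;
    try {
        $db = getConnection();
        if (!isset($_SESSION['user'])) { // request from 'outside'
            // NOTE(review): this unauthenticated branch returns every author's e-mail
            // address; confirm that is intended for a public endpoint.
            $rows = _getPostyRows(
                $db,
                'select p.id, p.message, p.timestamp, u.name, u.surname, u.email from posts p join users u on p.userId = u.id order by p.timestamp desc',
                array(),
                $limit
            );
            echo json_encode($rows);
            $db = null;
            return;
        }
        // request from panel: resolve the session user first
        $lookup = $db->prepare('select * from users where email=:email');
        $lookup->bindValue(':email', $_SESSION['user'], PDO::PARAM_STR);
        $lookup->execute();
        $users = $lookup->fetchAll(PDO::FETCH_ASSOC);
        if (count($users) !== 1) {
            $db = null;
            // Unchanged from the original: codeError() then overrides the 401 with 400.
            $app->response()->status(401);
            codeError($app, ILLEGAL_STATE);
            return;
        }
        $user = $users[0];
        unset($user['password']);
        if ($user['role'] === 'ADMIN') {
            $rows = _getPostyRows(
                $db,
                'select p.id, p.message, p.timestamp, p.userId, u.name, u.surname, u.email, u.role from posts p join users u on p.userId = u.id order by p.timestamp desc',
                array(),
                $limit
            );
            echo json_encode($rows);
        } elseif ($user['role'] === 'USER') {
            $rows = _getPostyRows(
                $db,
                'select p.id, p.message, p.timestamp, u.name, u.surname, u.email from posts p join users u on p.userId = u.id where p.userId=:userId order by p.timestamp desc',
                array(':userId' => $user['id']),
                $limit
            );
            echo json_encode($rows);
        }
        // Any other role echoes nothing, as in the original.
        $db = null;
    } catch (PDOException $e) {
        $db = null;
        pdoError($e, $app);
    }
}

/**
 * Prepares and runs one of the getPosty() queries.
 *
 * @param PDO $db open connection
 * @param string $sql query text without a LIMIT clause
 * @param array $intParams named integer parameters to bind (placeholder => value)
 * @param int|null $limit appended as "limit :limit" when not null
 * @return array result rows as associative arrays
 */
function _getPostyRows($db, $sql, array $intParams, $limit) {
    if ($limit !== null) {
        $sql .= ' limit :limit';
    }
    $stmt = $db->prepare($sql);
    foreach ($intParams as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    if ($limit !== null) {
        $stmt->bindValue(':limit', (int) $limit, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}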
// POST /posty -> postPosty(), behind the $authenticate middleware.
$app->post('/posty', $authenticate($app), 'postPosty');
/**
 * POST /posty — creates a post owned by the authenticated user.
 *
 * The decoded body must pass validatePost(); it is echoed back with the new id
 * and, for ADMIN callers, the owning userId. The response reflects the client
 * object as received (any extra properties included), not the stored row.
 * Answers 401 when unauthenticated, 400 via paramError() for invalid input,
 * 500 via pdoError() on a database failure.
 */
function postPosty() {
    global $user, $db, $app;
    if ($app->response()->status() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        $obj = json_decode($app->request()->getBody());
        if (!validatePost($obj)) {
            paramError($app, 'post');
            $db = null;
            return;
        }
        $insert = $db->prepare('insert into posts(message, userId) values(:message, :userId)');
        $insert->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $insert->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        $insert->execute();
        $obj->id = $db->lastInsertId();
        if ($user['role'] === 'ADMIN') {
            $obj->userId = $user['id'];
        }
        echo json_encode($obj);
        $db = null;
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}
// PUT /posty -> putPosty(), behind the $authenticate middleware.
$app->put('/posty', $authenticate($app), 'putPosty');
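/**
 * PUT /posty — updates a post's message.
 *
 * The JSON body must carry id plus the message checked by validatePost().
 * ADMIN may update any row; USER only a row whose userId matches, so a foreign
 * id updates nothing yet still reports success (rowCount is not checked).
 * Answers 401 when unauthenticated, 403 for any other role, 400 via
 * paramError() for bad input, 500 via pdoError() on DB failure. The body is
 * echoed back on success.
 */
function putPosty() {
    global $user, $db, $app;
    if ($app->response()->status() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        $obj = json_decode($app->request()->getBody());
        // The original bound a missing id as NULL, matching no row but reporting success.
        if (!validatePost($obj) || !isset($obj->id)) {
            paramError($app, 'post');
            return;
        }
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('update posts set message=:message where id=:id');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('update posts set message=:message where id=:id and userId=:userId');
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            // Unknown role: deny instead of calling execute() on a non-statement.
            $app->response()->status(403);
            unauthorizedError();
            return;
        }
        $stmt->bindValue(':id', $obj->id, PDO::PARAM_INT);
        $stmt->bindValue(':message', $obj->message, PDO::PARAM_STR);
        $stmt->execute();
        $db = null;
        echo json_encode($obj);
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}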
// DELETE /posty/:id -> deletePostyId($id), behind the $authenticate middleware.
$app->delete('/posty/:id', $authenticate($app), 'deletePostyId');
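/**
 * DELETE /posty/:id — removes one post.
 *
 * ADMIN may delete any row; USER only a row whose userId matches, so a foreign
 * id deletes nothing but still reports success (rowCount is not checked).
 * Answers 401 when unauthenticated, 403 for any other role, 500 via pdoError()
 * on a database failure.
 *
 * @param string $id route parameter, bound as an integer. The original
 *                   signature omitted it, so :id was bound as an undefined
 *                   (NULL) value and nothing was ever deleted.
 */
function deletePostyId($id) {
    global $user, $db, $app;
    // `||`, matching the other handlers; the original's `&&` let a 401 through
    // whenever $user happened to be non-null.
    if ($app->response->getStatus() == 401 || $user == null) {
        unauthorizedError();
        return;
    }
    try {
        if ($user['role'] === 'ADMIN') {
            $stmt = $db->prepare('delete from posts where id=:id');
        } elseif ($user['role'] === 'USER') {
            $stmt = $db->prepare('delete from posts where id=:id and userId=:userId');
            $stmt->bindValue(':userId', $user['id'], PDO::PARAM_INT);
        } else {
            // Unknown role: deny instead of calling execute() on a non-statement.
            $app->response()->status(403);
            unauthorizedError();
            return;
        }
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $db = null;
        echo json_encode(array('status' => 'success'));
    } catch (PDOException $e) {
        pdoError($e, $app);
    }
}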
// Dispatch the request. The helpers below are plain top-level functions, so
// defining them after run() is fine.
$app->run();
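/**
 * Answers 500 with a generic JSON error for a caught PDOException.
 *
 * The driver message goes to the server log only: it can contain table names,
 * SQL fragments or DSN details that must not reach the client. The original
 * echoed it verbatim.
 *
 * @param PDOException $e the caught exception
 * @param Slim $app application whose response status is set to 500
 */
function pdoError($e, $app) {
    error_log('DB error: ' . $e->getMessage());
    $app->response()->status(500);
    echo json_encode(array('error' => 'DB error', 'status' => 'error'));
}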
/**
 * Answers 400 with a "missing parameter" JSON error.
 *
 * @param Slim $app application whose response status is set to 400
 * @param string $param name of the missing or invalid parameter
 */
function paramError($app, $param) {
    $app->response()->status(400);
    $payload = array(
        'error' => 'missing parameter: ' . $param,
        'status' => 'error',
    );
    echo json_encode($payload);
}
/**
 * Answers 400 with an application error code in the JSON body.
 *
 * @param Slim $app application whose response status is set to 400
 * @param mixed $code error code (see error_codes.php) placed in 'error'
 */
function codeError($app, $code) {
    $app->response()->status(400);
    $payload = array();
    $payload['error'] = $code;
    $payload['status'] = 'error';
    echo json_encode($payload);
}
/**
 * Echoes the "unauthorized" JSON error body.
 *
 * Does not touch the response status; callers (or the $authenticate
 * middleware) are responsible for setting 401.
 */
function unauthorizedError() {
    $body = array();
    $body['error'] = 'unauthorized';
    $body['status'] = 'error';
    echo json_encode($body);
}
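/**
 * Checks that a decoded survey body carries a non-empty title and message.
 *
 * Accepts any value: non-objects and missing properties are rejected without
 * the "undefined property" warnings the original emitted. The != null test is
 * kept loose to match the rest of the file.
 *
 * @param mixed $ankieta value returned by json_decode()
 * @return bool
 */
function validateAnkieta($ankieta) {
    return is_object($ankieta)
        && isset($ankieta->title) && $ankieta->title != null
        && isset($ankieta->message) && $ankieta->message != null;
}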
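/**
 * Checks that a decoded post body carries a non-empty message.
 *
 * Accepts any value: non-objects and a missing property are rejected without
 * the "undefined property" warnings the original emitted. The != null test is
 * kept loose to match the rest of the file.
 *
 * @param mixed $post value returned by json_decode()
 * @return bool
 */
function validatePost($post) {
    return is_object($post)
        && isset($post->message) && $post->message != null;
}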
?>