okapi r893

htdocs/okapi/core.php

@@ -814,7 +814,7 @@ class Okapi
 {
 	public static $data_store;
 	public static $server;
-	public static $revision = 888; # This gets replaced in automatically deployed packages
+	public static $revision = 893; # This gets replaced in automatically deployed packages
 	private static $okapi_vars = null;
 
 	/** Get a variable stored in okapi_vars. If variable not found, return $default. */

htdocs/okapi/datastore.php

@@ -47,13 +47,26 @@ class OkapiDataStore extends OAuthDataStore
 
 	public function lookup_nonce($consumer, $token, $nonce, $timestamp)
 	{
+		# Since it's not important for us to save the actual token and nonce
+		# value, we will save a hash only. We could also include the consumer
+		# key in this hash and drop the column, but we will leave it be for
+		# now (for a couple of less important reasons).
+
+		$nonce_hash = md5(serialize(array(
+			$token ? $token->key : null,
+			$timestamp,
+			$nonce
+		)));
 		try
 		{
+			# Time timestamp is saved separately, because we are periodically
+			# removing older nonces from the database (see cronjobs).
+
 			Db::execute("
-				insert into okapi_nonces (consumer_key, `key`, timestamp)
+				insert into okapi_nonces (consumer_key, nonce_hash, timestamp)
 				values (
 					'".mysql_real_escape_string($consumer->key)."',
-					'".mysql_real_escape_string($nonce)."',
+					'".mysql_real_escape_string($nonce_hash)."',
 					'".mysql_real_escape_string($timestamp)."'
 				);
 			");
@@ -61,9 +74,8 @@ class OkapiDataStore extends OAuthDataStore
 		}
 		catch (\Exception $e)
 		{
-			# INSERT failed. Assume this nonce was already used.
-			# Note, that old nonces are periodically deleted (see cronjobs).
-			
+			# INSERT failed. This nonce was already used.
+
 			return $nonce;
 		}
 	}

htdocs/okapi/facade.php

@@ -22,6 +22,12 @@ namespace okapi;
 # order to get it to work with your code. Just call this after you
 # include the Facade file: Facade::disable_error_handling().
 
+# EXAMPLE OF USAGE:
+
+# require_once($rootpath.'okapi/facade.php');
+# \okapi\Facade::schedule_user_entries_check(...);
+# \okapi\Facade::disable_error_handling();
+
 
 use Exception;
 use okapi\OkapiServiceRunner;
@@ -106,7 +112,7 @@ class Facade
 	 * This is useful in some cases, when OKAPI cannot detect the modification
 	 * for itself (grep OCPL code for examples). See issue #179.
 	 *
-	 * $cache_codes may be a single cache code or an array of codes.
+	 * $cache_codes - a single cache code OR an array of cache codes.
 	 */
 	public static function schedule_geocache_check($cache_codes)
 	{
@@ -119,6 +125,24 @@ class Facade
 		");
 	}
 
+	/**
+	 * Find all log entries of the specified user for the specified cache and
+	 * mark them as *possibly* modified. See issue #265.
+	 *
+	 * $cache_id - internal ID of the geocache,
+	 * $user_id - internal ID of the user.
+	 */
+	public static function schedule_user_entries_check($cache_id, $user_id)
+	{
+		Db::execute("
+			update cache_logs
+			set okapi_syncbase = now()
+			where
+				cache_id = '".mysql_real_escape_string($cache_id)."'
+				and user_id = '".mysql_real_escape_string($user_id)."'
+		");
+	}
+
 	/**
 	 * Run OKAPI database update.
 	 * Will output messages to stdout.

htdocs/okapi/services/apiref/issue.php

@@ -30,46 +30,17 @@ class WebService
 		if ((!preg_match("/^[0-9]+$/", $issue_id)) || (strlen($issue_id) > 6))
 			throw new InvalidParam('issue_id');
 
-		$cache_key = "apiref/issue#".$issue_id;
-		$result = Cache::get($cache_key);
-		if ($result == null)
-		{
-			# Download list of comments from Google Code Issue Tracker.
-
-			try
-			{
-				$opts = array(
-					'http' => array(
-						'method' => "GET",
-						'timeout' => 2.0
-					)
-				);
-				$context = stream_context_create($opts);
-				$xml = file_get_contents("http://code.google.com/feeds/issues/p/opencaching-api/issues/$issue_id/comments/full",
-					false, $context);
-			}
-			catch (ErrorException $e)
-			{
-				throw new BadRequest("Sorry, we could not retrieve issue stats from the Google Code site. ".
-					"This is probably due to a temporary connection problem. Try again later or contact ".
-					"us if this seems permanent.");
-			}
-
-			$doc = simplexml_load_string($xml);
-			$result = array(
-				'id' => $issue_id + 0,
-				'last_updated' => (string)$doc->updated,
-				'title' => (string)$doc->title,
-				'url' => (string)$doc->link[0]['href'],
-				'comment_count' => $doc->entry->count()
-			);
-
-			# On one hand, we want newly added comments to show up quickly.
-			# On the other, we don't want OKAPI to contantly query Google Code.
-			# It's difficult to choose a correct timeout for this...
-
-			Cache::set($cache_key, $result, 3600);
-		}
+		# In October 2013, Google Code feed at:
+		# http://code.google.com/feeds/issues/p/opencaching-api/issues/$issue_id/comments/full
+		# stopped working. We are forced to respond with a simple placeholder.
+		
+		$result = array(
+			'id' => $issue_id + 0,
+			'last_updated' => null,
+			'title' => null,
+			'url' => "https://code.google.com/p/opencaching-api/issues/detail?id=".$issue_id,
+			'comment_count' => null
+		);
 		return Okapi::formatted_response($request, $result);
 	}
 }

htdocs/okapi/services/apiref/issue.xml

@@ -2,6 +2,10 @@
 	<brief>Retrieve information on given issue</brief>
 	<issue-id>11</issue-id>
 	<desc>
+		<p><b>Important:</b> This method stopped working properly in October 2013.
+		Now, it returns a simple placeholder.
+		<a href='https://code.google.com/p/opencaching-api/issues/detail?id=288'>Read more</a>.</p>
+		
 		<p>OKAPI is trying to be as <b>integrated</b> with its
 		<a href='http://code.google.com/p/opencaching-api/'>Main Project Page</a> as it can.
 		This method retrieves basic information on a given issue from our project
@@ -17,10 +21,11 @@
 		<p>A dictionary of the following structure:</p>
 		<ul>
 			<li><b>id</b> - number of the issue created for this method,</li>
-			<li><b>last_updated</b> - date and time (ISO 8601) when the issue was last updated,</li>
-			<li><b>title</b> - issue title,</li>
+			<li><b>last_updated</b> - date and time (ISO 8601) when the issue was last updated
+				<b>or null</b> if unknown,</li>
+			<li><b>title</b> - issue title <b>or null</b> if unknown,</li>
 			<li><b>url</b> - URL of the issue page,</li>
-			<li><b>comment_count</b> - total number of submitted comments.</li>
+			<li><b>comment_count</b> - total number of submitted comments <b>or null</b> if unknown.</li>
 		</ul>
 		<p>Note, that this will respond with HTTP 400 if we fail to retrieve data from
 		the Google Code site.</p>

htdocs/okapi/services/apiref/method_index.php

@@ -2,8 +2,6 @@
 
 namespace okapi\services\apiref\method_index;
 
-use okapi\OkapiInternalRequest;
-
 use Exception;
 use okapi\Okapi;
 use okapi\OkapiRequest;
@@ -12,6 +10,8 @@ use okapi\InvalidParam;
 use okapi\OkapiServiceRunner;
 use okapi\Cache;
 use okapi\OkapiInternalConsumer;
+use okapi\OkapiInternalRequest;
+
 
 class WebService
 {

htdocs/okapi/services/attrs/attribute-definitions.xml

@@ -3,6 +3,9 @@
 This is the list of all geocache attributes supported by OKAPI. It should
 include any attribute used by at least one of the Opencaching installations.
 
+If you'd like to get the write access to our repository (to submit your
+translations), contact us: Submit a new issue in our issue tracker. 
+
 
 NOTES FOR EXTERNAL APP DEVELOPERS
 =================================

htdocs/okapi/services/attrs/attribute.xml

@@ -42,27 +42,37 @@
 				attribute.</p>
 			</li>
 			<li>
-				<b>name</b> - plaintext string, name of the attribute (language is
-				selected based on your <b>langpref</b> parameter),
+				<p><b>name</b> - plaintext string, name of the attribute (language is
+				selected based on your <b>langpref</b> parameter),</p>
+				
+				<p>If you think your language is missing, then feel free to add missing
+				translations directly to OKAPI repository. See
+				<a href='https://code.google.com/p/opencaching-api/source/browse/trunk/okapi/services/attrs/attribute-definitions.xml'>here</a>.</p>
 			</li>
 			<li>
 				<p><b>names</b> - a dictionary of all known names of the attribute, in
 				various languages (ISO 639-1 language code is used as dictionary
 				key).</p>
 			
-				<p>If you'd like to help with the translations, see
+				<p>If you think your language is missing, then feel free to add missing
+				translations directly to OKAPI repository. See
 				<a href='https://code.google.com/p/opencaching-api/source/browse/trunk/okapi/services/attrs/attribute-definitions.xml'>here</a>.</p>
 			</li>
 			<li>
 				<b>description</b> - HTML string, description of the attribute (language is
 				selected based on your <b>langpref</b> parameter),
+				
+				<p>If you think your language is missing, then feel free to add missing
+				translations directly to OKAPI repository. See
+				<a href='https://code.google.com/p/opencaching-api/source/browse/trunk/okapi/services/attrs/attribute-definitions.xml'>here</a>.</p>
 			</li>
 			<li>
 				<p><b>descriptions</b> - a dictionary of all known descriptions of the
 				attribute, in various languages (ISO 639-1 language code is used as
 				dictionary key).</p>
 			
-				<p>If you'd like to help with the translations, see
+				<p>If you think your language is missing, then feel free to add missing
+				translations directly to OKAPI repository. See
 				<a href='https://code.google.com/p/opencaching-api/source/browse/trunk/okapi/services/attrs/attribute-definitions.xml'>here</a>.</p>
 			</li>
 			<li>

htdocs/okapi/static/common.js

@@ -11,8 +11,13 @@ $(function() {
 			},
 			success: function(issue)
 			{
-				var comments = (issue.comment_count == 1) ? "comment" : "comments";
-				var link = $("<a>" + issue.comment_count + " " + comments + "</a>");
+				var comments, link;
+				if (issue.comment_count === null) {
+					link = $("<a>Comments</a>");
+				} else {
+					comments = (issue.comment_count == 1) ? "comment" : "comments";
+					link = $("<a>" + issue.comment_count + " " + comments + "</a>");
+				}
 				link.attr('href', issue.url);
 				div.append(link);
 				var notice = $("<span class='notice'>Notice: comments are shared between all OKAPI installations.</span>");

htdocs/okapi/views/devel/dbstruct.php

@@ -14,6 +14,7 @@ use okapi\ParamMissing;
 use okapi\InvalidParam;
 use okapi\OkapiServiceRunner;
 use okapi\OkapiInternalRequest;
+use okapi\OkapiInternalConsumer;
 use okapi\BadRequest;
 
 class View
@@ -35,11 +36,11 @@ class View
 		#  - reassure that we use the --no-data option
 		#  - plausibility test for data amount
 		#  - verify that the output does not contain table contents
-		
-		ini_set('memory_limit', '16M');  
+
+		ini_set('memory_limit', '16M');
 		$shell_arguments = "mysqldump --no-data -h$dbserver -u$user -p$password $dbname";
 		if (!strpos($shell_arguments,"--no-data"))
-			throw new Exception("wrong database dump arguments"); 
+			throw new Exception("wrong database dump arguments");
 		$struct = shell_exec($shell_arguments);
 		if (strlen($struct) > 1000000)
 			throw new Exception("something went terribly wrong while dumping table structures");
@@ -51,15 +52,16 @@ class View
 		$struct = preg_replace("/ AUTO_INCREMENT=([0-9]+)/i", "", $struct);
 
 		# This method can be invoked with "compare_to" parameter, which points to
-		# an alternate database structure (probably generated by the same script
-		# in other OKAPI instance). When invoked this way, we will attempt to
+		# an alternate database structure (generated by the same script in other
+		# *public* OKAPI instance). When invoked this way, we will attempt to
 		# generate SQL script which alters LOCAL database is such a way that it
-		# will become THE OTHER database.
+		# will become the other (public) database.
 
 		$response = new OkapiHttpResponse();
 		$response->content_type = "text/plain; charset=utf-8";
 		if (isset($_GET['compare_to']))
 		{
+			self::requireSafe($_GET['compare_to']);
 			$scheme = parse_url($_GET['compare_to'], PHP_URL_SCHEME);
 			if (in_array($scheme, array('http', 'https')))
 			{
@@ -123,4 +125,30 @@ class View
 		return $response;
 	}
 
+	/**
+	 * Check if the URL can be safely retrieved. See issue #252.
+	 */
+	private static function requireSafe($url)
+	{
+		require_once($GLOBALS['rootpath'].'okapi/service_runner.php');
+		$installations = OkapiServiceRunner::call(
+			"services/apisrv/installations",
+			new OkapiInternalRequest(
+				new OkapiInternalConsumer(), null, array()
+			)
+		);
+		$allowed = array();
+		foreach ($installations as $i) {
+			$allowed_url = $i['okapi_base_url']."devel/dbstruct";
+			$allowed[] = $allowed_url;
+			if ($url == $allowed_url) {
+				return;
+			}
+		}
+		throw new BadRequest(
+			"The following URL is not on our whitelist: \"".$url."\".\n\n".
+			"Please use one of the following:\n".
+			"\"".implode("\",\n\"", $allowed)."\"."
+		);
+	}
 }

htdocs/okapi/views/update.php

@@ -672,4 +672,8 @@ class View
 	private static function ver81() { Db::execute("alter table okapi_search_sets add column expires datetime not null"); }
 	private static function ver82() { CronJobController::reset_job_schedule("FulldumpGeneratorJob"); }
 	private static function ver83() { Db::execute("alter table okapi_stats_temp engine=InnoDB"); }
+	private static function ver84() { Db::execute("truncate okapi_nonces;"); }
+	private static function ver85() { Db::execute("alter table okapi_nonces drop primary key;"); }
+	private static function ver86() { Db::execute("alter table okapi_nonces change column `key` nonce_hash varchar(32) character set utf8 collate utf8_bin not null;"); }
+	private static function ver87() { Db::execute("alter table okapi_nonces add primary key (consumer_key, nonce_hash);"); }
 }