From 5f6c43e73d363c146dec9787aadd7caaec2abc0d Mon Sep 17 00:00:00 2001
From: Diego Najar
Date: Sat, 23 Sep 2017 13:10:05 +0200
Subject: [PATCH] API, write permissions
---
 bl-kernel/dbpages.class.php | 15 ++++++---------
 bl-kernel/dbusers.class.php | 12 +++++-------
 bl-kernel/functions.php | 24 ++++++++++++++++++++----
 bl-plugins/api/plugin.php | 19 +++++++++++++------
 install.php | 3 ++-
 5 files changed, 46 insertions(+), 27 deletions(-)
diff --git a/bl-kernel/dbpages.class.php b/bl-kernel/dbpages.class.php
index 8df11345..4d859918 100644
--- a/bl-kernel/dbpages.class.php
+++ b/bl-kernel/dbpages.class.php
@@ -10,7 +10,7 @@ class dbPages extends dbJSON
 'description'=> array('inFile'=>false, 'value'=>''),
 'username'=> array('inFile'=>false, 'value'=>''),
 'tags'=> array('inFile'=>false, 'value'=>array()),
- 'status'=> array('inFile'=>false, 'value'=>'draft'), // published, draft, scheduled
+ 'status'=> array('inFile'=>false, 'value'=>'published'), // published, draft, scheduled
 'date'=> array('inFile'=>false, 'value'=>''),
 'dateModified'=> array('inFile'=>false, 'value'=>''),
 'position'=> array('inFile'=>false, 'value'=>0),
@@ -142,8 +142,8 @@ class dbPages extends dbJSON
 }
 }
 } else {
- // Default value for the field
- $value = $options['value'];
+ // By default is the current value
+ $value = $this->db[$args['key']][$field];
 }
 $args[$field] = $value;
@@ -158,9 +158,6 @@ class dbPages extends dbJSON
 $args['date'] = $this->db[$args['key']]['date'];
 }
- // Current UUID
- $args['uuid'] = $this->db[$args['key']]['uuid'];
-
 // Date
 $currentDate = Date::current(DB_DATE_FORMAT);
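Review bot: The default `status` is now `'published'`, so any caller of dbPages that omits the field — which appears to include the API create path added in bl-plugins/api/plugin.php in this commit — publishes the page immediately instead of saving a draft. If that is intended, the trailing comment should say so, e.g. `// published, draft, scheduled (default: published)`; if it is not, the API handler should set `status` explicitly rather than inherit this default. The field table continues outside the hunk.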
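Review bot: `$value = $this->db[$args['key']][$field];` assumes the stored record already has every field in the table; a record written before a field was added (or a key that is not yet in `$this->db`, if edit() can be reached without the exists() check) raises an undefined-index notice and stores `null` for that field. Keep the table default as the fallback: `$value = isset($this->db[$args['key']][$field]) ? $this->db[$args['key']][$field] : $options['value'];`. The enclosing method starts and ends outside the hunk.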
@@ -192,9 +189,9 @@ class dbPages extends dbJSON
 }
 }
- if( $climode===false ) {
+ if ($climode===false) {
 // Move the directory from old key to new key.
- if($newKey!==$args['key']) {
+ if ($newKey!==$args['key']) {
 if( Filesystem::mv(PATH_PAGES.$args['key'], PATH_PAGES.$newKey) === false ) {
 Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to move the directory to '.PATH_PAGES.$newKey);
 return false;
@@ -203,7 +200,7 @@ class dbPages extends dbJSON
 // Make the index.txt and save the file.
 $data = implode("\n", $dataForFile);
- if( file_put_contents(PATH_PAGES.$newKey.DS.FILENAME, $data) === false ) {
+ if (file_put_contents(PATH_PAGES.$newKey.DS.FILENAME, $data)===false) {
 Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to put the content in the file '.FILENAME);
 return false;
 }
diff --git a/bl-kernel/dbusers.class.php b/bl-kernel/dbusers.class.php
index ede2db5c..e1c0f51e 100644
--- a/bl-kernel/dbusers.class.php
+++ b/bl-kernel/dbusers.class.php
@@ -105,13 +105,11 @@ class dbUsers extends dbJSON
 $User = new User();
 $User->setField('username', $username);
- foreach($this->db[$username] as $key=>$value) {
+ foreach ($this->db[$username] as $key=>$value) {
 $User->setField($key, $value);
 }
-
 return $User;
 }
-
 return false;
 }
@@ -152,8 +150,8 @@ class dbUsers extends dbJSON
 // Return the username associated to an email, FALSE otherwise
 public function getByEmail($email)
 {
- foreach($this->db as $username=>$values) {
- if($values['email']==$email) {
+ foreach ($this->db as $username=>$values) {
+ if ($values['email']==$email) {
 return $username;
 }
 }
@@ -163,8 +161,8 @@ class dbUsers extends dbJSON
 // Returns the username with the authentication token assigned, FALSE otherwise
 public function getByAuthToken($token)
 {
- foreach($this->db as $username=>$fields) {
- if($fields['tokenAuth']==$token) {
+ foreach ($this->db as $username=>$fields) {
+ if ($fields['tokenAuth']==$token) {
 return $username;
 }
 }
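Review bot: `if ($fields['tokenAuth']==$token)` is now the check that grants API write access (bl-plugins/api/plugin.php in this commit calls getByAuthToken() before enabling `$writePermissions`), yet it still uses loose `==` and a non-constant-time comparison. Under `==` two numeric-looking strings are compared as numbers, so a stored hex token that happens to have the form `0e<digits>` compares equal to other numeric strings it does not actually match; a strict compare removes that class of bug: `if (hash_equals($fields['tokenAuth'], $token)) {` where the PHP floor is 5.6 or later, otherwise at least `if ($fields['tokenAuth']===$token) {`. The lookup also never reads the `tokenAuthTTL` that install.php writes next to the token, so a token has no expiry. This hunk itself only reformats the lines; the defect is in the carried-over comparison.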
diff --git a/bl-kernel/functions.php b/bl-kernel/functions.php
index b1b58ba0..29e9f8e3 100644
--- a/bl-kernel/functions.php
+++ b/bl-kernel/functions.php
@@ -349,10 +349,15 @@ function editPage($args) {
 global $dbPages;
 global $Syslog;
- // The user is always the one loggued
- $args['username'] = Session::get('username');
- if ( empty($args['username']) ) {
- Log::set('Function editPage()'.LOG_SEP.'Empty username.');
+ // Check the key is not empty
+ if (empty($args['key'])) {
+ Log::set('Function editPage()'.LOG_SEP.'Empty key.');
+ return false;
+ }
+
+ // Check if the page key exist
+ if (!$dbPages->exists($args['key'])) {
+ Log::set('Function editPage()'.LOG_SEP.'Page key does not exist, '.$args['key']);
 return false;
 }
@@ -362,6 +367,17 @@ function editPage($args) {
 unset($args['externalCoverImage']);
 }
+ // Title and content need to be here because from inside the dbPages is not visible
+ if (empty($args['title']) || empty($args['content'])) {
+ $page = buildPage($args['key']);
+ if (empty($args['title'])) {
+ $args['title'] = $page->title();
+ }
+ if (empty($args['content'])) {
+ $args['content'] = $page->contentRaw();
+ }
+ }
+
 $key = $dbPages->edit($args);
 if ($key) {
 // Call the plugins after page modified
diff --git a/bl-plugins/api/plugin.php b/bl-plugins/api/plugin.php
index 2134e9b9..56dd76b4 100644
--- a/bl-plugins/api/plugin.php
+++ b/bl-plugins/api/plugin.php
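Review bot: Dropping the `$args['username'] = Session::get('username');` block removes the only place that bound a page's `username` to the logged-in user, and with the dbPages change in this commit a `username` present in `$args` now appears to be stored as-is (absent, the current author is kept). If any caller of editPage() — the admin form or the API handler — forwards a user-controlled `username`, the author of an existing page can be rewritten; if that is not intended, keep the binding with `$args['username'] = Session::get('username');` or strip the field before the edit with `unset($args['username']);`. The removed `empty($args['username'])` check was also the function's only refusal to run without a session, so callers now carry that responsibility alone. Whether the callers forward that field is not visible here; editPage() continues past the hunk.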
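Review bot: `empty($args['title']) || empty($args['content'])` cannot distinguish a field the caller did not send from one it deliberately cleared, so an edit that sets `content` to `''` — or to the string `'0'`, which `empty()` also treats as empty — silently keeps the old content. If the intent is only to fill in omitted fields, test presence rather than emptiness: `if (!isset($args['title'])) {` and `if (!isset($args['content'])) {`, keeping the `$page->title()` fallback only if an empty title is never allowed. The `buildPage($args['key'])` call relies on the exists() guard added earlier in the same function, which is worth a one-line comment since a missing page would make `$page->title()` a fatal call on `false`.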
@@ -91,13 +91,20 @@ class pluginAPI extends Plugin {
 // ------------------------------------------------------------
 $writePermissions = false;
 if ( !empty($inputs['authentication']) ) {
- // Get the user with the authentication token
+
+ // Get the user with the authentication token, FALSE if doesn't exit
 $username = $dbUsers->getByAuthToken($inputs['authentication']);
 if ($username!==false) {
- // Enable write permissions
- $writePermissions = true;
- // Loggin the user to create the session
- $Login->setLogin($username, 'admin');
+
+ // Get the object user to check the role
+ $user = $dbUsers->getUser($username);
+ if ($user->role()=='admin') {
+
+ // Loggin the user to create the session
+ $Login->setLogin($username, 'admin');
+ // Enable write permissions
+ $writePermissions = true;
+ }
 }
 }
@@ -270,7 +277,7 @@ class pluginAPI extends Plugin {
 {
 // This function is defined on functions.php
 $key = createPage($args);
-var_dump($key);exit;
+
 if ($key===false) {
 return array(
 'status'=>'1',
diff --git a/install.php b/install.php
index 80d8ac89..17921ae5 100644
--- a/install.php
+++ b/install.php
@@ -367,6 +367,7 @@ function install($adminPassword, $email, $timezone)
 // File users.php
 $salt = uniqid();
 $passwordHash = sha1($adminPassword.$salt);
+ $tokenAuth = md5( uniqid().time().DOMAIN );
 $data = array(
 'admin'=>array(
@@ -379,7 +380,7 @@ function install($adminPassword, $email, $timezone)
 'registered'=>$currentDate,
 'tokenEmail'=>'',
 'tokenEmailTTL'=>'2009-03-15 14:00',
- 'tokenAuth'=>'',
+ 'tokenAuth'=>$tokenAuth,
 'tokenAuthTTL'=>'2009-03-15 14:00',
 'twitter'=>'',
 'facebook'=>'',
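Review bot: The role gate is the right addition, but `if ($user->role()=='admin')` is still the only condition before `$Login->setLogin()`: the user record carries a `tokenAuthTTL` (install.php in this commit writes one next to the token) that nothing here reads, so a token never expires — either compare that field against the current date before granting write access, or drop the field so it does not suggest an expiry that is not enforced. A rejected token (unknown, or a non-admin role) currently leaves no trace; a `Log::set()` call in the else paths would make failed write attempts visible in the log. `$dbUsers->getUser($username)` can return `false` per bl-kernel/dbusers.class.php; the username comes from the same table here so it is safe, but `if ($user!==false && $user->role()=='admin')` would make that assumption explicit. The surrounding method starts and ends outside the hunk.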
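Review bot: `$tokenAuth = md5( uniqid().time().DOMAIN );` derives the admin's API write token from predictable inputs — `uniqid()` is the current microsecond timestamp, `time()` the same second, `DOMAIN` is public — so the token's effective entropy is the timing of the install run, not the 128 bits its length suggests, and this commit makes that token sufficient for admin write access through the API plugin. Generate it from the CSPRNG instead: `$tokenAuth = bin2hex(random_bytes(16));` on PHP 7+, or `$tokenAuth = bin2hex(openssl_random_pseudo_bytes(16));` where the project's PHP floor is older (the floor is not visible here). The `$salt = uniqid();` line above it has the same weakness but is outside this change; the second install.php hunk only stores the value and needs nothing further.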