- Patch #214209 by Arancaytar, pwolanin, gabor, etc: blogapi doesn't confirm node type exist.

336ee230 · Dries · 1d390ef3 · 336ee230
Commit 336ee230 authored Feb 12, 2008 by Dries
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 14 deletions

modules/blogapi/blogapi.module modules/blogapi/blogapi.module +33 -14

No files found.
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -184,8 +184,13 @@ function blogapi_blogger_new_post($appkey, $blogid, $username, $password, $conte
    return blogapi_error($user);
  }

+  if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) {
+    // Return an error if not configured type.
+    return $error;
+  }
+
  $edit = array();
-  $edit['type'] = _blogapi_blogid($blogid);
+  $edit['type'] = $blogid;
  // get the node type defaults
  $node_type_default = variable_get('node_options_'. $edit['type'], array('status', 'promote'));
  $edit['uid'] = $user->uid;
@@ -327,12 +332,16 @@ function blogapi_blogger_get_recent_posts($appkey, $blogid, $username, $password
    return blogapi_error($user);
  }

-  $type = _blogapi_blogid($blogid);
+  if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) {
+    // Return an error if not configured type.
+    return $error;
+  }
+
  if ($bodies) {
-    $result = db_query_range("SELECT n.nid, n.title, r.body, r.format, n.comment, n.created, u.name FROM {node} n, {node_revisions} r, {users} u WHERE n.uid = u.uid AND n.vid = r.vid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC",  $type, $user->uid, 0, $number_of_posts);
+    $result = db_query_range("SELECT n.nid, n.title, r.body, r.format, n.comment, n.created, u.name FROM {node} n, {node_revisions} r, {users} u WHERE n.uid = u.uid AND n.vid = r.vid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC",  $blogid, $user->uid, 0, $number_of_posts);
  }
  else {
-    $result = db_query_range("SELECT n.nid, n.title, n.created, u.name FROM {node} n, {users} u WHERE n.uid = u.uid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC", $type, $user->uid, 0, $number_of_posts);
+    $result = db_query_range("SELECT n.nid, n.title, n.created, u.name FROM {node} n, {users} u WHERE n.uid = u.uid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC", $blogid, $user->uid, 0, $number_of_posts);
  }
  $blogs = array();
  while ($blog = db_fetch_object($result)) {
@@ -381,8 +390,12 @@ function blogapi_metaweblog_new_media_object($blogid, $username, $password, $fil
 * associated with a blog node.
 */
 function blogapi_metaweblog_get_category_list($blogid, $username, $password) {
-  $type = _blogapi_blogid($blogid);
-  $vocabularies = module_invoke('taxonomy', 'get_vocabularies', $type, 'vid');
+  if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) {
+    // Return an error if not configured type.
+    return $error;
+  }
+
+  $vocabularies = module_invoke('taxonomy', 'get_vocabularies', $blogid, 'vid');
  $categories = array();
  if ($vocabularies) {
    foreach ($vocabularies as $vocabulary) {
@@ -685,13 +698,21 @@ function _blogapi_get_post($node, $bodies = TRUE) {
  return $xmlrpcval;
 }

-function _blogapi_blogid($id) {
-  if (is_numeric($id)) {
-    return 'blog';
-  }
-  else {
-    return $id;
+/**
+ * Validate blog ID, which maps to a content type in Drupal.
+ *
+ * Only content types configured to work with Blog API are supported.
+ *
+ * @return
+ *   TRUE if the content type is supported and the user has permission
+ *   to post, or a blogapi_error() XML construct otherwise.
+ */
+function _blogapi_validate_blogid($blogid) {
+  $types = _blogapi_get_node_types();
+  if (in_array($blogid, $types, TRUE)) {
+    return TRUE;
  }
+  return blogapi_error(t("Blog API module is not configured to support the %type content type, or you don't have sufficient permissions to post this type of content.", array('%type' => $blogid)));
 }

 function _blogapi_get_node_types() {
@@ -705,5 +726,3 @@ function _blogapi_get_node_types() {

  return $types;
 }
-
-