From 226ad561054e0fecc7bbc209f966850b5db02d1e Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Mon, 6 Aug 2012 00:40:06 -0400
Subject: [PATCH] add "effective user" name space to submit API
---
 public_html/submit.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/public_html/submit.php b/public_html/submit.php
index be3f5b6..2a8287b 100644
--- a/public_html/submit.php
+++ b/public_html/submit.php
@@ -22,16 +22,25 @@ $api_key = $_REQUEST['api_key'];
 $shasum = hash('sha1', $_REQUEST['dataset_locator']);
+if (isset($_REQUEST['controlled_by'])) {
+ if (substr($_REQUEST['controlled_by'],0,2) == $api_key) {
+ $controlled_by = $_REQUEST['controlled_by'];
+ } else {
+ respond(false, 'controlled_by does not match api_key');
+ }
+} else {
+ $controlled_by = $api_key;
+}
 theDB()->query ("INSERT IGNORE INTO private_genomes SET oid=?, shasum=?, upload_date=SYSDATE()",
- array ($api_key, $shasum));
+ array ($controlled_by, $shasum));
 theDB()->query ("UPDATE private_genomes SET dataset_locator=?, nickname=?, is_public=? WHERE oid=? AND shasum=?",
 array ($_REQUEST['dataset_locator'], $_REQUEST['dataset_name'], $_REQUEST['dataset_is_public'],
- $api_key, $shasum));
+ $controlled_by, $shasum));
 $confirm_shasum = theDb()->getOne ("SELECT shasum FROM private_genomes WHERE oid=? AND shasum=?",
 array($api_key, $shasum));
 if ($confirm_shasum != $shasum) {
@@ -48,7 +57,7 @@ global_human_id=? WHERE oid=? AND shasum=?",
 array ($_REQUEST['human_id'], $api_key, $shasum));
- if ($_REQUEST['human_name']) {
+ if (@$_REQUEST['human_name']) {
 theDB()->query ("UPDATE genomes SET name=? WHERE global_human_id=?",
 array ($_REQUEST['human_name'], $_REQUEST['human_id']));
 }
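Review bot: The confirmation lookup just below the replaced bindings still passes `array($api_key, $shasum)` to the `SELECT shasum FROM private_genomes WHERE oid=? AND shasum=?`, while the INSERT and UPDATE above now bind `$controlled_by`; when a caller supplies a `controlled_by` different from `api_key`, the row is written under one oid and read back under another, so `$confirm_shasum` presumably never matches and the request fails after the write — it should read `array($controlled_by, $shasum)`, and the same stale `$api_key` binding remains in the second hunk's `array ($_REQUEST['human_id'], $api_key, $shasum)`. The namespace check `substr($_REQUEST['controlled_by'],0,2) == $api_key` compares only a two-character prefix against the whole key with loose `==`, which can only succeed for two-character keys or through numeric-string juggling; if the intent is that `controlled_by` must start with the caller's own api_key, `if (substr($_REQUEST['controlled_by'], 0, strlen($api_key)) === $api_key) {` states that directly. Whether `respond(false, ...)` terminates the script is not visible here; if it returns, `$controlled_by` is undefined on the rejection path and the INSERT proceeds with a null oid. The body of `if ($confirm_shasum != $shasum) {` continues outside the hunk.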
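Review bot: `@$_REQUEST['human_name']` silences the undefined-index notice instead of testing for presence, and `@` also hides any other diagnostic raised on that line; `if (!empty($_REQUEST['human_name'])) {` keeps the same truthiness semantics as the original (empty string and '0' still skip the UPDATE) without error suppression. The enclosing `if` block that this hunk sits in starts before the hunk, so the condition under which `human_id` is set is not visible here.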