Seperated AJAX and API calls for security purposes

root · root · commit 50be60018de9 · 2015-05-07T22:02:54.000-04:00
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -23,17 +23,27 @@
 
 $application->registerRoutes($this, array('routes' => array(
 	array('name' => 'page#index', 'url' => '/', 'verb' => 'GET'),
-	array('name' => 'ownnote_api#setval', 'url' => '/setval', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxsetval', 'url' => '/api/v0.2/ajaxsetval', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#index', 'url' => '/api/v0.2/ownnote', 'verb' => 'GET'),
+	array('name' => 'ownnote_api#ajaxindex', 'url' => '/api/v0.2/ownnote/ajaxindex', 'verb' => 'GET'),
 	array('name' => 'ownnote_api#remoteindex', 'url' => '/api/v0.2/ownnote/remoteindex', 'verb' => 'GET'),
 	array('name' => 'ownnote_api#announcement', 'url' => '/api/v0.2/ownnote/announcement', 'verb' => 'GET'),
+	array('name' => 'ownnote_api#ajaxannouncement', 'url' => '/api/v0.2/ownnote/ajaxannouncement', 'verb' => 'GET'),
 	array('name' => 'ownnote_api#version', 'url' => '/api/v0.2/ownnote/version', 'verb' => 'GET'),
+	array('name' => 'ownnote_api#ajaxversion', 'url' => '/api/v0.2/ownnote/ajaxversion', 'verb' => 'GET'),
 	array('name' => 'ownnote_api#ren', 'url' => '/api/v0.2/ownnote/ren', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxren', 'url' => '/api/v0.2/ownnote/ajaxren', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#edit', 'url' => '/api/v0.2/ownnote/edit', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxedit', 'url' => '/api/v0.2/ownnote/ajaxedit', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#del', 'url' => '/api/v0.2/ownnote/del', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxdel', 'url' => '/api/v0.2/ownnote/ajaxdel', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#save', 'url' => '/api/v0.2/ownnote/save', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxsave', 'url' => '/api/v0.2/ownnote/ajaxsave', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#create', 'url' => '/api/v0.2/ownnote/create', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxcreate', 'url' => '/api/v0.2/ownnote/ajaxcreate', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#delgroup', 'url' => '/api/v0.2/ownnote/delgroup', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxdelgroup', 'url' => '/api/v0.2/ownnote/ajaxdelgroup', 'verb' => 'POST'),
 	array('name' => 'ownnote_api#rengroup', 'url' => '/api/v0.2/ownnote/rengroup', 'verb' => 'POST'),
+	array('name' => 'ownnote_api#ajaxrengroup', 'url' => '/api/v0.2/ownnote/ajaxrengroup', 'verb' => 'POST'),
         array('name' => 'ownnote_api#preflighted_cors', 'url' => '/api/v0.2/{path}', 'verb' => 'OPTIONS', 'requirements' => array('path' => '.+')),
 )));
diff --git a/controller/ownnoteapicontroller.php b/controller/ownnoteapicontroller.php
@@ -26,38 +26,140 @@ class OwnnoteApiController extends ApiController {
 
 	private $backend;
 
+
 	public function __construct($appName, IRequest $request){
 		parent::__construct($appName, $request);
 		$this->backend = new Backend();
 	}
 
+	/**
+	* AJAX FUNCTIONS
+	*/
+
 	/**
 	* @NoAdminRequired
 	* @CORS
-	* @NoCSRFRequired
 	*/
-	public function index() {
+	public function ajaxindex() {
 		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
 		return json_encode($this->backend->getListing($FOLDER, false));
 	}
 
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxannouncement() {
+		return $this->backend->getAnnouncement();
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxcreate($name, $group) {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		if (isset($name) && isset($group))
+			return $this->backend->createNote($FOLDER, $name, $group);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxdel($name, $group) {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		if (isset($name) && isset($group))
+			return $this->backend->deleteNote($FOLDER, $name, $group);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxedit($name, $group) {
+		if (isset($name) && isset($group))
+			return $this->backend->editNote($name, $group);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxsave($name, $group, $content) {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		if (isset($name) && isset($group) && isset($content))
+			return $this->backend->saveNote($FOLDER, $name, $group, $content, 0);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxren($name, $group, $newname, $newgroup) {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		if (isset($name) && isset($newname) && isset($group) && isset($newgroup))
+			return $this->backend->renameNote($FOLDER, $name, $group, $newname, $newgroup);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxdelgroup($group) {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		if (isset($group))
+			return $this->backend->deleteGroup($FOLDER, $group);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxrengroup($group, $newgroup) {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		if (isset($group) && isset($newgroup))
+			return $this->backend->renameGroup($FOLDER, $group, $newgroup);
+	}
+
+	/**
+	* @NoAdminRequired
+	* @CORS
+	*/
+	public function ajaxversion() {
+		return $this->backend->getVersion();
+	}
+
+	/**
+	* @CORS
+	*/
+	public function ajaxsetval($field, $value) {
+		return $this->backend->setAdminVal($field, $value);
+	}
+
+
+	/**
+	* MOBILE FUNCTIONS
+	*/
+
 	/**
 	* @NoAdminRequired
 	* @CORS
 	* @NoCSRFRequired
 	*/
-	public function remoteindex() {
+	public function index() {
 		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
-		return json_encode($this->backend->getListing($FOLDER, true));
+		return json_encode($this->backend->getListing($FOLDER, false));
 	}
 
 	/**
 	* @NoAdminRequired
 	* @CORS
 	* @NoCSRFRequired
 	*/
-	public function announcement() {
-		return $this->backend->getAnnouncement();
+	public function remoteindex() {
+		$FOLDER = \OCP\Config::getAppValue('ownnote', 'folder', 'Notes');
+		return json_encode($this->backend->getListing($FOLDER, true));
 	}
 
 	/**
@@ -144,12 +246,4 @@ public function rengroup($group, $newgroup) {
 	public function version() {
 		return $this->backend->getVersion();
 	}
-
-	/**
-	* @CORS
-	* @NoCSRFRequired
-	*/
-	public function setval($field, $value) {
-		return $this->backend->setAdminVal($field, $value);
-	}
 }
diff --git a/js/admin.js b/js/admin.js
@@ -6,7 +6,7 @@ function ocOwnnoteUrl(url) {
 $(document).ready(function() {
 	$('#ownnote-folder').change(function() {
 		var val = $(this).val();
-	        $.post(ocOwnnoteUrl("setval"), { field: 'folder', value: val }, function (data) {
+	        $.post(ocOwnnoteUrl("api/v0.2/ajaxsetval"), { field: 'folder', value: val }, function (data) {
 			 console.log('response', data);
         	});
 	});
@@ -15,7 +15,7 @@ $(document).ready(function() {
 		if (val == "") {
 			$('#ownnote-folder').val('');
 			$('#shorten-folder-settings').css('display', 'none');
-			$.post(ocOwnnoteUrl("setval"), { field: 'folder', value: '' }, function (data) {
+			$.post(ocOwnnoteUrl("api/v0.2/ajaxsetval"), { field: 'folder', value: '' }, function (data) {
 				console.log('response', data);
 			});
 		} else
@@ -26,7 +26,7 @@ $(document).ready(function() {
 		var c = $(this).is(':checked');
 		if (c)
 			da = "checked";
-	        $.post(ocOwnnoteUrl("setval"), { field: 'disableAnnouncement', val: da }, function (data) {
+	        $.post(ocOwnnoteUrl("api/v0.2/ajaxsetval"), { field: 'disableAnnouncement', val: da }, function (data) {
 			 console.log('response', data);
         	});
 	});
diff --git a/js/script.js b/js/script.js
@@ -36,15 +36,15 @@
 	function deleteNote(id) {
 		var n = $(this).attr('n');
 		var g = $(this).attr('g');
-		$.post(ocUrl("api/v0.2/ownnote/del"), { name: n, group: g }, function (data) {
+		$.post(ocUrl("api/v0.2/ownnote/ajaxdel"), { name: n, group: g }, function (data) {
 			loadListing();
 		});
 	}
 
 	function editNote(id) {
 		var n = $(this).attr('n');
 		var g = $(this).attr('g');
-		$.post(ocUrl("api/v0.2/ownnote/edit"), { name: n, group: g }, function (data) {
+		$.post(ocUrl("api/v0.2/ownnote/ajaxedit"), { name: n, group: g }, function (data) {
 			buildEdit(n, g, data);
 		});
 	}
@@ -177,9 +177,9 @@
 			if (exists) {
 				alert("Filename/group already exists.");
 			} else
-				$.post(ocUrl("api/v0.2/ownnote/ren"), { name: originalfilename, group: originalgroup, newname: editfilename, newgroup: editgroup }, function (data) {
+				$.post(ocUrl("api/v0.2/ownnote/ajaxren"), { name: originalfilename, group: originalgroup, newname: editfilename, newgroup: editgroup }, function (data) {
 					if (data == "DONE") {
-						$.post(ocUrl("api/v0.2/ownnote/save"), { name: editfilename, group: editgroup, content: content }, function (data) {
+						$.post(ocUrl("api/v0.2/ownnote/ajaxsave"), { name: editfilename, group: editgroup, content: content }, function (data) {
 							if (!stayinnote)
 								loadListing();
 							else {
@@ -190,7 +190,7 @@
 					}
 				});
 		} else {
-			$.post(ocUrl("api/v0.2/ownnote/save"), { name: editfilename, group: editgroup, content: content }, function (data) {
+			$.post(ocUrl("api/v0.2/ownnote/ajaxsave"), { name: editfilename, group: editgroup, content: content }, function (data) {
 				if (!stayinnote)
 					loadListing();
 				else {
@@ -223,7 +223,7 @@
 	}
 
 	function loadListing() {
-		var url = ocUrl("api/v0.2/ownnote");
+		var url = ocUrl("api/v0.2/ownnote/ajaxindex");
 		$.get(url, function(data) {
 			filelist = data;
 			listing = jQuery.parseJSON(filelist);
@@ -389,7 +389,7 @@
 			group = $('#newgroupname').val();
 		}
 		cancelNote();
-		$.post(ocUrl("api/v0.2/ownnote/create"), { name: name, group: group }, function (data) {
+		$.post(ocUrl("api/v0.2/ownnote/ajaxcreate"), { name: name, group: group }, function (data) {
 			loadListing();
 		});
 		return false;
@@ -516,7 +516,7 @@
 				$('#announcement-container').html(html);
 			}
 		} else {
-			var url = ocUrl("api/v0.2/ownnote/announcement");
+			var url = ocUrl("api/v0.2/ownnote/ajaxannouncement");
 			$.ajax({
 				url: url,
 				success: function(data) {
@@ -599,7 +599,7 @@
 		if (exists)
 			alert('An ungrouped file has the same name as a file in this group.');
 		else
-			$.post(ocUrl("api/v0.2/ownnote/delgroup"), { group: g }, function (data) {
+			$.post(ocUrl("api/v0.2/ownnote/ajaxdelgroup"), { group: g }, function (data) {
 				switchgroup = "All";
 				loadListing();
 			});
@@ -630,7 +630,7 @@
 			if (exists)
 				alert("Group already exists.");
 			else
-				$.post(ocUrl("api/v0.2/ownnote/rengroup"), { group: cg, newgroup: v }, function (data) {
+				$.post(ocUrl("api/v0.2/ownnote/ajaxrengroup"), { group: cg, newgroup: v }, function (data) {
 					switchgroup = v;
 					cg = "";
 					loadListing();
