<?php namespace HashOver;

// Copyright (C) 2019-2021 Jacob Barkdull
// This file is part of HashOver.
//
// HashOver is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// HashOver is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with HashOver. If not, see <http://www.gnu.org/licenses/>.


// Check if request is for JSONP
// A "jsonp" query parameter selects the JavaScript (JSONP) setup;
// any other request gets the plain JSON setup
$jsonp_requested = isset ($_GET['jsonp']);
require ($jsonp_requested ? 'javascript-setup.php' : 'json-setup.php');

// Returns comment data or authentication error
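// Returns comment data (name, website, body, decrypted email) for a
// single comment, or an array holding only an 'error' message.
//
// The comment key comes from untrusted POST/GET data and is used as a
// file name by $hashover->thread->data->read(), so it is scrubbed of
// "../" segments before use. Only a logged-in user who owns the
// comment (matching login_id) or an admin receives the data; everyone
// else gets a delayed, generic authentication error.
function get_json_response ($hashover)
{
	// Get comment key from POST/GET data
	$key = $hashover->setup->getRequest ('comment', null);

	// Return error if the key is missing; a query-string array
	// (comment[]=...) is treated the same, since str_replace and the
	// file read below expect a string
	if ($key === null or !is_string ($key)) {
		return array ('error' => 'Missing comment file.');
	}

	// Strip "../" until none remains. A single-pass str_replace is
	// bypassable: "....//" collapses to "../" after one pass, which
	// would allow traversal out of the thread directory. Repeating
	// until a fixed point closes that hole.
	$file = $key;

	do {
		$previous = $file;
		$file = str_replace ('../', '', $file);
	} while ($file !== $previous);

	// NOTE(review): an allowlist on the key format (e.g. digits and
	// hyphens) would be stronger than stripping; confirm the key
	// format used by the data layer before tightening this further.

	// An empty name after scrubbing cannot refer to a comment
	if ($file === '') {
		return array ('error' => 'Missing comment file.');
	}

	// Store reference to the thread name
	$thread = $hashover->setup->threadName;

	// Read comment
	$comment = $hashover->thread->data->read ($file, $thread);

	// Return error message if failed to read comment
	if ($comment === false) {
		return array ('error' => 'Failed to read file: "' . $file . '"');
	}

	// User is not authorized by default
	$authorized = false;

	// Only logged-in users can be authorized
	if ($hashover->login->userIsLoggedIn === true) {
		// Owner of the comment: login hash matches the stored login_id
		if (!empty ($comment['login_id'])) {
			if ($hashover->login->loginHash === $comment['login_id']) {
				$authorized = true;
			}
		}

		// Admins are authorized for every comment
		if ($hashover->login->isAdmin () === true) {
			$authorized = true;
		}
	}

	// Return comment data to an authorized user
	if ($authorized === true) {
		// Specific comment data to return; missing fields become ''
		$data = array (
			// Commenter name
			'name' => Misc::getArrayItem ($comment, 'name') ?: '',

			// Commenter website URL
			'website' => Misc::getArrayItem ($comment, 'website') ?: '',

			// Commenter's comment
			'body' => Misc::getArrayItem ($comment, 'body') ?: ''
		);

		// Add decrypted email address if both the ciphertext and its
		// encryption metadata are stored with the comment
		if (!empty ($comment['email']) and !empty ($comment['encryption'])) {
			$crypto = new Crypto ();
			$data['email'] = $crypto->decrypt ($comment['email'], $comment['encryption']);
		}

		// And return comment data
		return $data;
	}

	// Unauthorized: delay 5 seconds to slow down guessing. This ties up
	// a worker per request, so it is a brute-force brake, not a
	// substitute for rate limiting at the server level.
	sleep (5);

	// And return a generic authentication error
	return array (
		'error' => $hashover->locale->text['post-fail']
	);
}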

try {
	// Construct HashOver in JSON mode
	$hashover = new \HashOver ('json');

	// Throws when the request comes from a remote server
	$hashover->setup->refererCheck ();

	// Page URL is taken from the POST/GET data
	$hashover->setup->setPageURL ('request');

	// Run comment processing
	$hashover->initiate ();

	// Build the response and emit it as JSON or a JSONP call
	$response = get_json_response ($hashover);
	echo Misc::jsonData ($response);
} catch (\Exception $error) {
	// Render the exception in JSON form
	echo Misc::displayException ($error, 'json');
}