
function blogapi_metaweblog_new_media_object in Blog API 7.2

Same name and namespace in other branches
  1. 7 blogapi.module \blogapi_metaweblog_new_media_object()

Service callback for metaWeblog.newMediaObject: authenticates the caller, enforces the per-role upload size, disk quota and extension whitelist, and stores the uploaded file.

1 string reference to 'blogapi_metaweblog_new_media_object'
blogapi_metaweblog_services_resources in modules/blogapi_metaweblog/blogapi_metaweblog.module
Implements hook_services_resources().

File

modules/blogapi_metaweblog/blogapi_metaweblog.module, line 331
Provides MetaWeblog services for BlogAPI

Code

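/**
 * Service callback for metaWeblog.newMediaObject.
 *
 * Authenticates the caller, enforces the most permissive upload size, disk
 * quota and extension whitelist found among the caller's BlogAPI roles, then
 * stores the payload as a managed file and records it in blogapi_files.
 *
 * @param mixed $blogid
 *   Blog identifier sent by the client; not used by this callback.
 * @param string $username
 *   Account name used to authenticate the request.
 * @param string $password
 *   Password used to authenticate the request.
 * @param array $file
 *   The media object sent by the client. Keys read here: 'name' (the
 *   client-supplied file name) and 'bits' (the raw file contents).
 *
 * @return array
 *   On success, an array whose 'url' element is the URL of the stored file
 *   (the trailing 'struct' element is kept as-is for wire compatibility).
 *   On failure, whatever services_error() produces for the given HTTP code.
 */
function blogapi_metaweblog_new_media_object($blogid, $username, $password, $file) {

  // Validate the user. The code below dereferences $user->roles, so refuse
  // to continue if the helper did not hand back an account object; this keeps
  // a failed login from reaching the upload path (it previously produced a
  // PHP notice and a misleading 413 instead of a clean denial).
  $user = blogapi_validate_user($username, $password);
  if (!is_object($user) || empty($user->uid)) {
    return services_error(t('Access denied.'), 403);
  }

  // Take the most permissive limit across every BlogAPI role the user holds;
  // the extension lists of all those roles are concatenated.
  $extensions = '';
  $usersize = 0;
  $uploadsize = 0;
  $roles = array_intersect(user_roles(FALSE, 'manage content with blogapi'), $user->roles);
  foreach ($roles as $rid => $name) {
    $extensions .= ' ' . strtolower(variable_get("blogapi_extensions_{$rid}", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp')));
    $usersize = max($usersize, variable_get("blogapi_usersize_{$rid}", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024);
    $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_{$rid}", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024);
  }

  // Tolerate a missing 'bits' key rather than raising a notice; the size
  // checks below then see a zero-length payload.
  $data = isset($file['bits']) ? (string) $file['bits'] : '';
  $filesize = strlen($data);
  if ($filesize > $uploadsize) {
    return services_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array(
      '@maxsize' => format_size($uploadsize),
    )), 413);
  }
  if (blogapi_space_used($user->uid) + $filesize > $usersize) {
    return services_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array(
      '@quota' => format_size($usersize),
    )), 413);
  }

  // Only allow files with whitelisted extensions and convert remaining dots to
  // underscores to prevent attacks via non-terminal executable extensions with
  // files such as exploit.php.jpg. The configured list is split on whitespace
  // or commas and empty entries are dropped so that '' can never match.
  $whitelist = array_unique(preg_split('/[\s,]+/', trim($extensions), -1, PREG_SPLIT_NO_EMPTY));
  // basename() strips any directory component, so the client-supplied name
  // cannot escape the directory that file_build_uri() resolves to.
  $name = isset($file['name']) ? basename((string) $file['name']) : '';
  $extension_position = strrpos($name, '.');
  // A name with no extension at all, or one that is nothing but an extension
  // (".htaccess"), used to bypass the whitelist entirely; treat both like any
  // other non-whitelisted file.
  if ($extension_position === FALSE || $extension_position === 0) {
    return services_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array(
      '@extensions' => implode(' ', $whitelist),
    )), 403);
  }
  // strrpos() yields a byte offset, so slice with the byte-based substr();
  // '.' is a single ASCII byte, which makes the cut UTF-8 safe. Mixing the
  // byte offset with the multibyte-aware drupal_substr() mis-split names that
  // contain non-ASCII characters before the dot.
  $filename = substr($name, 0, $extension_position);
  $final_extension = substr($name, $extension_position + 1);
  if (!in_array(strtolower($final_extension), $whitelist, TRUE)) {
    return services_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array(
      '@extensions' => implode(' ', $whitelist),
    )), 403);
  }
  $filename = str_replace('.', '_', $filename) . '.' . $final_extension;

  $uri = file_build_uri($filename);
  // Compare the length rather than truthiness so that a payload consisting of
  // the single byte "0" is not mistaken for an empty upload.
  if ($filesize === 0) {
    return services_error(t('No file sent.'), 400);
  }
  $saved = file_save_data($data, $uri);
  if (!$saved) {
    return services_error(t('Error storing file.'), 500);
  }

  // Store Drupal file ID in separate dfid column and unset fid to use own
  // blogapi serial value; drupal_write_record() fills fid back in.
  $saved->dfid = $saved->fid;
  unset($saved->fid);
  drupal_write_record('blogapi_files', $saved);

  // Return the successful result. The bare 'struct' element is part of the
  // existing response shape and is kept unchanged.
  return array(
    'url' => file_create_url($saved->uri),
    'struct',
  );
}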