Play images and video from Synology PhotoStation server

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872
  1. <?PHP
  2. require_once('permission.inc.php');
  3. class PermissionAPI extends WebAPI
  4. {
  5. function __construct()
  6. {
  7. parent::__construct(SZ_WEBAPI_API_DESCRIPTION_PATH);
  8. }
  9. protected function Process()
  10. {
  11. /* if not admin, returns directly */
  12. csSYNOPhotoMisc::CheckSessionTimeOut();
  13. if (!strcasecmp($this->method, "getalbum")) {
  14. $this->GetAlbum();
  15. }
  16. if (!strcasecmp($this->method, "editalbum")) {
  17. $this->EditAlbum();
  18. }
  19. if (!strcasecmp($this->method, "editgroup")) {
  20. $this->EditGroup();
  21. }
  22. if (!strcasecmp($this->method, "list_public_share")) {
  23. $this->ListPublicShare();
  24. }
  25. if (!strcasecmp($this->method, "edit_public_share")) {
  26. $this->EditPublicShare();
  27. }
  28. }
  29. private function GetAlbum()
  30. {
  31. $ret = false;
  32. $resp = array();
  33. if (!isset($_REQUEST['type'])) {
  34. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  35. goto End;
  36. }
  37. /* set params */
  38. if (!isset($_REQUEST['id']) || '' === $_REQUEST['id'] || 'album_' === $_REQUEST['id']) {
  39. $albumName = '';
  40. } else {
  41. $id_arr = explode('_', $_REQUEST['id']);
  42. if ('album' == $id_arr[0] && 2 === count($id_arr)) {
  43. $albumName = @pack('H*', $id_arr[1]);
  44. } else {
  45. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  46. goto End;
  47. }
  48. }
  49. $path = SYNOPHOTO_SERVICE_REAL_DIR . "/" . ("/" === $albumName ? "" : $albumName);
  50. if (!csSynoPhotoMisc::CheckPathValid($path)) {
  51. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  52. goto End;
  53. }
  54. if (!file_exists($path)) {
  55. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  56. goto End;
  57. }
  58. $start = isset($_REQUEST['offset']) ? $_REQUEST['offset'] : 0;
  59. $limit = isset($_REQUEST['limit']) ? $_REQUEST['limit'] : 15;
  60. $search = isset($_REQUEST['query']) ? $_REQUEST['query'] : '';
  61. $needUsr = strstr($_REQUEST['type'], 'user_permission') ? true : false;
  62. $needGrp = strstr($_REQUEST['type'], 'group_permission') ? true : false;
  63. if (!$needUsr && !$needGrp) {
  64. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  65. goto End;
  66. }
  67. if ($needUsr) {
  68. $resp['user_permission'] = array();
  69. if (false === ($data = $this->GetAlbumUserData($albumName, $start, $limit, $search))) {
  70. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  71. goto End;
  72. }
  73. $users = $data['all'];
  74. foreach ($users as $row) {
  75. $user = null;
  76. $user['id'] = $row['userid'];
  77. $user['name'] = $row['username'];
  78. $user['description'] = $row['description'];
  79. $user['disabled'] = $row['disabled'];
  80. $pObj = null;
  81. $pObj['browse'] = $row['browse'];
  82. $pObj['upload'] = $row['upload'];
  83. $pObj['manage'] = $row['manage'];
  84. $user['permission'] = $pObj;
  85. $resp['user_permission'][] = $user;
  86. }
  87. $resp['total_user_count'] = $data['totalCount'];
  88. }
  89. if ($needGrp) {
  90. $resp['group_permission'] = array();
  91. if (false === ($data = $this->GetAlbumGroupData($albumName, $start, $limit, $search))) {
  92. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  93. goto End;
  94. }
  95. $groups = $data['all'];
  96. foreach ($groups as $row) {
  97. $group = null;
  98. $group['id'] = $row['groupid'];
  99. $group['name'] = $row['groupname'];
  100. $group['description'] = $row['description'];
  101. $group['disabled'] = $row['disabled'];
  102. $pObj = null;
  103. $pObj['browse'] = $row['browse'];
  104. $pObj['upload'] = $row['upload'];
  105. $pObj['manage'] = $row['manage'];
  106. $group['permission'] = $pObj;
  107. $resp['group_permission'][] = $group;
  108. }
  109. $resp['total_group_count'] = $data['totalCount'];
  110. }
  111. $this->SetResponse($resp);
  112. $ret = true;
  113. End:
  114. return $ret;
  115. }
  116. private function EditAlbum()
  117. {
  118. $ret = false;
  119. /* set params */
  120. if (!isset($_REQUEST['id']) || '' === $_REQUEST['id'] || 'album_' === $_REQUEST['id']) {
  121. $albumName = '/';
  122. } else {
  123. $id_arr = explode('_', $_REQUEST['id']);
  124. if ('album' == $id_arr[0] && 2 === count($id_arr)) {
  125. $albumName = @pack('H*', $id_arr[1]);
  126. } else {
  127. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  128. goto End;
  129. }
  130. }
  131. /* set user modified list */
  132. $userBrowseDelete = isset($_REQUEST['user_browse_delete']) ? $_REQUEST['user_browse_delete'] : '';
  133. $userUploadDelete = isset($_REQUEST['user_upload_delete']) ? $_REQUEST['user_upload_delete'] : '';
  134. $userManageDelete = isset($_REQUEST['user_manage_delete']) ? $_REQUEST['user_manage_delete'] : '';
  135. $userBrowseAdd = isset($_REQUEST['user_browse_add']) ? $_REQUEST['user_browse_add'] : '';
  136. $userUploadAdd = isset($_REQUEST['user_upload_add']) ? $_REQUEST['user_upload_add'] : '';
  137. $userManageAdd = isset($_REQUEST['user_manage_add']) ? $_REQUEST['user_manage_add'] : '';
  138. /* set group modified list */
  139. $groupBrowseDelete = isset($_REQUEST['group_browse_delete']) ? $_REQUEST['group_browse_delete'] : '';
  140. $groupUploadDelete = isset($_REQUEST['group_upload_delete']) ? $_REQUEST['group_upload_delete'] : '';
  141. $groupManageDelete = isset($_REQUEST['group_manage_delete']) ? $_REQUEST['group_manage_delete'] : '';
  142. $groupBrowseAdd = isset($_REQUEST['group_browse_add']) ? $_REQUEST['group_browse_add'] : '';
  143. $groupUploadAdd = isset($_REQUEST['group_upload_add']) ? $_REQUEST['group_upload_add'] : '';
  144. $groupManageAdd = isset($_REQUEST['group_manage_add']) ? $_REQUEST['group_manage_add'] : '';
  145. /* get the album info first */
  146. $path = SYNOPHOTO_SERVICE_REAL_DIR . "/" . $albumName;
  147. if (!csSynoPhotoMisc::CheckPathValid($path)) {
  148. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  149. goto End;
  150. }
  151. if (!file_exists($path)) {
  152. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  153. goto End;
  154. }
  155. $query = "SELECT shareid, sharename, public, password FROM photo_share WHERE sharename = ?";
  156. $db_result = PHOTO_DB_Query($query, array($albumName));
  157. if (false === ($row = PHOTO_DB_FetchRow($db_result))) {
  158. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  159. goto End;
  160. }
  161. /* get album type, 0 for public, 1 for private, 2 for password */
  162. if (PHOTO_DB_IsTrue($row['public'])) {
  163. $type = 0;
  164. } elseif ('' === $row['password']) {
  165. $type = 1;
  166. } else {
  167. $type = 2;
  168. }
  169. $shareid = $row['shareid'];
  170. $sharename = $row['sharename'];
  171. switch ($type) {
  172. case 0:
  173. /* update for user permission */
  174. /* add/delete self upload right */
  175. SYNOPHOTO_ADMIN_AddAccessRightByShareid($shareid, $userUploadAdd, PHOTO_UPLOAD_RIGHT_TABLE);
  176. SYNOPHOTO_ADMIN_DeleteAccessRightByShareid($shareid, $userUploadDelete, PHOTO_UPLOAD_RIGHT_TABLE);
  177. /* add/delete self manage right */
  178. SYNOPHOTO_ADMIN_AddAccessRightByShareid($shareid, $userManageAdd, PHOTO_MANAGE_RIGHT_TABLE);
  179. SYNOPHOTO_ADMIN_DeleteAccessRightByShareid($shareid, $userManageDelete, PHOTO_MANAGE_RIGHT_TABLE);
  180. /* add child browse, upload, manage rights for manager */
  181. SYNOPHOTO_ADMIN_AddChildRightBySharename($sharename, $userManageAdd, PHOTO_MANAGE_RIGHT_TABLE);
  182. SYNOPHOTO_ADMIN_AddChildRightBySharename($sharename, $userManageAdd, PHOTO_UPLOAD_RIGHT_TABLE);
  183. SYNOPHOTO_ADMIN_AddChildRightBySharename($sharename, $userManageAdd, PHOTO_ACCESS_RIGHT_TABLE);
  184. /* delete parent's manage right */
  185. SYNOPHOTO_ADMIN_DeleteParentRightBySharename($sharename, $userManageDelete, PHOTO_MANAGE_RIGHT_TABLE);
  186. /* update for group permission */
  187. $this->AddGroupPermission($shareid, $groupBrowseAdd, 1);
  188. $this->AddGroupPermission($shareid, $groupUploadAdd, 2);
  189. $this->AddGroupPermission($shareid, $groupManageAdd, 4);
  190. $this->DeleteGroupPermission($shareid, $groupBrowseDelete, 1);
  191. $this->DeleteGroupPermission($shareid, $groupUploadDelete, 2);
  192. $this->DeleteGroupPermission($shareid, $groupManageDelete, 4);
  193. $this->AddChildGroupRightBySharename($sharename, $groupManageAdd, 1);
  194. $this->AddChildGroupRightBySharename($sharename, $groupManageAdd, 2);
  195. $this->AddChildGroupRightBySharename($sharename, $groupManageAdd, 4);
  196. $this->DeleteParentGroupRightBySharename($sharename, $groupManageDelete, 4);
  197. break;
  198. case 1:
  199. /* add/delete self browse right */
  200. SYNOPHOTO_ADMIN_AddAccessRightByShareid($shareid, $userBrowseAdd, PHOTO_ACCESS_RIGHT_TABLE);
  201. SYNOPHOTO_ADMIN_DeleteAccessRightByShareid($shareid, $userBrowseDelete, PHOTO_ACCESS_RIGHT_TABLE);
  202. /* add/delete self upload right */
  203. SYNOPHOTO_ADMIN_AddAccessRightByShareid($shareid, $userUploadAdd, PHOTO_UPLOAD_RIGHT_TABLE);
  204. SYNOPHOTO_ADMIN_DeleteAccessRightByShareid($shareid, $userUploadDelete, PHOTO_UPLOAD_RIGHT_TABLE);
  205. /* add/delete self manage right */
  206. SYNOPHOTO_ADMIN_AddAccessRightByShareid($shareid, $userManageAdd, PHOTO_MANAGE_RIGHT_TABLE);
  207. SYNOPHOTO_ADMIN_DeleteAccessRightByShareid($shareid, $userManageDelete, PHOTO_MANAGE_RIGHT_TABLE);
  208. /* add child browse, upload, manage rights for manager */
  209. SYNOPHOTO_ADMIN_AddChildRightBySharename($sharename, $userManageAdd, PHOTO_MANAGE_RIGHT_TABLE);
  210. SYNOPHOTO_ADMIN_AddChildRightBySharename($sharename, $userManageAdd, PHOTO_UPLOAD_RIGHT_TABLE);
  211. SYNOPHOTO_ADMIN_AddChildRightBySharename($sharename, $userManageAdd, PHOTO_ACCESS_RIGHT_TABLE);
  212. /* delete parent's manage right */
  213. SYNOPHOTO_ADMIN_DeleteParentRightBySharename($sharename, $userManageDelete, PHOTO_MANAGE_RIGHT_TABLE);
  214. /* delete child's browse right */
  215. SYNOPHOTO_ADMIN_DeleteChildRightBySharename($sharename, $userBrowseDelete, PHOTO_ACCESS_RIGHT_TABLE);
  216. SYNOPHOTO_ADMIN_DeleteChildRightBySharename($sharename, $userBrowseDelete, PHOTO_UPLOAD_RIGHT_TABLE);
  217. SYNOPHOTO_ADMIN_DeleteChildRightBySharename($sharename, $userBrowseDelete, PHOTO_MANAGE_RIGHT_TABLE);
  218. /* update for group permission */
  219. $this->AddGroupPermission($shareid, $groupBrowseAdd, 1);
  220. $this->AddGroupPermission($shareid, $groupUploadAdd, 2);
  221. $this->AddGroupPermission($shareid, $groupManageAdd, 4);
  222. $this->DeleteGroupPermission($shareid, $groupBrowseDelete, 1);
  223. $this->DeleteGroupPermission($shareid, $groupUploadDelete, 2);
  224. $this->DeleteGroupPermission($shareid, $groupManageDelete, 4);
  225. $this->AddChildGroupRightBySharename($sharename, $groupManageAdd, 1);
  226. $this->AddChildGroupRightBySharename($sharename, $groupManageAdd, 2);
  227. $this->AddChildGroupRightBySharename($sharename, $groupManageAdd, 4);
  228. $this->DeleteParentGroupRightBySharename($sharename, $groupManageDelete, 4);
  229. $this->DeleteChildGroupRightBySharename($sharename, $groupBrowseDelete, 1);
  230. $this->DeleteChildGroupRightBySharename($sharename, $groupBrowseDelete, 2);
  231. $this->DeleteChildGroupRightBySharename($sharename, $groupBrowseDelete, 4);
  232. break;
  233. case 2:
  234. /* remove all permissions if album is password */
  235. $query = "Delete from " . PHOTO_ACCESS_RIGHT_TABLE . " where shareid = ".$shareid;
  236. PHOTO_DB_Query($query);
  237. $query = "Delete from " . PHOTO_UPLOAD_RIGHT_TABLE . " where shareid = ".$shareid;
  238. PHOTO_DB_Query($query);
  239. $query = "Delete from " . PHOTO_MANAGE_RIGHT_TABLE . " where shareid = ".$shareid;
  240. PHOTO_DB_Query($query);
  241. /* update for group permission */
  242. $query = "DELETE FROM " . PHOTO_GROUP_PERMISSION_TABLE . " WHERE shareid = " . $shareid;
  243. PHOTO_DB_Query($query);
  244. break;
  245. }
  246. $ret = true;
  247. End:
  248. return $ret;
  249. }
  250. private function EditGroup()
  251. {
  252. $ret = false;
  253. if (!isset($_REQUEST['id'])) {
  254. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  255. goto End;
  256. }
  257. $gid = $_REQUEST['id'];
  258. /* set album modified list */
  259. $albumBrowseDelete = isset($_REQUEST['album_browse_delete']) ? $_REQUEST['album_browse_delete'] : '';
  260. $albumUploadDelete = isset($_REQUEST['album_upload_delete']) ? $_REQUEST['album_upload_delete'] : '';
  261. $albumManageDelete = isset($_REQUEST['album_manage_delete']) ? $_REQUEST['album_manage_delete'] : '';
  262. $albumBrowseAdd = isset($_REQUEST['album_browse_add']) ? $_REQUEST['album_browse_add'] : '';
  263. $albumUploadAdd = isset($_REQUEST['album_upload_add']) ? $_REQUEST['album_upload_add'] : '';
  264. $albumManageAdd = isset($_REQUEST['album_manage_add']) ? $_REQUEST['album_manage_add'] : '';
  265. $this->AddAlbumPermission($gid, $albumBrowseAdd, 1);
  266. $this->AddAlbumPermission($gid, $albumUploadAdd, 2);
  267. $this->AddAlbumPermission($gid, $albumManageAdd, 4);
  268. $this->DeleteAlbumPermission($gid, $albumManageDelete, 4);
  269. $this->DeleteAlbumPermission($gid, $albumUploadDelete, 2);
  270. $this->DeleteAlbumPermission($gid, $albumBrowseDelete, 1);
  271. $ret = true;
  272. End:
  273. return $ret;
  274. }
  275. private function GetAlbumUserData($sharename, $start = 0, $limit = 15, $search = '')
  276. {
  277. /* edit sharename for root album */
  278. if ('' === $sharename) {
  279. $sharename = '/';
  280. }
  281. $query = "SELECT * FROM photo_share WHERE sharename = ?";
  282. $db_result = PHOTO_DB_Query($query, array($sharename));
  283. if ($row = PHOTO_DB_FetchRow($db_result)) {
  284. $shareid = $row['shareid'];
  285. $isPublic = ('t' == $row['public']);
  286. } else {
  287. return false;
  288. }
  289. $parentid = null;
  290. /* find the nearest private parent */
  291. if (false !== strstr($sharename, '/')) {
  292. $parent = substr($sharename, 0, strpos($sharename, "/"));
  293. $query = "SELECT * FROM photo_share WHERE sharename = ?";
  294. $db_result = PHOTO_DB_Query($query, array($parent));
  295. $row = PHOTO_DB_FetchRow($db_result);
  296. if ('' == $row['password'] && PHOTO_DB_ConvertBool($row['public']) == 'f') {
  297. // For parent albunm be privated
  298. // Only users who have the permission of the parent album can be candidates of the second album.
  299. // So we must filter them out
  300. $parentid = $row['shareid'];
  301. }
  302. }
  303. $users = $this->GetAllUsers($start, $limit, $search);
  304. $result['totalCount'] = $users['totalCount'];
  305. $result['all'] = array();
  306. for ($i = $start; $i < $users['totalCount'] && $i < $start + $limit; $i++) {
  307. $idx = $i - $start;
  308. $result['all'][$idx]['disabled'] = 0;
  309. if (null != $parentid) {
  310. $query = "SELECT * FROM " . PHOTO_ACCESS_RIGHT_TABLE . " WHERE shareid = " . $parentid;
  311. $query .= " AND userid = " . $users['all_users'][$idx]['userid'];
  312. $db_result_parent = PHOTO_DB_Query($query);
  313. // Only users who have the permission of the parent album can be candidates of the second album.
  314. if (false === ($row_parent = PHOTO_DB_FetchRow($db_result_parent))) {
  315. $result['all'][$idx]['disabled'] = 1;
  316. }
  317. }
  318. $result['all'][$idx]['userid'] = $users['all_users'][$idx]['userid'];
  319. $result['all'][$idx]['username'] = $users['all_users'][$idx]['username'];
  320. $result['all'][$idx]['description'] = $users['all_users'][$idx]['description'];
  321. /* check album access right */
  322. $query = "SELECT * FROM " . PHOTO_ACCESS_RIGHT_TABLE . " WHERE shareid = " . $shareid;
  323. $query .= " AND userid = " . $users['all_users'][$idx]['userid'];
  324. $db_result = PHOTO_DB_Query($query);
  325. $row = PHOTO_DB_FetchRow($db_result);
  326. if (($row != null || $isPublic) && (0 == $result['all'][$idx]['disabled'])) {
  327. $result['all'][$idx]['browse'] = 1;
  328. $result['all'][$idx]['browse_orig'] = 1;
  329. } else {
  330. $result['all'][$idx]['browse'] = 0;
  331. $result['all'][$idx]['browse_orig'] = 0;
  332. }
  333. /* check album upload right */
  334. $query_2 = "Select * from " . PHOTO_UPLOAD_RIGHT_TABLE . " where shareid = " . $shareid;
  335. $query_2 .= " and userid = " . $users['all_users'][$idx]['userid'];
  336. $db_result_2 = PHOTO_DB_Query($query_2);
  337. $row_2 = PHOTO_DB_FetchRow($db_result_2);
  338. if ($row_2 != null) {
  339. $result['all'][$idx]['upload'] = 1;
  340. $result['all'][$idx]['upload_orig'] = 1;
  341. } else {
  342. $result['all'][$idx]['upload'] = 0;
  343. $result['all'][$idx]['upload_orig'] = 0;
  344. }
  345. /* check album manage right */
  346. $query_3 = "Select * from " . PHOTO_MANAGE_RIGHT_TABLE . " where shareid = " . $shareid;
  347. $query_3 .= " and userid = " . $users['all_users'][$idx]['userid'];
  348. $db_result_3 = PHOTO_DB_Query($query_3);
  349. $row_3 = PHOTO_DB_FetchRow($db_result_3);
  350. if ($row_3 != null) {
  351. $result['all'][$idx]['manage'] = 1;
  352. $result['all'][$idx]['manage_orig'] = 1;
  353. } else {
  354. $result['all'][$idx]['manage'] = 0;
  355. $result['all'][$idx]['manage_orig'] = 0;
  356. }
  357. }
  358. return $result;
  359. }
  360. private function GetAllUsers($start, $limit, $search)
  361. {
  362. if ($_SESSION[SYNOPHOTO_ADMIN_USER]['use_dsm_account']) {
  363. return $this->GetAllDSMUser($start, $limit, $search);
  364. }
  365. $i = 0;
  366. $limitOffsetString = PHOTO_DB_GetLimitOffsetString($limit, $start);
  367. $query = "SELECT * FROM photo_user WHERE admin = 'f' AND username LIKE ? ORDER BY username ASC $limitOffsetString";
  368. $db_result = PHOTO_DB_Query($query, array("%$search%"));
  369. while ($row = PHOTO_DB_FetchRow($db_result)) {
  370. $result['all_users'][$i]['userid'] = $row['userid'];
  371. $result['all_users'][$i]['username'] = $row['username'];
  372. $result['all_users'][$i]['description'] = $row['description'];
  373. $i++;
  374. }
  375. $query = "SELECT count(*) FROM photo_user WHERE admin = 'f' AND username LIKE ?";
  376. $db_result = PHOTO_DB_Query($query, array("%$search%"));
  377. $row = PHOTO_DB_FetchRow($db_result);
  378. $result['totalCount'] = $row[0];
  379. return $result;
  380. }
  381. private function GetAllDSMUser($start, $limit, $query = '')
  382. {
  383. $command = "/usr/syno/bin/synophoto_dsm_user --enum " . escapeshellarg($query);
  384. @exec($command, $pListUserCount, $retval);
  385. if (0 > $retval) {
  386. $result['totalCount'] = 0;
  387. return json_encode($result);
  388. }
  389. $result['totalCount'] = $pListUserCount[0];
  390. /* get the order of user info */
  391. $dir = "ASC";
  392. /* modify start value to skip admin and guest */
  393. if (isset($pListUserCount[1])) {
  394. $result['totalCount'] --;
  395. if ($pListUserCount[1] < $start) {
  396. $start += 1;
  397. }
  398. }
  399. if (isset($pListUserCount[2])) {
  400. $result['totalCount'] --;
  401. if ($pListUserCount[2] < $start) {
  402. $start += 1;
  403. }
  404. }
  405. /* modify limit value accoring to start value */
  406. if (isset($pListUserCount[1])) {
  407. if ($start <= $pListUserCount[1] && $pListUserCount[1] < $start + $limit) {
  408. $limit += 1;
  409. }
  410. }
  411. if (isset($pListUserCount[2])) {
  412. if ($start <= $pListUserCount[2] && $pListUserCount[2] < $start + $limit) {
  413. $limit += 1;
  414. }
  415. }
  416. $command = "/usr/syno/bin/synophoto_dsm_user --enum " . escapeshellarg($start) . " " . escapeshellarg($limit) . " " . $dir . ":" . escapeshellarg($query);
  417. @exec($command, $pListUserName, $retval);
  418. if (0 !== $retval) {
  419. $result['totalCount'] = 0;
  420. return json_encode($result);
  421. }
  422. $i = 0;
  423. $result['all_users'] = array();
  424. foreach ($pListUserName as $user_str) {
  425. $user_info = split(',', $user_str);
  426. if ('guest' == $user_info[1] || 'admin' == $user_info[1]) {
  427. continue;
  428. }
  429. $result['all_users'][$i]['userid'] = $user_info[0];
  430. $result['all_users'][$i]['username'] = $user_info[1];
  431. $result['all_users'][$i]['description'] = $user_info[2];
  432. $result['all_users'][$i]['disable'] = ($user_info[3] == 'true') ? "t" : "f";
  433. $result['all_users'][$i]['admin'] = ($user_info[5] == 1) ? "t" : "f";
  434. $i++;
  435. }
  436. return $result;
  437. }
  438. private function GetAlbumGroupData($sharename, $start = 0, $limit = 15, $search = '')
  439. {
  440. /* edit sharename for root album */
  441. if ('' === $sharename) {
  442. $sharename = '/';
  443. }
  444. $query = "SELECT * FROM photo_share WHERE sharename = ?";
  445. $db_result = PHOTO_DB_Query($query, array($sharename));
  446. if ($row = PHOTO_DB_FetchRow($db_result)) {
  447. $shareid = $row['shareid'];
  448. $isPublic = ('t' == $row['public']);
  449. } else {
  450. return false;
  451. }
  452. $parentid = null;
  453. /* find the nearest private parent */
  454. if (false !== strstr($sharename, '/')) {
  455. $parent = substr($sharename, 0, strpos($sharename, "/"));
  456. $query = "SELECT * FROM photo_share WHERE sharename = ?";
  457. $db_result = PHOTO_DB_Query($query, array($parent));
  458. $row = PHOTO_DB_FetchRow($db_result);
  459. if ('' == $row['password'] && PHOTO_DB_ConvertBool($row['public']) == 'f') {
  460. // For parent albunm be privated
  461. // Only users who have the permission of the parent album can be candidates of the second album.
  462. // So we must filter them out
  463. $parentid = $row['shareid'];
  464. }
  465. }
  466. $groups = $this->GetAllGroups($start, $limit, $search);
  467. $result['totalCount'] = $groups['totalCount'];
  468. $result['all'] = array();
  469. for ($i = $start; $i < $groups['totalCount'] && $i < $start + $limit; $i ++) {
  470. $idx = $i - $start;
  471. $result['all'][$idx]['disabled'] = 0;
  472. if (null != $parentid) {
  473. $query = "SELECT * FROM " . PHOTO_GROUP_PERMISSION_TABLE . " WHERE shareid = " . $parentid;
  474. $query .= " AND groupid = " . $groups['all_groups'][$idx]['groupid'];
  475. $db_result_parent = PHOTO_DB_Query($query);
  476. // Only groups which have the permission of the parent album can be candidates of the second album.
  477. if (false === ($row_parent = PHOTO_DB_FetchRow($db_result_parent))) {
  478. $result['all'][$idx]['disabled'] = 1;
  479. }
  480. }
  481. $result['all'][$idx]['groupid'] = $groups['all_groups'][$idx]['groupid'];
  482. $result['all'][$idx]['groupname'] = $groups['all_groups'][$idx]['groupname'];
  483. $result['all'][$idx]['description'] = $groups['all_groups'][$idx]['description'];
  484. $query = "SELECT * FROM " . PHOTO_GROUP_PERMISSION_TABLE . " WHERE shareid = " . $shareid;
  485. $query .= " AND groupid = " . $groups['all_groups'][$idx]['groupid'];
  486. $db_result = PHOTO_DB_Query($query);
  487. $row = PHOTO_DB_FetchRow($db_result);
  488. if ((($row != null && (1 & $row['permission'])) || $isPublic) && (0 == $result['all'][$idx]['disabled'])) {
  489. $result['all'][$idx]['browse'] = 1;
  490. $result['all'][$idx]['browse_orig'] = 1;
  491. } else {
  492. $result['all'][$idx]['browse'] = 0;
  493. $result['all'][$idx]['browse_orig'] = 0;
  494. }
  495. if ($row != null && (2 & $row['permission'])) {
  496. $result['all'][$idx]['upload'] = 1;
  497. $result['all'][$idx]['upload_orig'] = 1;
  498. } else {
  499. $result['all'][$idx]['upload'] = 0;
  500. $result['all'][$idx]['upload_orig'] = 0;
  501. }
  502. if ($row != null && (4 & $row['permission'])) {
  503. $result['all'][$idx]['manage'] = 1;
  504. $result['all'][$idx]['manage_orig'] = 1;
  505. } else {
  506. $result['all'][$idx]['manage'] = 0;
  507. $result['all'][$idx]['manage_orig'] = 0;
  508. }
  509. }
  510. return $result;
  511. }
  512. private function GetAllGroups($start, $limit, $search)
  513. {
  514. if ($_SESSION[SYNOPHOTO_ADMIN_USER]['use_dsm_account']) {
  515. return $this->GetAllDSMGroup($start, $limit, $search);
  516. }
  517. $i = 0;
  518. $limitOffsetString = PHOTO_DB_GetLimitOffsetString($limit, $start);
  519. $query = "SELECT * FROM photo_group WHERE groupname LIKE ? ORDER BY groupname ASC $limitOffsetString";
  520. $db_result = PHOTO_DB_Query($query, array("%$search%"));
  521. while ($row = PHOTO_DB_FetchRow($db_result)) {
  522. $result['all_groups'][$i]['groupid'] = $row['groupid'];
  523. $result['all_groups'][$i]['groupname'] = $row['groupname'];
  524. $result['all_groups'][$i]['description'] = $row['description'];
  525. $i ++;
  526. }
  527. $query = "SELECT count(*) FROM photo_group WHERE groupname LIKE ?";
  528. $db_result = PHOTO_DB_Query($query, array("%$search%"));
  529. $row = PHOTO_DB_FetchRow($db_result);
  530. $result['totalCount'] = $row[0];
  531. return $result;
  532. }
  533. private function GetAllDSMGroup($start, $limit, $query = '')
  534. {
  535. $command = "/usr/syno/bin/synophoto_dsm_user --group " . escapeshellarg($query);
  536. @exec($command, $pListGroupCount, $retval);
  537. if (0 > $retval) {
  538. $result['totalCount'] = 0;
  539. return $result;
  540. }
  541. $result['totalCount'] = $pListGroupCount[0];
  542. $command = "/usr/syno/bin/synophoto_dsm_user --group " . escapeshellarg($start) . " " . escapeshellarg($limit) . " ASC:" . escapeshellarg($query);
  543. @exec($command, $pListGroupName, $retval);
  544. if (0 !== $retval) {
  545. $result['totalCount'] = 0;
  546. return $result;
  547. }
  548. $i = 0;
  549. $result['all_groups'] = array();
  550. foreach ($pListGroupName as $group_str) {
  551. $group_info = split(',', $group_str);
  552. $result['all_groups'][$i]['groupid'] = $group_info[0];
  553. $result['all_groups'][$i]['groupname'] = $group_info[1];
  554. $result['all_groups'][$i]['description'] = $group_info[2];
  555. $i ++;
  556. }
  557. return $result;
  558. }
  559. private function AddGroupPermission($shareid, $groups, $type)
  560. {
  561. if ($shareid == null || $shareid == "" || $groups == null || $groups == "") {
  562. return;
  563. }
  564. $ids = explode(',', $groups);
  565. foreach ($ids as $id) {
  566. if ('' === $id) {
  567. continue;
  568. }
  569. $query = "UPDATE " . PHOTO_GROUP_PERMISSION_TABLE . " SET permission = permission | $type WHERE shareid = " . $shareid . " AND groupid = " . $id;
  570. $db_result = PHOTO_DB_Query($query);
  571. if (false === ($row = PHOTO_DB_FetchRow($db_result))) {
  572. $date = date('Y-m-d H:i:s');
  573. $query = "INSERT INTO " . PHOTO_GROUP_PERMISSION_TABLE . " (groupid, shareid, permission, create_time) ";
  574. $query = $query . "VALUES (" . $id . ", " . $shareid . ", " . $type . ", '" . $date . "')";
  575. $db_result = PHOTO_DB_Query($query);
  576. }
  577. }
  578. }
  579. private function AddAlbumPermission($gid, $albums, $type)
  580. {
  581. if ($gid == null || $gid == "" || $albums == null || $albums == "") {
  582. return;
  583. }
  584. $ids = explode(',', $albums);
  585. foreach ($ids as $id) {
  586. if ('' === $id) {
  587. continue;
  588. }
  589. $query = "UPDATE " . PHOTO_GROUP_PERMISSION_TABLE . " SET permission = permission | $type WHERE shareid = " . $id . " AND groupid = " . $gid;
  590. $db_result = PHOTO_DB_Query($query);
  591. if (false === ($row = PHOTO_DB_FetchRow($db_result))) {
  592. $date = date('Y-m-d H:i:s');
  593. $query = "INSERT INTO " . PHOTO_GROUP_PERMISSION_TABLE . " (groupid, shareid, permission, create_time) ";
  594. $query = $query . "VALUES (" . $gid . ", " . $id . ", " . $type . ", '" . $date . "')";
  595. $db_result = PHOTO_DB_Query($query);
  596. }
  597. }
  598. }
  599. private function DeleteGroupPermission($shareid, $groups, $type)
  600. {
  601. if ($shareid == null || $shareid == "" || $groups == null || $groups == "") {
  602. return;
  603. }
  604. $type = -1 - $type;
  605. $ids = explode(',', $groups);
  606. foreach ($ids as $id) {
  607. if ('' === $id) {
  608. continue;
  609. }
  610. $query = "UPDATE " . PHOTO_GROUP_PERMISSION_TABLE . " SET permission = permission & $type WHERE shareid = " . $shareid . " AND groupid = " . $id;
  611. $db_result = PHOTO_DB_Query($query);
  612. }
  613. $query = "DELETE FROM " . PHOTO_GROUP_PERMISSION_TABLE . " WHERE permission = 0";
  614. $db_result = PHOTO_DB_Query($query);
  615. }
  616. private function DeleteAlbumPermission($gid, $albums, $type)
  617. {
  618. if ($gid == null || $gid == "" || $albums == null || $albums == "") {
  619. return;
  620. }
  621. $type = -1 - $type;
  622. $ids = explode(',', $albums);
  623. foreach ($ids as $id) {
  624. if ('' === $id) {
  625. continue;
  626. }
  627. $query = "UPDATE " . PHOTO_GROUP_PERMISSION_TABLE . " SET permission = permission & $type WHERE shareid = " . $id . " AND groupid = " . $gid;
  628. $db_result = PHOTO_DB_Query($query);
  629. }
  630. $query = "DELETE FROM " . PHOTO_GROUP_PERMISSION_TABLE . " WHERE permission = 0";
  631. $db_result = PHOTO_DB_Query($query);
  632. }
  633. private function AddChildGroupRightBySharename($sharename, $groups, $type)
  634. {
  635. if($sharename == null || $sharename == "" || $groups == null || $groups == "") {
  636. return;
  637. }
  638. $queryParam = array();
  639. if ("/" === $sharename) {
  640. $query = "SELECT shareid FROM photo_share WHERE sharename <> '/' AND sharename NOT LIKE '%/%/%'";
  641. } else {
  642. $query = "SELECT shareid FROM photo_share WHERE sharename LIKE ? AND sharename NOT LIKE ?";
  643. $queryParam = array("$sharename/%", "$sharename/%/%");
  644. }
  645. if ($table === PHOTO_ACCESS_RIGHT_TABLE) {
  646. $query .= " AND public='f'";
  647. }
  648. $query .= " AND password=''";
  649. $db_result = PHOTO_DB_Query($query, $queryParam);
  650. while ($row = PHOTO_DB_FetchRow($db_result)) {
  651. $shareid = $row['shareid'];
  652. $this->AddGroupPermission($shareid, $groups, $type);
  653. }
  654. }
  655. private function DeleteChildGroupRightBySharename($sharename, $groups, $type)
  656. {
  657. if($sharename == null || $sharename == "" || $groups == null || $groups == "") {
  658. return;
  659. }
  660. $escape = PHOTO_DB_GetEscape();
  661. $query = "SELECT shareid FROM photo_share WHERE sharename LIKE ?";
  662. $db_result = PHOTO_DB_Query($query, array("$sharename/%"));
  663. while ($row = PHOTO_DB_FetchRow($db_result)) {
  664. $shareid = $row['shareid'];
  665. $this->DeleteGroupPermission($shareid, $groups, $type);
  666. }
  667. }
  668. private function DeleteParentGroupRightBySharename($sharename, $groups, $type)
  669. {
  670. if($sharename == null || $sharename == "" || $groups == null || $groups == "") {
  671. return;
  672. }
  673. if ('/' === $sharename || '' === $sharename) {
  674. return;
  675. }
  676. $parentName = substr($sharename, 0, strrpos($sharename, '/'));
  677. if ('' === $parentName) {
  678. $parentName = '/';
  679. }
  680. $escape = PHOTO_DB_GetEscape();
  681. $query = "SELECT shareid FROM photo_share WHERE sharename=?";
  682. $db_result = PHOTO_DB_Query($query, array($parentName));
  683. if ($row = PHOTO_DB_FetchRow($db_result)) {
  684. $shareid = $row['shareid'];
  685. $this->DeleteGroupPermission($shareid, $groups, $type);
  686. }
  687. $this->DeleteParentGroupRightBySharename($parentName, $groups, $type);
  688. }
  689. private function ListPublicShare()
  690. {
  691. $ret = false;
  692. if (!isset($_REQUEST['type']) || !isset($_REQUEST['offset']) || !isset($_REQUEST['limit'])) {
  693. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  694. goto End;
  695. }
  696. $type = $_REQUEST['type'];
  697. // fetch list
  698. if ($type === 'user') {
  699. $list_result = $this->GetAllUsers($_REQUEST['offset'], $_REQUEST['limit'], "");
  700. } else if ($type === 'group') {
  701. $list_result = $this->GetAllGroups($_REQUEST['offset'], $_REQUEST['limit'], "");
  702. } else {
  703. $this->SetError(PHOTOSTATION_PERMISSION_BAD_PARAMS);
  704. goto End;
  705. }
  706. // fetch all public_share permission
  707. $table_name = "photo_" . ($type === 'group' ? 'group_' : '') . "public_share_right";
  708. if ($_SESSION[SYNOPHOTO_ADMIN_USER]['use_dsm_account']) {
  709. $table_name .= '_for_dsm_account';
  710. }
  711. $query = "SELECT * FROM $table_name";
  712. $db_result = PHOTO_DB_Query($query);
  713. $permission_list = array();
  714. while ($row = PHOTO_DB_FetchRow($db_result)) {
  715. $permission_list[$row[0]] = 1;
  716. }
  717. // combine list and permission
  718. $result = array();
  719. $result['total'] = $list_result['totalCount'];
  720. $result['items'] = array();
  721. $item['type'] = $type;
  722. foreach($list_result['all_' .$type. 's'] as $list_item) {
  723. $item['id'] = $list_item[$type . 'id'];
  724. $item['name'] = $list_item[$type . 'name'];
  725. $item['allow_public_share'] = isset($permission_list[$item['id']]);
  726. $result['items'][] = $item;
  727. }
  728. $ret = true;
  729. $this->SetResponse($result);
  730. End:
  731. return $ret;
  732. }
  733. private function EditPublicShare()
  734. {
  735. $table_name = "photo_public_share_right";
  736. if ($_SESSION[SYNOPHOTO_ADMIN_USER]['use_dsm_account']) {
  737. $table_name .= '_for_dsm_account';
  738. }
  739. if (isset($_REQUEST['enable_user'])) {
  740. $this->EnablePublicShare($table_name, explode(",", $_REQUEST['enable_user']));
  741. }
  742. if (isset($_REQUEST['disable_user'])) {
  743. $this->DisablePublicShare($table_name, explode(",", $_REQUEST['disable_user']), 'user');
  744. }
  745. $table_name = "photo_group_public_share_right";
  746. if ($_SESSION[SYNOPHOTO_ADMIN_USER]['use_dsm_account']) {
  747. $table_name .= '_for_dsm_account';
  748. }
  749. if (isset($_REQUEST['enable_group'])) {
  750. $this->EnablePublicShare($table_name, explode(",", $_REQUEST['enable_group']));
  751. }
  752. if (isset($_REQUEST['disable_group'])) {
  753. $this->DisablePublicShare($table_name, explode(",", $_REQUEST['disable_group']), 'group');
  754. }
  755. }
  756. private function EnablePublicShare($table, $ids)
  757. {
  758. $query = "INSERT INTO $table VALUES (?)";
  759. foreach ($ids as $id) {
  760. PHOTO_DB_Query($query, array($id));
  761. }
  762. }
  763. private function DisablePublicShare($table, $ids, $type)
  764. {
  765. $query = "DELETE FROM $table WHERE " . $type ."id = (?)";
  766. foreach ($ids as $id) {
  767. PHOTO_DB_Query($query, array($id));
  768. }
  769. }
  770. }
  771. $api = new PermissionAPI();
  772. $api->Run();