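<?php
// delete-api.php - confirmation page and handler for permanently deleting an API token.
//
// Flow: the caller must be authenticated; the token is looked up from $_GET['i'];
// a confirmed POST carrying a valid CSRF token deletes it and the user is sent
// back to the token list. Every outcome is written to the Log.
//
// NOTE(review): Redirect::to() is assumed to end the request after sending the
// redirect; if it does not, the page body below is still rendered afterwards.

// Require relevant information for settings.config.inc.php, including functions and database access
require_once("../includes/settings.config.inc.php");

// Set $page_name so that the title of each page is correct
$page_name = PAGENAME_API;

// Only authenticated users may reach this page
if (!$user->authenticated) {
    $user->logout('not_authenticated');
}

if (isset($_GET["i"])) {
    // Find API token in database
    $api = new API();
    $api->find_id($_GET['i']);

    if ($api->found) {
        // Set page name as API token could be found
        $subpage_name = $api->token . ' - ' . PAGENAME_APIDELETE;
        // Obtain a CSRF token to be used to prevent CSRF - this is stored in the $_SESSION
        $csrf_token = CSRF::get_token();

        // Strict comparison: only the real submit-button value counts as a submission
        if (isset($_POST["submit"]) && $_POST["submit"] === "submit") {
            // Ensure that the user actually wants to delete the API token
            if (isset($_POST["confirm_delete"])) {
                // Validate all fields; $errors collects the messages shown to the user
                $errors = array();

                // A request without a csrf_token field fails validation outright instead of
                // raising an undefined-index notice and passing an empty value to check_token()
                if (!isset($_POST['csrf_token']) || !CSRF::check_token($_POST['csrf_token'])) {
                    $errors[] = $validation['invalid']['security']['csrf_token'];
                }

                if (empty($errors)) {
                    // Delete the API token
                    $result = $api->delete();
                    if ($result) {
                        // API token successfully deleted: notify, log and return to the list
                        $session->message_alert($notification["api"]["delete"]["success"], "success");
                        $log = new Log('api_delete_success', 'API token (' . $api->token . ') was deleted.');
                        Redirect::to(PAGELINK_API);
                    } else {
                        // NOTE(review): the failure message is read from the "contact" branch of
                        // $notification while every other message here uses the "api" branch -
                        // looks like a copy-paste; confirm whether an "api" failure key exists
                        $session->message_alert($notification["contact"]["delete"]["failure"], "danger");
                        // Log the database failure
                        $log = new Log('api_delete_failed', 'database');
                    }
                } else {
                    // Form field validation has failed - display the collected messages
                    $session->message_validation($errors);
                    // Log the failed form process
                    $log = new Log('api_delete_failed', 'Failed API token delete due to form validation errors.');
                }
            } else {
                // User did not confirm the deletion: warn, log and send them back to this page
                $session->message_alert($validation["field_required"]["api"]["confirm_delete"], "danger");
                $log = new Log('api_delete_failed', 'User did not confirm that they wanted to delete the API token.');
                Redirect::to(PAGELINK_APIDELETE . '?i=' . urlencode($api->token));
            }
        }

        // Page was reached (GET, or a POST that did not redirect) - log the view
        $log = new Log('view');
    } else {
        // API token could not be found in the database: notify, log and redirect
        $session->message_alert($notification["api"]["delete"]["not_found"], "danger");
        // Set $subpage_name so that the title of each page is correct - token couldn't be found
        $subpage_name = 'API Token Not Found - ' . PAGENAME_APIDELETE;
        $log = new Log('not_found');
        Redirect::to(PAGELINK_API);
    }
} else {
    // Value of i in GET doesn't exist: notify, log and redirect
    $session->message_alert($notification["api"]["delete"]["not_found"], "danger");
    // Set $subpage_name so that the title of each page is correct - GET value not correct
    $subpage_name = 'Invalid GET Value - ' . PAGENAME_APIDELETE;
    $log = new Log('not_found');
    Redirect::to(PAGELINK_API);
}

// Require head content in the page
require_once("../includes/layout.head.inc.php");
// Require navigation content in the page
require_once("../includes/layout.navigation.inc.php");

// The token is escaped for the HTML context wherever it is echoed below; it is a
// database-sourced value, so it must not be trusted to contain only safe characters.
?>
<!-- CONTENT -->
<?php $session->output_message(); ?>
<h3>WARNING</h3>
<p><strong>This process is <u>IRREVERSIBLE</u>. Once an API token has been deleted there is no way to restore - you will need to create a new API token.</strong></p>
<p>Please confirm that you would like to <strong>permanently delete</strong> API token <?php echo htmlspecialchars($api->token, ENT_QUOTES, 'UTF-8'); ?> from the system.</p>
<form class="form-horizontal" action="" method="post">
    <div class="checkbox">
        <label>
            <input type="checkbox" name="confirm_delete"> Yes, I am sure that I want to <strong>permanently delete</strong> API token <?php echo htmlspecialchars($api->token, ENT_QUOTES, 'UTF-8'); ?>
        </label>
    </div>
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($csrf_token, ENT_QUOTES, 'UTF-8'); ?>"/>
    <hr>
    <div>
        <button type="submit" name="submit" value="submit" class="btn btn-danger">Delete API Token</button>
    </div>
</form>
<!-- /CONTENT -->
<?php
// Require footer content in the page, including any relevant scripts
require_once("../includes/layout.footer.inc.php");
?>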