<?php
include 'common.php';
/**
 * Abort the current request with a JSON error envelope.
 *
 * Writes the message to the "ajax_errors" log, sends
 * {"error": true, "msg": ...} with a JSON content type and terminates the
 * script, so no statement after the call is ever reached.
 *
 * NOTE(review): the response keeps whatever HTTP status is already in effect
 * (normally 200); clients must inspect the "error" flag rather than the
 * status code. Whatever is passed as $msg reaches the client verbatim, so
 * only pass fixed, non-sensitive strings.
 *
 * @param string $msg reason for the failure, logged and returned to the client
 */
function error($msg){
    Log::put("ajax_errors", $msg);

    $body = json_encode(["error" => true, "msg" => $msg]);

    header('Content-Type: application/json');
    echo $body;

    exit;
}
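// Reject requests that do not come from an established session: the CSRF
// token lives in $_SESSION, so a request without one cannot have been
// issued by a page that was served with the token.
if (empty($_SESSION['token'])) {
    error("Direct access violation.");
}

// Validate the CSRF token carried in the `Csrf-Token` request header.
// Read it from $_SERVER instead of apache_request_headers(): that function is
// not available on every SAPI and keys its array by the header name exactly
// as the client sent it, so a lower-cased header (HTTP/2 always lower-cases
// header names) would be reported as missing. PHP normalises the header into
// $_SERVER['HTTP_CSRF_TOKEN'] on every SAPI.
if (!isset($_SERVER['HTTP_CSRF_TOKEN'])) {
    error("No CSRF token.");
}

// Compare in constant time. A plain !== stops at the first differing byte,
// which leaks enough timing information to recover the token byte by byte.
$csrfToken = (string) $_SERVER['HTTP_CSRF_TOKEN'];
if (!hash_equals((string) $_SESSION['token'], $csrfToken)) {
    error("Wrong CSRF token.");
}

// Prepare inputs. Precedence is deliberate-looking and is kept: array_merge()
// lets a query-string parameter override a POST field of the same name, and
// the action handlers below receive this merged array. Be aware that
// ?name=value on the URL can therefore shadow a form value. The superglobals
// are always arrays, so suppressing them with @ added nothing.
$r = array_merge($_POST, $_GET);

// Resolve the requested action to a method of Post. The action name is
// attacker-controlled, so before it reaches call_user_func() it must be
//   - a string (not an array from ?action[]=...),
//   - a plain identifier that does not start with an underscore, which rules
//     out magic methods such as __callStatic or __destruct,
//   - a method Post actually declares (method_exists() does not consult
//     __callStatic, whereas is_callable() does), and public.
// NOTE(review): an explicit allowlist of action names would be tighter still;
// this file does not show which Post methods are meant to be reachable.
$action = isset($r["action"]) ? $r["action"] : null;
$f = null;
if (is_string($action)
    && preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $action) === 1
    && method_exists('Post', $action)
) {
    $method = new ReflectionMethod('Post', $action);
    if ($method->isPublic()) {
        $f = ['Post', $action];
    }
}

// Dispatch. is_callable() is kept as the final gate so that a non-static
// method keeps whatever behaviour the running PHP version gives it.
// The access is logged before the handler runs so that a handler that
// crashes or exits on its own still leaves a trace.
if ($f !== null && is_callable($f)) {
    Log::put("ajax_access", $action);
    $c = call_user_func($f, $r);
} else {
    error("Method was not found.");
}

// Flush the handler's result as JSON. json_encode() returns false on invalid
// UTF-8 or unsupported values and `echo false` prints nothing, which would
// send an empty body under a JSON content type; report that as an error
// instead so the client gets a parseable response.
$out = json_encode($c);
if ($out === false) {
    error("Response encoding failed.");
}

header('Content-Type: application/json');
echo $out;

exit;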