KooperationsstelleGoettingen
diff --git a/‎.travis.yml
+1-1 b/‎.travis.yml
+1-1
diff --git a/‎README.md
+2-6 b/‎README.md
+2-6
diff --git a/‎plugins/restapi.php
+66-4 b/‎plugins/restapi.php
+66-4
diff --git a/‎plugins/restapi/call.php
+47-30 b/‎plugins/restapi/call.php
+47-30
diff --git a/‎plugins/restapi/doc/doc.php
+44-54 b/‎plugins/restapi/doc/doc.php
+44-54
@@ -2,7 +2,6 @@
 # whitelist
 language: php
 php:
-  - 7.0
   - 5.6
   - 5.5
   - 5.4
@@ -21,6 +20,7 @@ before_script:
   - composer self-update
   - composer install --prefer-dist
   - sudo cp -f tests/travis-ci/behat.yml behat.yml
+  - sudo cp -f tests/travis-ci/phpunit.xml tests/phpunit/
 
   # Set MySQL configuration and create the database.
   - mysql -e 'SET GLOBAL wait_timeout = 5400;'
 
@@ -48,9 +48,6 @@ Log in to /admin and the collapsed "Plugins" menu should have two links added: "
 
 Click on the item "RESTAPI" item for more information!
 
-###4. Test
-Click on "restapi test" to test your installation of the API plugin!
-
 ##Access
 Autentication required as admin in phpList.
 
@@ -65,11 +62,10 @@ First login to phpList with *POST* method and body parameters: "login" and "pass
 
 
 ##Client
-To try the RESTAPI, please use a client like CocaRestClient or eqvivalent!
 
-There is an example class in restapi-test/phplist_restapi_helper.php if you like to try it in PHP.
+Some examples and a client class to access the API can be found at
 
-For examples check commands in restapi-test/main.php
+https://github.com/michield/phplist-restapi-client
 
 ##Standard reponse
 All responses is returned in json and encoded to UTF-8.
 
@@ -7,6 +7,16 @@
  * 
  * version history:
  * 
+ * v 3 2015-11-19
+ * - updated some calls
+ * - added more security checks
+ * - added phpunit tests
+ * - removed obsolete fields
+ * - added limit to subscriber retrieval
+ * - added limit to campaign retrieval
+ * - renamed messages to campaigns
+ * - renamed users to subscribers
+ * 
  * v 2 * phpList Api Team https://github.com/orgs/phpList/teams/api
  * - renamed plugin repository to phplist-plugin-restapi
  * - https://github.com/phpList/phplist-plugin-restapi
@@ -20,20 +30,72 @@ class restapi extends phplistPlugin
 {
     public $name = 'RESTAPI';
     public $description = 'Implements a REST API interface to phpList';
+    public $version = 3;
+    public $documentationUrl = 'https://resources.phplist.com/plugin/restapi';
     public $topMenuLinks = array(
       'main' => array('category' => 'system'),
     );
 
-    public function restapi()
+    public $DBstruct = array(
+        'request_log' => array(
+            'id' => array('integer not null primary key auto_increment', 'ID'),
+            'url' => array('text not null', ''),
+            'cmd' => array('varchar(150) not null',''),
+            'ip' => array('varchar(15) not null',''),
+            'request' => array('text not null', ''),
+            'date' => array('timestamp not null', ''),
+            'index_1' => array('dateidx (date)',''),
+            'index_2' => array('cmdidx (cmd)',''),
+            'index_3' => array('ipidx (ip)',''),
+        ),
+    );
+
+    public $settings = array(
+        'restapi_limit' => array(
+            'description' => 'Maximum number of RESTAPI requests per minute',
+            'type' => 'integer',
+            'value' => 60,
+            'allowempty' => false,
+            'min' => 1,
+            'max' => 1200,
+            'category' => 'Security',
+        ),
+        'restapi_enforcessl' => array(
+            'description' => 'Require SSL on Rest API calls',
+            'type' => 'boolean',
+            'allowempty' => true,
+            'value' => false,
+            'category' => 'Security',
+        ),
+        'restapi_ipaddress' => array(
+            'description' => 'IP Address that is allowed to access the API',
+            'type' => 'text',
+            'allowempty' => true,
+            'value' => '',
+            'category' => 'Security',
+        ),
+        'restapi_usesecret' => array(
+            'description' => 'Require the secret code for Rest API calls',
+            'type' => 'boolean',
+            'allowempty' => true,
+            'value' => false,
+            'category' => 'Security',
+        ),
+    );
+    public function __construct()
     {
-        parent::phplistplugin();
-        $this->coderoot = dirname(__FILE__).'/restapi/';
+        $this->coderoot = dirname(__FILE__).'/'.__CLASS__.'/';
+        parent::__construct();
+        if (!Sql_Table_exists($GLOBALS['table_prefix'].'restapi_request_log')) {
+            saveConfig(md5('plugin-restapi-initialised'), false, 0);
+            $this->initialise();
+        }
     }
 
     public function adminmenu()
     {
         return array(
-            'main' => 'RESTAPI',
+            'main' => 'RESTAPI Main',
         );
     }
 }
@@ -4,52 +4,69 @@
 
 defined('PHPLISTINIT') || die;
 
-//No HTML-output, please!
-ob_end_clean();
 
 //Getting phpList globals for this plugin
 $plugin = $GLOBALS['plugins'][$_GET['pi']];
 
-include 'includes/response.php';
-include 'includes/pdo.php';
-
-include 'includes/common.php';
-
-include 'includes/actions.php';
-include 'includes/lists.php';
-include 'includes/subscribers.php';
-include 'includes/templates.php';
-include 'includes/messages.php';
-
-include 'doc/doc.php';
-
-if (function_exists('api_request_log')) {
-    api_request_log();
-}
-
-//Check if this is called outside phpList auth, this should never occur!
-if (empty($plugin->coderoot)) {
-    Response::outputErrorMessage('Not authorized! Please login with [login] and [password] as admin first!');
-}
-
+include_once 'includes/response.php';
+include_once 'includes/pdo.php';
+include_once 'includes/common.php';
+include_once 'includes/actions.php';
+include_once 'includes/lists.php';
+include_once 'includes/subscribers.php';
+include_once 'includes/templates.php';
+include_once 'includes/campaigns.php';
 //If other than POST then assume documentation report
 if (strcmp($_SERVER['REQUEST_METHOD'], 'POST')) {
-    $doc = new \phpListRestapiDoc();
+    include_once 'doc/doc.php';
+    $doc = new phpListRestapiDoc();
     $doc->addClass('Actions');
     $doc->addClass('Lists');
     $doc->addClass('Subscribers');
     $doc->addClass('Templates');
-    $doc->addClass('Messages');
-    $doc->output();
+    $doc->addClass('Campaigns');
+    print $doc->output();
+    return;
 }
+ob_end_clean();
 
-//Check if command is empty!
 $cmd = $_REQUEST['cmd'];
 $cmd = preg_replace('/\W/', '', $cmd);
 if (empty($cmd)) {
     Response::outputMessage('OK! For action, please provide Post Param Key [cmd] !');
 }
 
+if (function_exists('api_request_log')) {
+    api_request_log();
+}
+
+if (empty($plugin->coderoot)) {
+    Response::outputErrorMessage('Not authorized! Please login with [login] and [password] as admin first!');
+}
+
+if ($cmd != 'login') {
+  Common::logRequest($cmd);
+  Common::enforceRequestLimit(getConfig('restapi_limit'));
+}
+$ipAddress = getConfig('restapi_ipaddress');
+if (!empty($ipAddress) && ($GLOBALS['remoteAddr'] != $ipAddress)) {
+    $response->outputErrorMessage('Incorrect ip address for request. Check your settings.');
+    die(0);
+} 
+$requireSecret = getConfig('restapi_usesecret');
+if ($requireSecret) {
+  $secret = getConfig('remote_processing_secret');
+  if (empty($_REQUEST['secret']) || $_REQUEST['secret'] != $secret) {
+    $response->outputErrorMessage('Incorrect processing secret. Check your settings.');
+    die(0);
+  }
+} 
+$enforceSSL = getConfig('restapi_enforcessl');
+if ($enforceSSL && empty($_SERVER['HTTPS'])) {
+    $response->outputErrorMessage('Invalid API request. Request is not using SSL, which is enforced by the plugin settings.');
+    die(0);
+}
+
 //Now bind the commands with static functions
 if (is_callable(array('phpListRestapi\Lists',       $cmd))) {
     Lists::$cmd();
@@ -63,8 +80,8 @@
 if (is_callable(array('phpListRestapi\Templates',   $cmd))) {
     Templates::$cmd();
 }
-if (is_callable(array('phpListRestapi\Messages',    $cmd))) {
-    Messages::$cmd();
+if (is_callable(array('phpListRestapi\Campaigns',    $cmd))) {
+    Campaigns::$cmd();
 }
 
 //If no command found, return error message!
 
@@ -1,4 +1,5 @@
 <?php
+namespace phpListRestapi;
 
 class phpListRestapiDoc
 {
@@ -15,97 +16,86 @@ public function addClass($classname)
 
     public function output()
     {
-        $this->header();
+        $output = $this->header();
 
         foreach ($this->classes as $class) {
             $reflect = new \ReflectionClass($class);
             $methods = $reflect->getMethods();
             foreach ($methods as $method) {
-                echo '<section>';
-                echo '<div class="page-header">';
-                echo '<h2>'.$method->name.'</h2>';
-                echo '</div>';
-                echo '<div class="row">';
-                echo '<div class="span12">';
-
-                $comment = $method->getDocComment();
-
-                $comment = str_replace('/**', '', $comment);
-                $comment = str_replace('*/', '', $comment);
-                $comment = str_replace('[*', '<span class="label label-warning">', $comment);
-                $comment = str_replace('[', '<span class="label label-success">', $comment);
-                $comment = str_replace(']', '</span>', $comment);
-                $comment = str_replace('{', '<span class="badge">', $comment);
-                $comment = str_replace('}', '</span>', $comment);
-                $comment = str_replace('*', '', $comment);
-                //$comment = str_replace( '<br><br>', '', $comment );
-
-                echo trim($comment);
-
-                echo '</div>';
-                echo '</div>';
-                echo '<br/>';
-                echo '<section>';
+                if (Common::method_allowed($reflect->getShortName(),$method->name)) {
+                  $output .= '<section>';
+                  $output .= '<div class="page-header">';
+             #     $output .= '<h2>'.$reflect->getShortName().'</h2>';
+                  $output .= '<h2>'.$method->name.'</h2>';
+                  $output .= '</div>';
+                  $output .= '<div class="row">';
+                  $output .= '<div class="span12">';
+
+                  $comment = $method->getDocComment();
+
+                  $comment = str_replace('/**', '', $comment);
+                  $comment = str_replace('*/', '', $comment);
+                  $comment = str_replace('[*', '<span class="restapi-param param-required">', $comment);
+                  $comment = str_replace('[', '<span class="restapi-param param-optional">', $comment);
+                  $comment = str_replace(']', '</span>', $comment);
+                  $comment = str_replace('{', '<span class="restapi-datatype">', $comment);
+                  $comment = str_replace('}', '</span>', $comment);
+                  $comment = str_replace('*', '', $comment);
+                  //$comment = str_replace( '<br><br>', '', $comment );
+
+                  $output .= trim($comment);
+
+                  $output .= '</div>';
+                  $output .= '</div>';
+                  $output .= '<br/>';
+                  $output .= '</section>';
+               }
             }
         }
 
-        $this->footer();
+        $output .= $this->footer();
 
-        exit;
+        return $output;
     }
 
     public function header()
     {
-        ?>
-
-        <!DOCTYPE html>
-        <html>
-            <head>
-                <title>API Plugin to phpList</title>
-                <!-- Bootstrap -->
-                <link href="http://netdna.bootstrapcdn.com/bootswatch/2.1.1/cerulean/bootstrap.min.css" rel="stylesheet" media="screen">
-            </head>
-            <body>
-                <div class="container">
-
-                    <p>&nbsp;</p>
+        return '
 
                     <header class="jumbotron subhead" id="overview">
                         <div class="row">
-                            <div class="span6">
+                            <div class="xspan6">
                                 <h1>API Plugin to phpList</h1>
-                                <p class="lead">Documentation generated <?php echo date('Y-m-d H:i:s');
-        ?></p>
+                                <p class="lead">Documentation generated '. date('Y-m-d H:i:s').'
+        </p>
                             </div>
                         </div>
                     </header>
                     <div class="row">
-                        <div class="span12">
+                        <div class="xspan12">
                             <div class="well">
                                 The following methods is called by Body Param [cmd] to the plugin URL via request method POST.
                                 <p>
-                                    <span class="label label-warning">Required body parameter</span><br/>
-                                    <span class="label label-success">Optional body parameter</span><br/>
-                                    <span class="badge">Datatype</span><br/>
+                                    <span class="restapi-param param-required">Required body parameter</span><br/>
+                                    <span class="restapi-param param-optional">Optional body parameter</span><br/>
+                                    <span class="restapi-datatype">Datatype</span><br/>
                                 </p>
                             </div>
                         </div>
                     </div>
-        <?php
+        ';
 
     }
 
     public function footer()
     {
-        ?>
+        return '
                   <footer id="footer">
                       <p class="pull-right"><a href="#">Back to top</a></p>
                   </footer>
-                </div>
-            </body>
-        </html>
 
-        <?php
+
+        ';
 
     }
 }