- Patch #214209 by Arancaytar, pwolanin, gabor, etc: blogapi doesn't confirm node type exist.

1 files changed, 33 insertions, 14 deletions

diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index cbe316249..40395a8c0 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -184,8 +184,13 @@ function blogapi_blogger_new_post($appkey, $blogid, $username, $password, $conte
     return blogapi_error($user);
   }
 
+  if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) {
+    // Return an error if not configured type.
+    return $error;
+  }
+
   $edit = array();
-  $edit['type'] = _blogapi_blogid($blogid);
+  $edit['type'] = $blogid;
   // get the node type defaults
   $node_type_default = variable_get('node_options_'. $edit['type'], array('status', 'promote'));
   $edit['uid'] = $user->uid;
@@ -327,12 +332,16 @@ function blogapi_blogger_get_recent_posts($appkey, $blogid, $username, $password
     return blogapi_error($user);
   }
 
-  $type = _blogapi_blogid($blogid);
+  if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) {
+    // Return an error if not configured type.
+    return $error;
+  }
+
   if ($bodies) {
-    $result = db_query_range("SELECT n.nid, n.title, r.body, r.format, n.comment, n.created, u.name FROM {node} n, {node_revisions} r, {users} u WHERE n.uid = u.uid AND n.vid = r.vid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC",  $type, $user->uid, 0, $number_of_posts);
+    $result = db_query_range("SELECT n.nid, n.title, r.body, r.format, n.comment, n.created, u.name FROM {node} n, {node_revisions} r, {users} u WHERE n.uid = u.uid AND n.vid = r.vid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC",  $blogid, $user->uid, 0, $number_of_posts);
   }
   else {
-    $result = db_query_range("SELECT n.nid, n.title, n.created, u.name FROM {node} n, {users} u WHERE n.uid = u.uid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC", $type, $user->uid, 0, $number_of_posts);
+    $result = db_query_range("SELECT n.nid, n.title, n.created, u.name FROM {node} n, {users} u WHERE n.uid = u.uid AND n.type = '%s' AND n.uid = %d ORDER BY n.created DESC", $blogid, $user->uid, 0, $number_of_posts);
   }
   $blogs = array();
   while ($blog = db_fetch_object($result)) {
@@ -381,8 +390,12 @@ function blogapi_metaweblog_new_media_object($blogid, $username, $password, $fil
  * associated with a blog node.
  */
 function blogapi_metaweblog_get_category_list($blogid, $username, $password) {
-  $type = _blogapi_blogid($blogid);
-  $vocabularies = module_invoke('taxonomy', 'get_vocabularies', $type, 'vid');
+  if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) {
+    // Return an error if not configured type.
+    return $error;
+  }
+
+  $vocabularies = module_invoke('taxonomy', 'get_vocabularies', $blogid, 'vid');
   $categories = array();
   if ($vocabularies) {
     foreach ($vocabularies as $vocabulary) {
@@ -685,13 +698,21 @@ function _blogapi_get_post($node, $bodies = TRUE) {
   return $xmlrpcval;
 }
 
-function _blogapi_blogid($id) {
-  if (is_numeric($id)) {
-    return 'blog';
-  }
-  else {
-    return $id;
+/**
+ * Validate blog ID, which maps to a content type in Drupal.
+ *
+ * Only content types configured to work with Blog API are supported.
+ *
+ * @return
+ *   TRUE if the content type is supported and the user has permission
+ *   to post, or a blogapi_error() XML construct otherwise.
+ */
+function _blogapi_validate_blogid($blogid) {
+  $types = _blogapi_get_node_types();
+  if (in_array($blogid, $types, TRUE)) {
+    return TRUE;
   }
+  return blogapi_error(t("Blog API module is not configured to support the %type content type, or you don't have sufficient permissions to post this type of content.", array('%type' => $blogid)));
 }
 
 function _blogapi_get_node_types() {
@@ -705,5 +726,3 @@ function _blogapi_get_node_types() {
 
   return $types;
 }
-
-