diff --git a/application/controllers/Api.php b/application/controllers/Api.php index a31d3a5c..2eaf99a7 100644 --- a/application/controllers/Api.php +++ b/application/controllers/Api.php @@ -423,6 +423,8 @@ class API extends CI_Controller { $this->load->model('api_model'); + $this->load->model('stations'); + // Decode JSON and store $obj = json_decode(file_get_contents("php://input"), true); if ($obj === NULL) { @@ -436,6 +438,14 @@ class API extends CI_Controller { die(); } + $userid = $this->api_model->key_userid($obj['key']); + + if(!isset($obj['station_profile_id']) || $this->stations->check_station_against_user($obj['station_profile_id'], $userid) == false) { + http_response_code(401); + echo json_encode(['status' => 'failed', 'reason' => "station id does not belong to the API key owner."]); + die(); + } + $this->api_model->update_last_used($obj['key']); if($obj['type'] == "adif" && $obj['string'] != "") { diff --git a/application/models/Stations.php b/application/models/Stations.php index 364a6419..0639c743 100644 --- a/application/models/Stations.php +++ b/application/models/Stations.php @@ -423,6 +423,17 @@ class Stations extends CI_Model { return null; } } + + public function check_station_against_user($stationid, $userid) { + $this->db->select('station_id'); + $this->db->where('user_id', $userid); + $this->db->where('station_id', $stationid); + $query = $this->db->get('station_profile'); + if ($query->num_rows() == 1) { + return true; + } + return false; + } } ?>