steffentchr · December 15, 2016 22:52
diff --git a/custom-protection-with-twentythree.php b/custom-protection-with-twentythree.php
 <?php
  require_once('visualvideo.php');
  header("Cache-Control: no-store, no-cache, must-revalidate");
  header("Content-Type: application/javascript");

  function getProtectedToken($objectType, $objectId) {
    // Fix: The result of this method should be cached and reused with memcached or similar
    // Fix: The client should be loaded as a global outside of the function
    $client = new VisualVideo('http://mydomain.23video.com', 
                              $consumerKey, 
                              $consumerSecret,
                              $accessToken, 
                              $accessTokenSecret);
    if($objectType=="live") {
      $endpoint = '/api/live/list';
      $parameterKey = 'live_id';
      $arrayKey = 'live';
    } else {
      $endpoint = '/api/photo/list';
      $parameterKey = 'photo_id';
      $arrayKey = 'photos';
    }
  
    // Fix: A bit of extra error handling here would be good
    $response = json_decode($client->get($endpoint, array($parameterKey => $objectId, 'format' => 'json', 'raw' => 1)), true);
    // Also: The query above can be extended to include unpublished content if needed.
    //       In that case, extra care should be taken in managing access rights

    if( array_key_exists($arrayKey, $response) && sizeof($response[$arrayKey])>0) {
      $ret = $response[$arrayKey][0]['protected_token'];
    } else {
      $ret = "";
    }
    return($ret);
  }

  // Fix: Verify the type and content of the GET parameters.
  //      In this example, these are simply printed back to the client, so failure
  //      to validate could result in XSS issues.
  $callback = $_GET["callback"];
  $object_type = $_GET["object_type"];
  $object_id = $_GET["object_id"];
  $protected_token = getProtectedToken($object_type, $object_id);
  if($protected_token) {
    $result = array('status'=>'ok', 'protectedtoken'=>array('object_id'=>$object_id, 'object_type'=>$object_type, 'protected_token'=>$protected_token));
  } else {
    $result = array('status'=>'error', 'message'=>'You do not have access to this video.');
  }
  $json_result = json_encode($result);
  echo($callback . '(' . $json_result . ');');
 ?>
	<?php
	require_once('visualvideo.php');
	header("Cache-Control: no-store, no-cache, must-revalidate");
	header("Content-Type: application/javascript");

	function getProtectedToken($objectType, $objectId) {
	// Fix: The result of this method should be cached and reused with memcached or similar
	// Fix: The client should be loaded as a global outside of the function
	$client = new VisualVideo('http://mydomain.23video.com',
	$consumerKey,
	$consumerSecret,
	$accessToken,
	$accessTokenSecret);
	if($objectType=="live") {
	$endpoint = '/api/live/list';
	$parameterKey = 'live_id';
	$arrayKey = 'live';
	} else {
	$endpoint = '/api/photo/list';
	$parameterKey = 'photo_id';
	$arrayKey = 'photos';
	}

	// Fix: A bit of extra error handling here would be good
	$response = json_decode($client->get($endpoint, array($parameterKey => $objectId, 'format' => 'json', 'raw' => 1)), true);
	// Also: The query above can be extended to include unpublished content if needed.
	// In that case, extra care should be taken in managing access rights

	if( array_key_exists($arrayKey, $response) && sizeof($response[$arrayKey])>0) {
	$ret = $response[$arrayKey][0]['protected_token'];
	} else {
	$ret = "";
	}
	return($ret);
	}

	// Fix: Verify the type and content of the GET parameters.
	// In this example, these are simply printed back to the client, so failure
	// to validate could result in XSS issues.
	$callback = $_GET["callback"];
	$object_type = $_GET["object_type"];
	$object_id = $_GET["object_id"];
	$protected_token = getProtectedToken($object_type, $object_id);
	if($protected_token) {
	$result = array('status'=>'ok', 'protectedtoken'=>array('object_id'=>$object_id, 'object_type'=>$object_type, 'protected_token'=>$protected_token));
	} else {
	$result = array('status'=>'error', 'message'=>'You do not have access to this video.');
	}
	$json_result = json_encode($result);
	echo($callback . '(' . $json_result . ');');
	?>