Version 3.0 API

So unless you create a new API we are screwed. Are the blocked requests only remote ones, or does it include local ones (like those made with a local PHP script)?

The system now asks for auth_token, which is compared to the current session, and the tokens must match or else the request is denied. This has been done in such a way to avoid any kind of malicious attacks that could cause unattended actions like deleting images, albums, etc. So if you don't provide a valid request token you won't do anything.

I would like to add that the complaints against the API seem to have lost the nature of what API means: Application programmable interface. It is not something that non-developers should play with, and I removed the default one because it didn't have any security or request logging to avoid things like massive abuse of the system and other bad practices.

So the deal here is that the old API was used pretty much just to upload pictures. Well, if you notice the route.json.php file from 3.X, uploading anything is pretty easy:
Code:
http://demo.chevereto.com/json/?action=upload&type=<url|file>&source=<source>

Along with several other kinds of actions for everything you can imagine.

Making a custom API for V3 is just copying route.json.php into routes/overrides as route.myapi.php and then removing this:
PHP:
        // CSRF protection
        if(!$handler::checkAuthToken($_REQUEST['auth_token'])) {
            throw new Exception(_s('Request denied'), 400);
        }

Not recommended but still.
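
An added example (not part of the original post and not Chevereto's code) of what a session-bound token check like the one above does, next to an API-key check that a custom route could use in place of the removed CSRF check. The function names, the array standing in for the session and the key list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not Chevereto code; all names here are hypothetical.

// Issue one random token per session; the server embeds it in the pages it renders.
function issue_auth_token(array &$session): string
{
    if (empty($session['auth_token'])) {
        $session['auth_token'] = bin2hex(random_bytes(32));
    }
    return $session['auth_token'];
}

// Accept a request only if it echoes the token stored in its own session.
function check_auth_token(array $session, $supplied): bool
{
    // is_string() rejects arrays sent as ?auth_token[]=x before comparing.
    return is_string($supplied)
        && isset($session['auth_token'])
        && hash_equals($session['auth_token'], $supplied);
}

// For a session-less custom route: require a per-client key instead.
// $keyHashes holds SHA-256 hex digests, so raw keys are never stored.
function check_api_key(array $keyHashes, $supplied): bool
{
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    $digest = hash('sha256', $supplied);
    $ok = false;
    foreach ($keyHashes as $stored) {
        // Constant-time compare against every entry, no early exit.
        $ok = hash_equals($stored, $digest) || $ok;
    }
    return $ok;
}

// Constructed sample data.
$session = [];
$token = issue_auth_token($session);
var_dump(check_auth_token($session, $token));   // token from the same session
var_dump(check_auth_token($session, 'forged')); // token the session never issued
var_dump(check_auth_token($session, ['x']));    // array instead of a string
var_dump(check_auth_token([], $token));         // valid token, different session

$keys = [hash('sha256', 'constructed-demo-key')];
var_dump(check_api_key($keys, 'constructed-demo-key')); // known key
var_dump(check_api_key($keys, null));                   // key missing
```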
 
Very awesome, tested it out and works perfectly, Rodolfo great addition.
 
After some trials I did manage to make the extension work, but after upload I just get the code from the json function. Any suggestions on how to redirect people to the uploaded image?
 
Great to hear! Well, there are a few ways you can do this. To make it easier, you can use jQuery and parse out the data on success, and you can therefore use the parsed object (in this case url) to create your new tab as a redirection.
 
Thanks, I did read about it, but it's way out of my league. As you probably have already done it for your extension, could you share some code about this? Would be much appreciated and I'm sure will help several people like me.
 