authorAndrew Dolgov <[email protected]>2017-02-10 16:04:28 +0300
committerAndrew Dolgov <[email protected]>2017-02-10 16:04:28 +0300
commit4daaf234910cffab0d093e2168b3161e60bcf976 (patch)
tree9a0d8ddf911635316ad53af1f58724d82c7f5d25 /classes
parentfafd32e2dc98eeb3a159c29b12cee2d144ad243f (diff)
allow user plugins to expose public methods out in a limited fashion
Diffstat (limited to 'classes')
-rw-r--r--classes/handler/public.php34
-rw-r--r--classes/plugin.php4
2 files changed, 37 insertions, 1 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php
index c7c86d463..35f677f94 100644
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -1086,5 +1086,37 @@ class Handler_Public extends Handler {
return "tag:" . parse_url(get_self_url_prefix(), PHP_URL_HOST) . ",$timestamp:/$id";
}
+
+ // this should be used very carefully because this endpoint is exposed to unauthenticated users
+ // plugin data is not loaded because there's no user context and owner_uid/session may or may not be available
+ // in general, don't do anything user-related in here and do not modify $_SESSION
+ public function pluginhandler() {
+ $host = new PluginHost();
+
+ $plugin = basename($_REQUEST["plugin"]);
+ $method = $_REQUEST["pmethod"];
+
+ $host->load($plugin, PluginHost::KIND_USER, 0);
+ $host->load_data();
+
+ $pclass = $host->get_plugin($plugin);
+
+ if ($pclass) {
+ if (method_exists($pclass, $method)) {
+ if ($pclass->is_public_method($method)) {
+ $pclass->$method();
+ } else {
+ header("Content-Type: text/json");
+ print error_json(6);
+ }
+ } else {
+ header("Content-Type: text/json");
+ print error_json(13);
+ }
+ } else {
+ header("Content-Type: text/json");
+ print error_json(14);
+ }
+ }
}
-?>
+?> \ No newline at end of file
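Review bot: `pluginhandler()` passes the request-supplied plugin name to `$host->load()` and `$host->load_data()` before any check, so the `is_public_method()` allowlist gates only the final `$pclass->$method()` call and not which plugin code gets loaded for an unauthenticated request. PluginHost::load() is not visible here; if it includes and initialises the plugin, loading should be limited to plugins the administrator has enabled. Both parameters are also read without checking that they are present and are strings; a guard such as `if (!isset($_REQUEST["plugin"], $_REQUEST["pmethod"]) || !is_string($_REQUEST["plugin"]) || !is_string($_REQUEST["pmethod"])) { header("Content-Type: text/json"); print error_json(14); return; }` before `basename()` would cover that. The comment above the method says plugin data is not loaded, which does not match the `load_data()` call and should be reconciled.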
diff --git a/classes/plugin.php b/classes/plugin.php
index 01ac46bae..09204098b 100644
--- a/classes/plugin.php
+++ b/classes/plugin.php
@@ -22,6 +22,10 @@ class Plugin {
return array();
}
+ function is_public_method($method) {
+ return false;
+ }
+
function get_js() {
return "";
}
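Review bot: `is_public_method()` is the only barrier between an anonymous request and a plugin method, and it is added here without any documentation of that contract. The default `return false;` is the right deny-by-default, but plugin authors overriding it need to know that returning true makes the named method callable without authentication and without arguments. I would add a comment above it such as `// return true only for exact names of methods that are safe to call without a logged-in user; never return true unconditionally`. The Plugin class begins and ends outside this hunk.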