Diffstat (limited to 'public.php')
-rw-r--r--public.php32
1 files changed, 22 insertions, 10 deletions
diff --git a/public.php b/public.php
index 36308e25e..28f95d0a9 100644
--- a/public.php
+++ b/public.php
@@ -1,14 +1,11 @@
<?php
- set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .
+ set_include_path(__DIR__ ."/include" . PATH_SEPARATOR .
get_include_path());
require_once "autoload.php";
require_once "sessions.php";
require_once "functions.php";
require_once "sanity_check.php";
- require_once "config.php";
- require_once "db.php";
- require_once "db-prefs.php";
startup_gettext();
@@ -16,11 +13,18 @@
if (!init_plugins()) return;
- if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {
- ob_start("ob_gzhandler");
- }
+ $method = (string)clean($_REQUEST["op"]);
+
+ // shortcut syntax for public (exposed) methods (?op=plugin--pmethod&...params)
+ if (strpos($method, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) {
+ list ($plugin, $pmethod) = explode(PluginHost::PUBLIC_METHOD_DELIMITER, $method, 2);
- $method = $_REQUEST["op"];
+ // TODO: better implementation that won't modify $_REQUEST
+ $_REQUEST["plugin"] = $plugin;
+ $_REQUEST["pmethod"] = $pmethod;
+
+ $method = "pluginhandler";
+ }
$override = PluginHost::getInstance()->lookup_handler("public", $method);
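Review bot: The shortcut branch sets `$method = "pluginhandler"` before the leading-underscore refusal added further down in this commit, so that refusal never inspects `$pmethod`. Whether the pluginhandler path applies an equivalent restriction to `$_REQUEST["pmethod"]` is not visible in this diff. If it does not, the two halves split out of `op` should be validated here before they are written into `$_REQUEST`, by applying the same `strpos($pmethod, "_") === 0` refusal and rejecting an empty `$plugin` or `$pmethod`. Separately, `$_REQUEST["op"]` is read without a default, so a request with no `op` raises an undefined-key notice (a warning on PHP 8); `$method = (string)clean($_REQUEST["op"] ?? "");` avoids that.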
@@ -30,6 +34,13 @@
$handler = new Handler_Public($_REQUEST);
}
+ if (strpos($method, "_") === 0) {
+ user_error("Refusing to invoke method $method which starts with underscore.", E_USER_WARNING);
+ header("Content-Type: text/json");
+ print Errors::to_json(Errors::E_UNAUTHORIZED);
+ return;
+ }
+
if (implements_interface($handler, "IHandler") && $handler->before($method)) {
if ($method && method_exists($handler, $method)) {
$reflection = new ReflectionMethod($handler, $method);
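Review bot: The new refusal branch passes the request-derived `$method` straight into `user_error(...)`, and `clean()` is not shown here, so it is unclear whether line breaks or control characters are stripped before the value reaches the log. Logging an encoded form keeps one request to one log line: `user_error("Refusing to invoke method " . json_encode($method) . " which starts with underscore.", E_USER_WARNING);`. Also, `text/json` is not a registered media type; `header("Content-Type: application/json");` is the standard value, here and in the required-parameters branch of the next hunk. This check also runs only after the handler has been looked up and constructed; moving it directly after `$method` is finalised would reject the request before any handler code runs.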
@@ -37,8 +48,9 @@
if ($reflection->getNumberOfRequiredParameters() == 0) {
$handler->$method();
} else {
+ user_error("Refusing to invoke method $method which has required parameters.", E_USER_WARNING);
header("Content-Type: text/json");
- print error_json(6);
+ print Errors::to_json(Errors::E_UNAUTHORIZED);
}
} else if (method_exists($handler, 'index')) {
$handler->index();
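Review bot: Dispatch in this hunk is still gated only by `method_exists()` and the required-parameter count, and `method_exists()` also returns true for protected and private methods. A name without a leading underscore that matches a non-public method therefore reaches `$handler->$method()` and fails with an uncaught Error instead of the JSON refusal. The `$reflection` object is already available, so the condition can require visibility explicitly: `if ($reflection->isPublic() && !$reflection->isStatic() && $reflection->getNumberOfRequiredParameters() == 0) {`. More generally, the underscore prefix is a naming-convention denylist; an explicit allowlist of exposed method names on the handler would make the public surface auditable.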
@@ -48,5 +60,5 @@
}
header("Content-Type: text/plain");
- print error_json(13);
+ print Errors::to_json(Errors::E_UNKNOWN_METHOD);
?>