From e7daa6762813709deccdaec1c2ba944dd2640e76 Mon Sep 17 00:00:00 2001
From: Rudi Grinberg
Date: Tue, 17 Jul 2012 13:52:24 -0400
Subject: [PATCH] cc-4105: Made reloadMetadataGroupAction safer by validating input
---
 .../application/controllers/ApiController.php | 16 ++++++++++------
 python_apps/api_clients/api_client.py | 4 ++--
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/airtime_mvc/application/controllers/ApiController.php b/airtime_mvc/application/controllers/ApiController.php
index 45ae48b6d..d0ae4a568 100644
--- a/airtime_mvc/application/controllers/ApiController.php
+++ b/airtime_mvc/application/controllers/ApiController.php
@@ -538,30 +538,34 @@ class ApiController extends Zend_Controller_Action
 // The key does not have any meaning as of yet but it could potentially correspond
 // to some unique id.
 $responses = array();
+ $params = $request->getParams();
+ die( json_encode($params) );
 foreach ($request->getParams() as $k => $raw_json) {
+ if( !preg_match('/^md\d+$/', $k) ) { continue; }
 $info_json = json_decode($raw_json, $assoc=true);
 if( !array_key_exists('mode', $info_json) ) {
 Logging::log("Received bad request, no 'mode' parameter. Bad request is:");
 Logging::log( $info_json );
+ array_push( $responses, array('error' => "Bad request. no 'mode' parameter passed.") );
 continue;
 }
+ Logging::log("we got here mang");
+ die( json_encode('damn straight') );
 $mode = $info_json['mode'];
 unset( $info_json['mode'] );
 // TODO : remove the $dry_run parameter after finished testing
 $response = $this->dispatchMetadataAction($info_json, $info_json['mode'], $dry_run=true);
 array_push($responses, $response);
- // Like wise, remove the following line when done
 // On recorded show requests we do some extra work here. Not sure what it actually is and it
- // was usually called from the python api
- if( $info_json['is_record'] ) {
- // TODO : must check for error in $response before proceeding...
+ // was usually called from the python api. Now we just call it straight from the controller to
+ // save the http roundtrip
+ if( $info_json['is_record'] and !array_key_exists('error', $response) ) {
 $this->uploadRecordedActionParam($info_json['showinstanceid'],$info_json['fileid']);
 }
 // TODO : Remove this line when done debugging
 Logging::log( $info_json );
-
 }
- die(json_encode( array('successes' => 19, 'fails' => 123) ));
+ die( json_encode($responses) );
 }
 
 public function reloadMetadataAction()
diff --git a/python_apps/api_clients/api_client.py b/python_apps/api_clients/api_client.py
index 4d03d8ff2..938f55250 100644
--- a/python_apps/api_clients/api_client.py
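Review bot: The two added exits, `die( json_encode($params) );` ahead of the `foreach` and `die( json_encode('damn straight') );` after the 'mode' check, end the request before the new `md\d+` key filter or the dispatch can run, and the first one echoes every request parameter back to the caller (an API key would go with it if it is sent as a parameter). Drop both, together with `Logging::log("we got here mang");`, so the validation this commit adds is actually reachable. Once it is reachable, `json_decode` returns null for malformed JSON, so guard the next line with `if( !is_array($info_json) ) { array_push( $responses, array('error' => 'Bad request. Invalid JSON.') ); continue; }`. The dispatch call also still passes `$info_json['mode']` after that key was `unset`; `$mode` looks like the intended argument. The action's body starts above this hunk, so how `$request` is obtained is not visible here.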
+++ b/python_apps/api_clients/api_client.py
@@ -397,8 +397,8 @@ class AirtimeApiClient():
 action['is_record'] = True
 else: action['is_record'] = False
 valid_actions.append(action)
-
- md_list = dict((i, json.dumps(convert_dict_value_to_utf8(md))) for i,md in enumerate(valid_actions))
+ # Note that we must prefix every key with: mdX where x is a number
+ md_list = dict((("md%d" % i), json.dumps(convert_dict_value_to_utf8(md))) for i,md in enumerate(valid_actions))
 data = urllib.urlencode(md_list)
 req = urllib2.Request(url, data)
 response = self.get_response_from_server(req)
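Review bot: The added comment above `md_list` says what the keys look like but not why, and the reason is a contract with the server. The PHP side of this same patch skips any parameter whose name does not match `/^md\d+$/` without recording an error, so a key that drifts from this format would be dropped silently and the client would get back fewer responses than actions. I would word the comment as `# Keys must match /^md\d+$/: ApiController.php ignores any other POST parameter`. The enclosing method starts and ends outside this hunk.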