From 16557465e43e7a18a9917592de2f9e70ced96b54 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Thu, 15 Aug 2013 08:58:50 +0200
Subject: [PATCH 1/2] Added: getuserbalance API call

* Adds getbalance to API
* Admins: Can fetch any users balance
* Users: Can fetch only their own balance

Fixes #605
---
 .../include/pages/api/getuserbalance.inc.php | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 public/include/pages/api/getuserbalance.inc.php

diff --git a/public/include/pages/api/getuserbalance.inc.php b/public/include/pages/api/getuserbalance.inc.php
new file mode 100644
index 00000000..9b765ce7
--- /dev/null
+++ b/public/include/pages/api/getuserbalance.inc.php
@@ -0,0 +1,28 @@
+isActive();
+
+// Check user token
+$user_id = $user->checkApiKey($_REQUEST['api_key']);
+
+// We have to check if that user is admin too
+if ( ! $user->isAdmin($user_id) && ($_REQUEST['id'] != $user_id && !empty($_REQUEST['id']))) {
+ header("HTTP/1.1 401 Unauthorized");
+ die("Access denied");
+} else if ($user->isAdmin($user_id)) {
+ $id = $_REQUEST['id'];
+ ctype_digit($_REQUEST['id']) ? $id = $_REQUEST['id'] : $id = $user->getUserId($_REQUEST['id']);
+} else {
+ $id = $user_id;
+}
+
+// Output JSON format
+echo json_encode(array('getuserbalance' => $transaction->getBalance($id)));
+
+// Supress master template
+$supress_master = 1;
+?>

From 59bd71c75d49b5d29592faf67240f0607de156cb Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Mon, 19 Aug 2013 09:59:41 +0200
Subject: [PATCH 2/2] Fixing admin requests

Fixes #605
---
 public/include/pages/api/getuserbalance.inc.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/include/pages/api/getuserbalance.inc.php b/public/include/pages/api/getuserbalance.inc.php
index 9b765ce7..76462c00 100644
--- a/public/include/pages/api/getuserbalance.inc.php
+++ b/public/include/pages/api/getuserbalance.inc.php
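Review bot: The authorization `if` reads `$_REQUEST['id']` before testing whether it is set, so a request without `id` emits an undefined-index notice on that line; reordering the condition avoids it while keeping the same outcome, `if ( ! $user->isAdmin($user_id) && !empty($_REQUEST['id']) && $_REQUEST['id'] != $user_id) {`. The `!=` comparison is loose, so a non-numeric `id` such as `5x` compares equal to a numeric `$user_id` under PHP's string-to-number rules; that does not widen access here because the non-admin `else` branch always uses `$user_id`, but casting with `(int)` would make the intent explicit. In the admin branch the non-digit form passes `$user->getUserId($_REQUEST['id'])` straight to `getBalance($id)` with no check, so an unknown username presumably (the helper is not visible) yields `false` as the id and a query against it rather than a 400/404 response. The first seven lines of the new file, up to the `$api->isActive();` call, are lost in this rendering and cannot be reviewed here.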
@@ -9,11 +9,13 @@ $api->isActive();
 // Check user token
 $user_id = $user->checkApiKey($_REQUEST['api_key']);
+echo $user_id;
+
 
 // We have to check if that user is admin too
 if ( ! $user->isAdmin($user_id) && ($_REQUEST['id'] != $user_id && !empty($_REQUEST['id']))) {
 header("HTTP/1.1 401 Unauthorized");
 die("Access denied");
-} else if ($user->isAdmin($user_id)) {
+} else if ($user->isAdmin($user_id) && !empty($_REQUEST['id'])) {
 $id = $_REQUEST['id'];
 ctype_digit($_REQUEST['id']) ? $id = $_REQUEST['id'] : $id = $user->getUserId($_REQUEST['id']);
 } else {
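Review bot: The added `echo $user_id;` looks like leftover debug output: it writes the authenticated caller's id into the response body before the `json_encode` output later in the file, so the endpoint returns something like `5{"getuserbalance":...}`, which is not valid JSON and also exposes the internal id to every client. Drop the two added lines `echo $user_id;` and the blank line after it. The `else if` change itself is correct: an admin calling without `id` now falls through to `$id = $user_id;` instead of passing an empty `$_REQUEST['id']` to `getUserId()`. The if/else chain continues past the end of the hunk.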