Check for read vs. read-write access on OAuth authenticated API methods.

This commit is contained in:
Zach Copley 2010-01-14 02:16:03 +00:00
parent c2c930a855
commit 1f8ddf716d
2 changed files with 25 additions and 0 deletions


@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
class ApiAction extends Action
{
const READ_ONLY = 1;
const READ_WRITE = 2;
var $format = null;
var $user = null;
var $auth_user = null;
@ -62,6 +65,8 @@ class ApiAction extends Action
var $since_id = null;
var $since = null;
var $access = self::READ_ONLY; // read (default) or read-write
/**
* Initialization.
*
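Review bot: The comment on `var $access = self::READ_ONLY;` says what the two values are but not why read-only is the default, which is the security-relevant part: a request that never passes an authentication step keeps the lower privilege. Suggest replacing it with `// Fail closed: stays READ_ONLY until an auth check explicitly grants READ_WRITE`. The `READ_ONLY`/`READ_WRITE` constants in the first hunk would also benefit from a one-line docblock stating that they are compared by `ApiAuthAction` before write methods are dispatched, so a later maintainer does not repurpose them as a bitmask; the class body continues outside this hunk.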


@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
$this->checkOAuthRequest();
} else {
$this->checkBasicAuthUser();
// By default, all basic auth users have read and write access
$this->access = self::READ_WRITE;
}
}
return true;
}
function handle($args)
{
parent::handle($args);
if ($this->isReadOnly($args) == false) {
if ($this->access == self::READ_ONLY) {
$this->clientError(_('API method requires write access.'), 401);
exit();
}
}
}
function checkOAuthRequest()
{
common_debug("We have an OAuth request.");
@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
if ($this->oauth_access_type != 0) {
// Set the read or read-write access for the api call
$this->access = ($appUser->access_type & Oauth_application::$writeAccess)
? self::READ_WRITE : self::READ_ONLY;
$this->auth_user = User::staticGet('id', $appUser->profile_id);
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
exit;
}
}
return true;
}
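Review bot: The write-access check added in `handle()` is only enforced when a subclass chains to `parent::handle($args)`, so an API action that overrides `handle()` without calling the parent skips the check entirely; placing it at the end of `prepare()`, right after `checkBasicAuthUser()`/`checkOAuthRequest()` have set `$this->access` (that method starts outside the first hunk), would keep authentication and the authorization decision in one place, although a subclass overriding `prepare()` carries the same obligation. Whether `isReadOnly()` returns `false` for actions that do not override it is not visible here; if its default were `true`, an unmarked write method would never reach the `$this->access` comparison, so that default is worth confirming in `Action`. Style-wise, `if ($this->isReadOnly($args) == false)` reads more clearly as `if (!$this->isReadOnly($args))`, and the comparison with `self::READ_ONLY` can use `===` since both sides are ints. Since the credentials were accepted and only the granted scope is insufficient, a 403 describes the refusal better than the 401 used in `clientError(...)`, which tells clients to retry with different credentials; the rest of `checkOAuthRequest()` lies between the hunks.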