From a063bb43a85afb987e6678274fdfe0b19b7b1279 Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Fri, 13 Feb 2015 01:19:59 +0100 Subject: [PATCH] EndSetApiUser will always contain a User --- EVENTS.txt | 4 ++-- lib/apiauthaction.php | 44 +++++++++++++++++++++++-------------------- 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/EVENTS.txt b/EVENTS.txt index 197b8afe6f..8f094d1643 100644 --- a/EVENTS.txt +++ b/EVENTS.txt @@ -627,10 +627,10 @@ EndSetUser: After setting the currently logged in user - $user: user StartSetApiUser: Before setting the current API user -- $user: user +- &$user: user, can be set during event handling (return false to stop processing) EndSetApiUser: After setting the current API user -- $user: user +- $user: user, only called if this is an actual user StartHasRole: Before determing if the a profile has a given role - $profile: profile in question diff --git a/lib/apiauthaction.php b/lib/apiauthaction.php index 92e35695ef..2eca6b6467 100644 --- a/lib/apiauthaction.php +++ b/lib/apiauthaction.php @@ -212,21 +212,25 @@ class ApiAuthAction extends ApiAction // Set the auth user if (Event::handle('StartSetApiUser', array(&$user))) { $user = User::getKV('id', $appUser->profile_id); - if (!empty($user)) { - if (!$user->hasRight(Right::API)) { - // TRANS: Authorization exception thrown when a user without API access tries to access the API. - throw new AuthorizationException(_('Not allowed to use API.')); - } + } + if ($user instanceof User) { + if (!$user->hasRight(Right::API)) { + // TRANS: Authorization exception thrown when a user without API access tries to access the API. + throw new AuthorizationException(_('Not allowed to use API.')); } $this->auth_user = $user; - // FIXME: setting the value returned by common_current_user() - // There should probably be a better method for this. common_set_user() - // does lots of session stuff. - global $_cur; - $_cur = $this->auth_user; - Event::handle('EndSetApiUser', array($user)); + Event::handle('EndSetApiUser', array($this->auth_user)); + } else { + // If $user is not a real User, let's force it to null. + $this->auth_user = null; } + // FIXME: setting the value returned by common_current_user() + // There should probably be a better method for this. common_set_user() + // does lots of session stuff. + global $_cur; + $_cur = $this->auth_user; + $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . "application '%s' (id: %d) with %s access."; @@ -297,17 +301,17 @@ class ApiAuthAction extends ApiAction $user = common_check_user($this->auth_user_nickname, $this->auth_user_password); - if (Event::handle('StartSetApiUser', array(&$user))) { - - if ($user instanceof User) { - if (!$user->hasRight(Right::API)) { - // TRANS: Authorization exception thrown when a user without API access tries to access the API. - throw new AuthorizationException(_('Not allowed to use API.')); - } - $this->auth_user = $user; + Event::handle('StartSetApiUser', array(&$user)); + if ($user instanceof User) { + if (!$user->hasRight(Right::API)) { + // TRANS: Authorization exception thrown when a user without API access tries to access the API. + throw new AuthorizationException(_('Not allowed to use API.')); } + $this->auth_user = $user; - Event::handle('EndSetApiUser', array($user)); + Event::handle('EndSetApiUser', array($this->auth_user)); + } else { + $this->auth_user = null; } // By default, basic auth users have rw access