add some extra checks to avoid remote subscriptions to local users
darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz
This commit is contained in:
Evan Prodromou
parent
67340ce11c
commit
a179a816b5
@ -80,6 +80,11 @@ class FinishremotesubscribeAction extends Action {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($profile_url == common_local_url('showstream', array('nickname' => $nickname))) {
|
||||
common_user_error(_('You can use the local subscription!'));
|
||||
return;
|
||||
}
|
||||
|
||||
common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
|
||||
|
||||
$user = User::staticGet('nickname', $omb['listenee']);
|
||||
@ -89,6 +94,13 @@ class FinishremotesubscribeAction extends Action {
|
||||
return;
|
||||
}
|
||||
|
||||
$other = User::staticGet('uri', $omb['listener']);
|
||||
|
||||
if ($other) {
|
||||
common_user_error(_('You can use the local subscription!'));
|
||||
return;
|
||||
}
|
||||
|
||||
$fullname = $req->get_parameter('omb_listener_fullname');
|
||||
$homepage = $req->get_parameter('omb_listener_homepage');
|
||||
$bio = $req->get_parameter('omb_listener_bio');
|
||||
|
||||
@ -130,6 +130,13 @@ class RemotesubscribeAction extends Action {
|
||||
return;
|
||||
}
|
||||
|
||||
if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) ==
|
||||
common_local_url('requesttoken'))
|
||||
{
|
||||
$this->show_form(_('That\'s a local profile! Login to subscribe.'));
|
||||
return;
|
||||
}
|
||||
|
||||
list($token, $secret) = $this->request_token($omb);
|
||||
|
||||
if (!$token || !$secret) {
|
||||
|
||||
@ -415,6 +415,12 @@ class UserauthorizationAction extends Action {
|
||||
if (strlen($listenee) > 255) {
|
||||
throw new OAuthException("Listenee URI '$listenee' too long");
|
||||
}
|
||||
|
||||
$other = User::staticGet('uri', $listenee);
|
||||
if ($other) {
|
||||
throw new OAuthException("Listenee URI '$listenee' is local user");
|
||||
}
|
||||
|
||||
$remote = Remote_profile::staticGet('uri', $listenee);
|
||||
if ($remote) {
|
||||
$sub = new Subscription();
|
||||
@ -434,6 +440,11 @@ class UserauthorizationAction extends Action {
|
||||
if (!common_valid_http_url($profile)) {
|
||||
throw new OAuthException("Invalid profile URL '$profile'.");
|
||||
}
|
||||
|
||||
if ($profile == common_local_url('showstream', array('nickname' => $nickname))) {
|
||||
throw new OAuthException("Profile URL '$profile' is for a local user.");
|
||||
}
|
||||
|
||||
$license = $req->get_parameter('omb_listenee_license');
|
||||
if (!common_valid_http_url($license)) {
|
||||
throw new OAuthException("Invalid license URL '$license'.");
|
||||
@ -476,6 +487,9 @@ class UserauthorizationAction extends Action {
|
||||
if ($callback && !common_valid_http_url($callback)) {
|
||||
throw new OAuthException("Invalid callback URL '$callback'");
|
||||
}
|
||||
if ($callback && $callback == common_local_url('finishremotesubscribe')) {
|
||||
throw new OAuthException("Callback URL '$callback' is for local site.");
|
||||
}
|
||||
}
|
||||
|
||||
# Snagged from OAuthServer
|
||||
|
||||
Loading…
Reference in New Issue
Block a user