From a179a816b589d8fc097c7fff068dbe5b053e9e27 Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Tue, 18 Nov 2008 13:06:44 -0500
Subject: [PATCH] add some extra checks to avoid remote subscriptions to local users

darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz
---
 actions/finishremotesubscribe.php | 12 ++++++++++++
 actions/remotesubscribe.php | 7 +++++++
 actions/userauthorization.php | 14 ++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php
index ae62fe4b32..cacf545b5f 100644
--- a/actions/finishremotesubscribe.php
+++ b/actions/finishremotesubscribe.php
@@ -80,6 +80,11 @@ class FinishremotesubscribeAction extends Action {
             return;
         }
 
+        if ($profile_url == common_local_url('showstream', array('nickname' => $nickname))) {
+            common_user_error(_('You can use the local subscription!'));
+            return;
+        }
+
         common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
 
         $user = User::staticGet('nickname', $omb['listenee']);
@@ -89,6 +94,13 @@ class FinishremotesubscribeAction extends Action {
             return;
         }
 
+        $other = User::staticGet('uri', $omb['listener']);
+
+        if ($other) {
+            common_user_error(_('You can use the local subscription!'));
+            return;
+        }
+
         $fullname = $req->get_parameter('omb_listener_fullname');
         $homepage = $req->get_parameter('omb_listener_homepage');
         $bio = $req->get_parameter('omb_listener_bio');
diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php
index 7137b42a26..2c932178fa 100644
--- a/actions/remotesubscribe.php
+++ b/actions/remotesubscribe.php
@@ -130,6 +130,13 @@ class RemotesubscribeAction extends Action {
             return;
         }
 
+        if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) ==
+            common_local_url('requesttoken'))
+        {
+            $this->show_form(_('That\'s a local profile! Login to subscribe.'));
+            return;
+        }
+
         list($token, $secret) = $this->request_token($omb);
 
         if (!$token || !$secret) {
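Review bot: The local-user check at the top of the first finishremotesubscribe.php hunk only rejects a profile URL that is byte-equal to the showstream URL of `$nickname`, so a profile URL naming any other local nickname, or the same URL with a trailing slash, a differently-cased host or an appended query string, is not recognised as local and execution continues into the remote-profile path below it. The second hunk's `User::staticGet('uri', $omb['listener'])` is the sturdier shape because it resolves the URI against the database instead of comparing one canonical string; the profile-URL test would be more robust if it decided "local" by parsing the URL with `parse_url()` and comparing its host against the site's own host, with `===` for whatever string comparison remains. The same exact-match pattern appears in the remotesubscribe.php hunk (`omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) == common_local_url('requesttoken')`) and in the second and third hunks of actions/userauthorization.php (profile URL and callback URL). `$nickname` and `$profile_url` are assigned before the first hunk, so whether `$nickname` is the authenticated listener's nickname or a request-supplied value cannot be confirmed from here; the enclosing method starts and ends outside the hunks.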
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 680f55094c..11e2d71359 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -415,6 +415,12 @@ class UserauthorizationAction extends Action {
         if (strlen($listenee) > 255) {
             throw new OAuthException("Listenee URI '$listenee' too long");
         }
+
+        $other = User::staticGet('uri', $listenee);
+        if ($other) {
+            throw new OAuthException("Listenee URI '$listenee' is local user");
+        }
+
         $remote = Remote_profile::staticGet('uri', $listenee);
         if ($remote) {
             $sub = new Subscription();
@@ -434,6 +440,11 @@ class UserauthorizationAction extends Action {
         if (!common_valid_http_url($profile)) {
             throw new OAuthException("Invalid profile URL '$profile'.");
         }
+
+        if ($profile == common_local_url('showstream', array('nickname' => $nickname))) {
+            throw new OAuthException("Profile URL '$profile' is for a local user.");
+        }
+
         $license = $req->get_parameter('omb_listenee_license');
         if (!common_valid_http_url($license)) {
             throw new OAuthException("Invalid license URL '$license'.");
@@ -476,6 +487,9 @@ class UserauthorizationAction extends Action {
         if ($callback && !common_valid_http_url($callback)) {
             throw new OAuthException("Invalid callback URL '$callback'");
         }
+        if ($callback && $callback == common_local_url('finishremotesubscribe')) {
+            throw new OAuthException("Callback URL '$callback' is for local site.");
+        }
     }
 
 # Snagged from OAuthServer
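Review bot: The new rejection of a local listenee in the first hunk carries no comment saying why a local user arriving over OMB is an error rather than a subscription to redirect, which a later reader of `User::staticGet('uri', $listenee)` sitting next to the `Remote_profile` lookup will otherwise have to reconstruct from the other files in this commit. A one-line comment above it would settle that: `# Our own users must not be subscribed to via OMB; the local subscription path exists for that.` The same sentence fits above the profile-URL check in the second hunk and the callback check in the third. As a matter of style, `$other` is only ever tested, so `if (User::staticGet('uri', $listenee)) {` reads more directly, and the three new throws could share the wording of the existing ones (they currently mix "is local user" and "is for a local user."). The validation method these checks belong to begins before the first hunk.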