add some extra checks to avoid remote subscriptions to local users

darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz
This commit is contained in:
Evan Prodromou 2008-11-18 13:06:44 -05:00
parent 67340ce11c
commit a179a816b5
3 changed files with 33 additions and 0 deletions

View File

@ -80,6 +80,11 @@ class FinishremotesubscribeAction extends Action {
return; return;
} }
if ($profile_url == common_local_url('showstream', array('nickname' => $nickname))) {
common_user_error(_('You can use the local subscription!'));
return;
}
common_debug('listenee: "'.$omb['listenee'].'"', __FILE__); common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
$user = User::staticGet('nickname', $omb['listenee']); $user = User::staticGet('nickname', $omb['listenee']);
@ -89,6 +94,13 @@ class FinishremotesubscribeAction extends Action {
return; return;
} }
$other = User::staticGet('uri', $omb['listener']);
if ($other) {
common_user_error(_('You can use the local subscription!'));
return;
}
$fullname = $req->get_parameter('omb_listener_fullname'); $fullname = $req->get_parameter('omb_listener_fullname');
$homepage = $req->get_parameter('omb_listener_homepage'); $homepage = $req->get_parameter('omb_listener_homepage');
$bio = $req->get_parameter('omb_listener_bio'); $bio = $req->get_parameter('omb_listener_bio');

View File

@ -130,6 +130,13 @@ class RemotesubscribeAction extends Action {
return; return;
} }
if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) ==
common_local_url('requesttoken'))
{
$this->show_form(_('That\'s a local profile! Login to subscribe.'));
return;
}
list($token, $secret) = $this->request_token($omb); list($token, $secret) = $this->request_token($omb);
if (!$token || !$secret) { if (!$token || !$secret) {

View File

@ -415,6 +415,12 @@ class UserauthorizationAction extends Action {
if (strlen($listenee) > 255) { if (strlen($listenee) > 255) {
throw new OAuthException("Listenee URI '$listenee' too long"); throw new OAuthException("Listenee URI '$listenee' too long");
} }
$other = User::staticGet('uri', $listenee);
if ($other) {
throw new OAuthException("Listenee URI '$listenee' is local user");
}
$remote = Remote_profile::staticGet('uri', $listenee); $remote = Remote_profile::staticGet('uri', $listenee);
if ($remote) { if ($remote) {
$sub = new Subscription(); $sub = new Subscription();
@ -434,6 +440,11 @@ class UserauthorizationAction extends Action {
if (!common_valid_http_url($profile)) { if (!common_valid_http_url($profile)) {
throw new OAuthException("Invalid profile URL '$profile'."); throw new OAuthException("Invalid profile URL '$profile'.");
} }
if ($profile == common_local_url('showstream', array('nickname' => $nickname))) {
throw new OAuthException("Profile URL '$profile' is for a local user.");
}
$license = $req->get_parameter('omb_listenee_license'); $license = $req->get_parameter('omb_listenee_license');
if (!common_valid_http_url($license)) { if (!common_valid_http_url($license)) {
throw new OAuthException("Invalid license URL '$license'."); throw new OAuthException("Invalid license URL '$license'.");
@ -476,6 +487,9 @@ class UserauthorizationAction extends Action {
if ($callback && !common_valid_http_url($callback)) { if ($callback && !common_valid_http_url($callback)) {
throw new OAuthException("Invalid callback URL '$callback'"); throw new OAuthException("Invalid callback URL '$callback'");
} }
if ($callback && $callback == common_local_url('finishremotesubscribe')) {
throw new OAuthException("Callback URL '$callback' is for local site.");
}
} }
# Snagged from OAuthServer # Snagged from OAuthServer