API notice access was not access restricted

This commit is contained in:
Mikael Nordfeldth 2015-01-31 16:27:21 +01:00
parent c7dd595984
commit eff3256f59
2 changed files with 9 additions and 13 deletions


@ -34,9 +34,7 @@
* @link http://status.net/ * @link http://status.net/
*/ */
if (!defined('STATUSNET')) { if (!defined('GNUSOCIAL')) { exit(1); }
exit(1);
}
/** /**
* Returns the notice specified by id as a Twitter-style status and inline user * Returns the notice specified by id as a Twitter-style status and inline user
@ -65,7 +63,7 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction
* *
* @return boolean success flag * @return boolean success flag
*/ */
function prepare($args) protected function prepare(array $args=array())
{ {
parent::prepare($args); parent::prepare($args);
@ -76,12 +74,12 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction
$this->notice_id = (int)$this->trimmed('id'); $this->notice_id = (int)$this->trimmed('id');
if (empty($notice_id)) { $this->notice = Notice::getKV($this->notice_id);
$this->notice_id = (int)$this->arg('id'); if (!$this->notice->inScope($this->scoped)) {
// TRANS: Client exception thrown when trying a view a notice the user has no access to.
throw new ClientException(_('Access restricted.'), 403);
} }
$this->notice = Notice::getKV((int)$this->notice_id);
return true; return true;
} }
@ -90,13 +88,11 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction
* *
* Check the format and show the notice * Check the format and show the notice
* *
* @param array $args $_REQUEST data (unused)
*
* @return void * @return void
*/ */
function handle($args) protected function handle()
{ {
parent::handle($args); parent::handle();
if (!in_array($this->format, array('xml', 'json', 'atom'))) { if (!in_array($this->format, array('xml', 'json', 'atom'))) {
// TRANS: Client error displayed when coming across a non-supported API method. // TRANS: Client error displayed when coming across a non-supported API method.
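Review bot: In the second hunk, `$this->notice = Notice::getKV($this->notice_id);` is followed directly by `$this->notice->inScope($this->scoped)`, so an id that matches no notice (getKV returning a non-object) becomes a fatal "member function on a non-object" error instead of a clean client error, and dropping the old fallback to `$this->arg('id')` makes a missing or malformed id reach that path more easily. Guard before the scope check, e.g. `if (!$this->notice instanceof Notice) { throw new ClientException(_('No such notice.'), 404); }` (message wording constructed here). If handle() still carries its own existence check further down, it now runs too late, since prepare() dereferences first; that part of handle() is outside the hunk so I cannot confirm it. The ApiStatusesShowAction class body continues outside the visible hunks.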


@ -77,7 +77,7 @@ class ShownoticeAction extends ManagedAction
if (!$this->notice->inScope($this->scoped)) { if (!$this->notice->inScope($this->scoped)) {
// TRANS: Client exception thrown when trying a view a notice the user has no access to. // TRANS: Client exception thrown when trying a view a notice the user has no access to.
throw new ClientException(_('Not available.'), 403); throw new ClientException(_('Access restricted.'), 403);
} }
$this->profile = $this->notice->getProfile(); $this->profile = $this->notice->getProfile();