Since we are not really handling a full-blown OAuth request (no signature, nonce, consumer), we should not use this class, but rather store the plain param array in the session.
When a user subscribes to a remote profile, he is redirected to his own service to confirm the request. This authorization request is specified in http://oauth.net/core/1.0#auth_step2. According to the standard, it does not have to pass consumer_key, nonce, timestamp or signature. The only specified parameters are oauth_token and oauth_callback, both optional.
If the configured domain is mixed-case, OAuth throws invalidsignature errors. The current URL is part of the signed parts; since the consumer does not pass the current URL, the service has to get it itself and add it to the other OAuth params for signature rebuilding. OAuth.php uses $_SERVER for this; however, the domain is lowercased in $_SERVER. Hence we pass the complete current URL as generated by common_local_url to OAuthRequest.
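
The signature mismatch described in the commit message above, as an added PHP example that is not StatusNet or OAuth.php code. The helper names `base_string` and `hmac_sha1_signature`, the URL, the consumer key, the nonce and the secret are all constructed for illustration.

```php
<?php
// Added illustration; not StatusNet or OAuth.php code. All values are constructed.

// OAuth 1.0 signature base string: METHOD & enc(URL) & enc(sorted params).
function base_string(string $method, string $url, array $params): string
{
    unset($params['oauth_signature']);   // the signature never signs itself
    ksort($params);                      // parameters are sorted by name
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    return implode('&', [
        strtoupper($method),
        rawurlencode($url),
        rawurlencode(implode('&', $pairs)),
    ]);
}

// HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
function hmac_sha1_signature(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Constructed request: the site is configured with a mixed-case domain.
$configuredUrl = 'http://Example.ORG/constructed/request_token';
$params = [
    'oauth_consumer_key'     => 'http://consumer.example/',
    'oauth_nonce'            => 'constructed-nonce-1',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1240000000',
    'oauth_version'          => '1.0',
];
$secret = 'constructed-secret';

// Consumer side: signs over the URL it was given (mixed case).
$sent = hmac_sha1_signature(base_string('POST', $configuredUrl, $params), $secret);

// Service side, before the fix: URL rebuilt with a lowercased host.
$p = parse_url($configuredUrl);
$rebuiltUrl = $p['scheme'] . '://' . strtolower($p['host']) . $p['path'];
$before = hmac_sha1_signature(base_string('POST', $rebuiltUrl, $params), $secret);

// Service side, after the fix: the configured URL is passed in explicitly.
$after = hmac_sha1_signature(base_string('POST', $configuredUrl, $params), $secret);

printf("rebuilt URL verifies:    %s\n", var_export(hash_equals($sent, $before), true));
printf("configured URL verifies: %s\n", var_export(hash_equals($sent, $after), true));
```

The two base strings differ only in the case of the host, which is enough to change the HMAC. The comparison uses `hash_equals` so that verification time does not depend on how many leading characters match.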
This commit fixes two issues:
- Allowing remote users to clear profile parameters via OMB.
- Improved handling of profile parameters which evaluate to false ('0' for example)
People shouldn't be forced to be part of a group, even if they are the
admin. If a group has no admin, we need to figure out what to do with
it, but it's wrong to force anyone to be part of a group.
This reverts commit f9a7ae27b8879569a3f0eff478cbd3b650bdca28.
The OAuth store was failing on getting a request token, because the
token value was forced to be non-null in the DB. Let this value be
null, and use the correct primary key (consumer, timestamp, nonce).
Drop the reference to token table, and don't ever use it.
The OpenID login and registration URLs were not generating correctly.
I added them to the list of "bare" actions in the router class, and
they work great now.
Added a local directory for locally-installed software. This is where
you should put any code you write, themes, plugins, etc. so they don't
get stomped by upgrades.