forked from GNUsocial/gnu-social
Check for read vs. read-write access on OAuth authenticated API mehtods.
This commit is contained in:
parent
c2c930a855
commit
1f8ddf716d
@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
|
||||
|
||||
class ApiAction extends Action
|
||||
{
|
||||
const READ_ONLY = 1;
|
||||
const READ_WRITE = 2;
|
||||
|
||||
var $format = null;
|
||||
var $user = null;
|
||||
var $auth_user = null;
|
||||
@ -62,6 +65,8 @@ class ApiAction extends Action
|
||||
var $since_id = null;
|
||||
var $since = null;
|
||||
|
||||
var $access = self::READ_ONLY; // read (default) or read-write
|
||||
|
||||
/**
|
||||
* Initialization.
|
||||
*
|
||||
|
@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
|
||||
$this->checkOAuthRequest();
|
||||
} else {
|
||||
$this->checkBasicAuthUser();
|
||||
// By default, all basic auth users have read and write access
|
||||
|
||||
$this->access = self::READ_WRITE;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
function handle($args)
|
||||
{
|
||||
parent::handle($args);
|
||||
|
||||
if ($this->isReadOnly($args) == false) {
|
||||
if ($this->access == self::READ_ONLY) {
|
||||
$this->clientError(_('API method requires write access.'), 401);
|
||||
exit();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function checkOAuthRequest()
|
||||
{
|
||||
common_debug("We have an OAuth request.");
|
||||
@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
|
||||
|
||||
if ($this->oauth_access_type != 0) {
|
||||
|
||||
// Set the read or read-write access for the api call
|
||||
$this->access = ($appUser->access_type & Oauth_application::$writeAccess)
|
||||
? self::READ_WRITE : self::READ_ONLY;
|
||||
|
||||
$this->auth_user = User::staticGet('id', $appUser->profile_id);
|
||||
|
||||
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
|
||||
@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user