From 1f8ddf716d0b54cc40aa89e595fe2232a10e7a2a Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Thu, 14 Jan 2010 02:16:03 +0000 Subject: [PATCH] Check for read vs. read-write access on OAuth authenticated API mehtods. --- lib/api.php | 5 +++++ lib/apiauth.php | 20 ++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/lib/api.php b/lib/api.php index 707e4ac21a..794b140507 100644 --- a/lib/api.php +++ b/lib/api.php @@ -53,6 +53,9 @@ if (!defined('STATUSNET')) { class ApiAction extends Action { + const READ_ONLY = 1; + const READ_WRITE = 2; + var $format = null; var $user = null; var $auth_user = null; @@ -62,6 +65,8 @@ class ApiAction extends Action var $since_id = null; var $since = null; + var $access = self::READ_ONLY; // read (default) or read-write + /** * Initialization. * diff --git a/lib/apiauth.php b/lib/apiauth.php index 431f3ac4fd..8374c24a7f 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction $this->checkOAuthRequest(); } else { $this->checkBasicAuthUser(); + // By default, all basic auth users have read and write access + + $this->access = self::READ_WRITE; } } return true; } + function handle($args) + { + parent::handle($args); + + if ($this->isReadOnly($args) == false) { + if ($this->access == self::READ_ONLY) { + $this->clientError(_('API method requires write access.'), 401); + exit(); + } + } + } + function checkOAuthRequest() { common_debug("We have an OAuth request."); @@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction if ($this->oauth_access_type != 0) { + // Set the read or read-write access for the api call + $this->access = ($appUser->access_type & Oauth_application::$writeAccess) + ? self::READ_WRITE : self::READ_ONLY; + $this->auth_user = User::staticGet('id', $appUser->profile_id); $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . @@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction exit; } } + return true; }