forked from GNUsocial/gnu-social
Check for read vs. read-write access on OAuth authenticated API mehtods.
This commit is contained in:
parent
c2c930a855
commit
1f8ddf716d
@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
|
|||||||
|
|
||||||
class ApiAction extends Action
|
class ApiAction extends Action
|
||||||
{
|
{
|
||||||
|
const READ_ONLY = 1;
|
||||||
|
const READ_WRITE = 2;
|
||||||
|
|
||||||
var $format = null;
|
var $format = null;
|
||||||
var $user = null;
|
var $user = null;
|
||||||
var $auth_user = null;
|
var $auth_user = null;
|
||||||
@ -62,6 +65,8 @@ class ApiAction extends Action
|
|||||||
var $since_id = null;
|
var $since_id = null;
|
||||||
var $since = null;
|
var $since = null;
|
||||||
|
|
||||||
|
var $access = self::READ_ONLY; // read (default) or read-write
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initialization.
|
* Initialization.
|
||||||
*
|
*
|
||||||
|
@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
|
|||||||
$this->checkOAuthRequest();
|
$this->checkOAuthRequest();
|
||||||
} else {
|
} else {
|
||||||
$this->checkBasicAuthUser();
|
$this->checkBasicAuthUser();
|
||||||
|
// By default, all basic auth users have read and write access
|
||||||
|
|
||||||
|
$this->access = self::READ_WRITE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function handle($args)
|
||||||
|
{
|
||||||
|
parent::handle($args);
|
||||||
|
|
||||||
|
if ($this->isReadOnly($args) == false) {
|
||||||
|
if ($this->access == self::READ_ONLY) {
|
||||||
|
$this->clientError(_('API method requires write access.'), 401);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
function checkOAuthRequest()
|
function checkOAuthRequest()
|
||||||
{
|
{
|
||||||
common_debug("We have an OAuth request.");
|
common_debug("We have an OAuth request.");
|
||||||
@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
|
|||||||
|
|
||||||
if ($this->oauth_access_type != 0) {
|
if ($this->oauth_access_type != 0) {
|
||||||
|
|
||||||
|
// Set the read or read-write access for the api call
|
||||||
|
$this->access = ($appUser->access_type & Oauth_application::$writeAccess)
|
||||||
|
? self::READ_WRITE : self::READ_ONLY;
|
||||||
|
|
||||||
$this->auth_user = User::staticGet('id', $appUser->profile_id);
|
$this->auth_user = User::staticGet('id', $appUser->profile_id);
|
||||||
|
|
||||||
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
|
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
|
||||||
@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
|
|||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user