forked from GNUsocial/gnu-social
2a4dc77a63
I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV sed -i -s -e '/DataObject::staticGet/I!s/::staticGet/::getKV/Ig' $(grep -R ::staticGet `pwd`/* | grep -v -e '^extlib' | grep -v DataObject:: |grep -v "function staticGet"|cut -d: -f1 |sort |uniq) If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV! This might of course take some getting used to, or modification fo StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class) Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
372 lines
14 KiB
PHP
372 lines
14 KiB
PHP
<?php
|
||
/**
|
||
* Let the user authorize a remote subscription request
|
||
*
|
||
* PHP version 5
|
||
*
|
||
* @category Action
|
||
* @package StatusNet
|
||
* @author Evan Prodromou <evan@status.net>
|
||
* @author Robin Millette <millette@status.net>
|
||
* @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3
|
||
* @link http://status.net/
|
||
*
|
||
* StatusNet - the distributed open-source microblogging tool
|
||
* Copyright (C) 2008-2011, StatusNet, Inc.
|
||
*
|
||
* This program is free software: you can redistribute it and/or modify
|
||
* it under the terms of the GNU Affero General Public License as published by
|
||
* the Free Software Foundation, either version 3 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* This program is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU Affero General Public License for more details.
|
||
*
|
||
* You should have received a copy of the GNU Affero General Public License
|
||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
*/
|
||
|
||
if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
|
||
|
||
require_once dirname(__FILE__) . '/../lib/omb.php';
|
||
require_once dirname(__FILE__) . '/../extlib/libomb/service_provider.php';
|
||
require_once dirname(__FILE__) . '/../extlib/libomb/profile.php';
|
||
define('TIMESTAMP_THRESHOLD', 300);
|
||
|
||
// @todo FIXME: Missing documentation.
|
||
class UserauthorizationAction extends Action
|
||
{
|
||
var $error;
|
||
var $params;
|
||
|
||
function handle($args)
|
||
{
|
||
parent::handle($args);
|
||
|
||
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||
/* Use a session token for CSRF protection. */
|
||
$token = $this->trimmed('token');
|
||
if (!$token || $token != common_session_token()) {
|
||
$srv = $this->getStoredParams();
|
||
// TRANS: Client error displayed when the session token does not match or is not given.
|
||
$this->showForm($srv->getRemoteUser(), _('There was a problem ' .
|
||
'with your session token. Try again, ' .
|
||
'please.'));
|
||
return;
|
||
}
|
||
/* We've shown the form, now post user's choice. */
|
||
$this->sendAuthorization();
|
||
} else {
|
||
if (!common_logged_in()) {
|
||
/* Go log in, and then come back. */
|
||
common_set_returnto($_SERVER['REQUEST_URI']);
|
||
|
||
common_redirect(common_local_url('login'));
|
||
return;
|
||
}
|
||
|
||
$user = common_current_user();
|
||
$profile = $user->getProfile();
|
||
if (!$profile) {
|
||
common_log_db_error($user, 'SELECT', __FILE__);
|
||
// TRANS: Error message displayed when referring to a user without a profile.
|
||
$this->serverError(_('User has no profile.'));
|
||
return;
|
||
}
|
||
|
||
/* TODO: If no token is passed the user should get a prompt to enter
|
||
it according to OAuth Core 1.0. */
|
||
try {
|
||
$this->validateOmb();
|
||
$srv = new OMB_Service_Provider(
|
||
profile_to_omb_profile($user->uri, $profile),
|
||
omb_oauth_datastore());
|
||
|
||
$remote_user = $srv->handleUserAuth();
|
||
} catch (Exception $e) {
|
||
$this->clearParams();
|
||
$this->clientError($e->getMessage());
|
||
return;
|
||
}
|
||
|
||
$this->storeParams($srv);
|
||
$this->showForm($remote_user);
|
||
}
|
||
}
|
||
|
||
function showForm($params, $error=null)
|
||
{
|
||
$this->params = $params;
|
||
$this->error = $error;
|
||
$this->showPage();
|
||
}
|
||
|
||
function title()
|
||
{
|
||
// TRANS: Page title.
|
||
return _('Authorize subscription');
|
||
}
|
||
|
||
function showPageNotice()
|
||
{
|
||
// TRANS: Page notice on "Authorize subscription" page.
|
||
$this->element('p', null, _('Please check these details to make sure '.
|
||
'that you want to subscribe to this ' .
|
||
'user’s notices. If you didn’t just ask ' .
|
||
'to subscribe to someone’s notices, '.
|
||
'click "Reject".'));
|
||
}
|
||
|
||
function showContent()
|
||
{
|
||
$params = $this->params;
|
||
|
||
$nickname = $params->getNickname();
|
||
$profile = $params->getProfileURL();
|
||
$license = $params->getLicenseURL();
|
||
$fullname = $params->getFullname();
|
||
$homepage = $params->getHomepage();
|
||
$bio = $params->getBio();
|
||
$location = $params->getLocation();
|
||
$avatar = $params->getAvatarURL();
|
||
|
||
$this->elementStart('div', 'entity_profile vcard');
|
||
|
||
if ($avatar) {
|
||
$this->element('img', array('src' => $avatar,
|
||
'class' => 'photo avatar entity_depiction',
|
||
'width' => AVATAR_PROFILE_SIZE,
|
||
'height' => AVATAR_PROFILE_SIZE,
|
||
'alt' => $nickname));
|
||
}
|
||
|
||
// TRANS: Label for nickname on user authorisation page.
|
||
$this->element('div', 'entity_nickname', _('Nickname'));
|
||
|
||
$hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname';
|
||
|
||
// XXX: why are these raw() instead of escaped...?
|
||
|
||
$this->elementStart('a', array('href' => $profile,
|
||
'class' => 'url '.$hasFN));
|
||
$this->raw($nickname);
|
||
$this->elementEnd('a');
|
||
|
||
if (!is_null($fullname)) {
|
||
$this->elementStart('div', 'fn entity_fn');
|
||
$this->raw($fullname);
|
||
$this->elementEnd('div');
|
||
}
|
||
|
||
if (!is_null($location)) {
|
||
$this->elementStart('div', 'label entity_location');
|
||
$this->raw($location);
|
||
}
|
||
|
||
if (!is_null($homepage)) {
|
||
$this->elementStart('a', array('href' => $homepage,
|
||
'class' => 'url entity_url'));
|
||
$this->raw($homepage);
|
||
$this->elementEnd('a');
|
||
}
|
||
|
||
if (!is_null($bio)) {
|
||
$this->elementStart('div', 'note entity_note');
|
||
$this->raw($bio);
|
||
$this->elementEnd('dd');
|
||
}
|
||
|
||
if (!is_null($license)) {
|
||
$this->element('a', array('href' => $license,
|
||
'class' => 'license entity_license'),
|
||
$license);
|
||
}
|
||
|
||
$this->elementEnd('div');
|
||
|
||
$this->elementStart('div', 'entity_actions');
|
||
$this->elementStart('ul');
|
||
$this->elementStart('li', 'entity_subscribe');
|
||
$this->elementStart('form', array('method' => 'post',
|
||
'id' => 'userauthorization',
|
||
'class' => 'form_user_authorization',
|
||
'name' => 'userauthorization',
|
||
'action' => common_local_url(
|
||
'userauthorization')));
|
||
$this->hidden('token', common_session_token());
|
||
|
||
$this->submit('accept',
|
||
// TRANS: Button text on Authorise Subscription page.
|
||
_m('BUTTON','Accept'), 'submit accept', null,
|
||
// TRANS: Title for button on Authorise Subscription page.
|
||
_('Subscribe to this user.'));
|
||
$this->submit('reject',
|
||
// TRANS: Button text on Authorise Subscription page.
|
||
_m('BUTTON','Reject'), 'submit reject', null,
|
||
// TRANS: Title for button on Authorise Subscription page.
|
||
_('Reject this subscription.'));
|
||
$this->elementEnd('form');
|
||
$this->elementEnd('li');
|
||
$this->elementEnd('ul');
|
||
$this->elementEnd('div');
|
||
}
|
||
|
||
function sendAuthorization()
|
||
{
|
||
$srv = $this->getStoredParams();
|
||
|
||
if (is_null($srv)) {
|
||
// TRANS: Client error displayed for an empty authorisation request.
|
||
$this->clientError(_('No authorization request!'));
|
||
return;
|
||
}
|
||
|
||
$accepted = $this->arg('accept');
|
||
try {
|
||
list($val, $token) = $srv->continueUserAuth($accepted);
|
||
} catch (Exception $e) {
|
||
$this->clientError($e->getMessage());
|
||
return;
|
||
}
|
||
if ($val !== false) {
|
||
common_redirect($val, 303);
|
||
} elseif ($accepted) {
|
||
$this->showAcceptMessage($token);
|
||
} else {
|
||
$this->showRejectMessage();
|
||
}
|
||
}
|
||
|
||
function showAcceptMessage($tok)
|
||
{
|
||
// TRANS: Accept message header from Authorise subscription page.
|
||
common_show_header(_('Subscription authorized'));
|
||
$this->element('p', null,
|
||
// TRANS: Accept message text from Authorise subscription page.
|
||
_('The subscription has been authorized, but no '.
|
||
'callback URL was passed. Check with the site\'s ' .
|
||
'instructions for details on how to authorize the ' .
|
||
'subscription. Your subscription token is:'));
|
||
$this->element('blockquote', 'token', $tok);
|
||
common_show_footer();
|
||
}
|
||
|
||
function showRejectMessage()
|
||
{
|
||
// TRANS: Reject message header from Authorise subscription page.
|
||
common_show_header(_('Subscription rejected'));
|
||
$this->element('p', null,
|
||
// TRANS: Reject message from Authorise subscription page.
|
||
_('The subscription has been rejected, but no '.
|
||
'callback URL was passed. Check with the site\'s ' .
|
||
'instructions for details on how to fully reject ' .
|
||
'the subscription.'));
|
||
common_show_footer();
|
||
}
|
||
|
||
function storeParams($params)
|
||
{
|
||
common_ensure_session();
|
||
$_SESSION['userauthorizationparams'] = serialize($params);
|
||
}
|
||
|
||
function clearParams()
|
||
{
|
||
common_ensure_session();
|
||
unset($_SESSION['userauthorizationparams']);
|
||
}
|
||
|
||
function getStoredParams()
|
||
{
|
||
common_ensure_session();
|
||
$params = unserialize($_SESSION['userauthorizationparams']);
|
||
return $params;
|
||
}
|
||
|
||
function validateOmb()
|
||
{
|
||
$listener = $_GET['omb_listener'];
|
||
$listenee = $_GET['omb_listenee'];
|
||
$nickname = $_GET['omb_listenee_nickname'];
|
||
$profile = $_GET['omb_listenee_profile'];
|
||
|
||
$user = User::getKV('uri', $listener);
|
||
if (!$user) {
|
||
// TRANS: Exception thrown when no valid user is found for an authorisation request.
|
||
// TRANS: %s is a listener URI.
|
||
throw new Exception(sprintf(_('Listener URI "%s" not found here.'),
|
||
$listener));
|
||
}
|
||
|
||
if (strlen($listenee) > 255) {
|
||
// TRANS: Exception thrown when listenee URI is too long for an authorisation request.
|
||
// TRANS: %s is a listenee URI.
|
||
throw new Exception(sprintf(_('Listenee URI "%s" is too long.'),
|
||
$listenee));
|
||
}
|
||
|
||
$other = User::getKV('uri', $listenee);
|
||
if ($other) {
|
||
// TRANS: Exception thrown when listenee URI is a local user for an authorisation request.
|
||
// TRANS: %s is a listenee URI.
|
||
throw new Exception(sprintf(_('Listenee URI "%s" is a local user.'),
|
||
$listenee));
|
||
}
|
||
|
||
$remote = Remote_profile::getKV('uri', $listenee);
|
||
if ($remote) {
|
||
$sub = new Subscription();
|
||
$sub->subscriber = $user->id;
|
||
$sub->subscribed = $remote->id;
|
||
if ($sub->find(true)) {
|
||
// TRANS: Exception thrown when already subscribed.
|
||
throw new Exception('You are already subscribed to this user.');
|
||
}
|
||
}
|
||
|
||
if ($profile == common_profile_url($nickname)) {
|
||
// TRANS: Exception thrown when profile URL is a local user for an authorisation request.
|
||
// TRANS: %s is a profile URL.
|
||
throw new Exception(sprintf(_('Profile URL "%s" is for a local user.'),
|
||
$profile));
|
||
|
||
}
|
||
|
||
$license = $_GET['omb_listenee_license'];
|
||
$site_license = common_config('license', 'url');
|
||
if (!common_compatible_license($license, $site_license)) {
|
||
// TRANS: Exception thrown when licenses are not compatible for an authorisation request.
|
||
// TRANS: %1$s is the license for the listenee, %2$s is the license for "this" StatusNet site.
|
||
throw new Exception(sprintf(_('Listenee stream license "%1$s" is not ' .
|
||
'compatible with site license "%2$s".'),
|
||
$license, $site_license));
|
||
}
|
||
|
||
$avatar = $_GET['omb_listenee_avatar'];
|
||
if ($avatar) {
|
||
if (!common_valid_http_url($avatar) || strlen($avatar) > 255) {
|
||
// TRANS: Exception thrown when avatar URL is invalid for an authorisation request.
|
||
// TRANS: %s is an avatar URL.
|
||
throw new Exception(sprintf(_('Avatar URL "%s" is not valid.'),
|
||
$avatar));
|
||
}
|
||
$size = @getimagesize($avatar);
|
||
if (!$size) {
|
||
// TRANS: Exception thrown when avatar URL could not be read for an authorisation request.
|
||
// TRANS: %s is an avatar URL.
|
||
throw new Exception(sprintf(_('Cannot read avatar URL "%s".'),
|
||
$avatar));
|
||
}
|
||
if (!in_array($size[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG,
|
||
IMAGETYPE_PNG))) {
|
||
// TRANS: Exception thrown when avatar URL return an invalid image type for an authorisation request.
|
||
// TRANS: %s is an avatar URL.
|
||
throw new Exception(sprintf(_('Wrong image type for avatar URL '.
|
||
'"%s".'), $avatar));
|
||
}
|
||
}
|
||
}
|
||
}
|