]> git.mxchange.org Git - quix0rs-gnu-social.git/blob - actions/finishremotesubscribe.php
projects / quix0rs-gnu-social.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
maybe an extra \n will help my formatting
[quix0rs-gnu-social.git] / actions / finishremotesubscribe.php
1 <?php
2 /*
3  * Laconica - a distributed open-source microblogging tool
4  * Copyright (C) 2008, Controlez-Vous, Inc.
5  *
6  * This program is free software: you can redistribute it and/or modify
7  * it under the terms of the GNU Affero General Public License as published by
8  * the Free Software Foundation, either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU Affero General Public License for more details.
15  *
16  * You should have received a copy of the GNU Affero General Public License
17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
18  */
19
20 if (!defined('LACONICA')) { exit(1); }
21
22 require_once(INSTALLDIR.'/lib/omb.php');
23
24 class FinishremotesubscribeAction extends Action {
25
26         function handle($args) {
27
28                 parent::handle($args);
29
30                 if (common_logged_in()) {
31                         common_user_error(_('You can use the local subscription!'));
32                     return;
33                 }
34
35                 $omb = $_SESSION['oauth_authorization_request'];
36
37                 if (!$omb) {
38                         common_user_error(_('Not expecting this response!'));
39                         return;
40                 }
41
42                 common_debug('stored request: '.print_r($omb,true), __FILE__);
43
44                 $req = OAuthRequest::from_request();
45
46                 $token = $req->get_parameter('oauth_token');
47
48                 # I think this is the success metric
49
50                 if ($token != $omb['token']) {
51                         common_user_error(_('Not authorized.'));
52                         return;
53                 }
54
55                 $version = $req->get_parameter('omb_version');
56
57                 if ($version != OMB_VERSION_01) {
58                         common_user_error(_('Unknown version of OMB protocol.'));
59                         return;
60                 }
61
62                 $nickname = $req->get_parameter('omb_listener_nickname');
63
64                 if (!$nickname) {
65                         common_user_error(_('No nickname provided by remote server.'));
66                         return;
67                 }
68
69                 $profile_url = $req->get_parameter('omb_listener_profile');
70
71                 if (!$profile_url) {
72                         common_user_error(_('No profile URL returned by server.'));
73                         return;
74                 }
75
76                 if (!Validate::uri($profile_url, array('allowed_schemes' => array('http', 'https')))) {
77                         common_user_error(_('Invalid profile URL returned by server.'));
78                         return;
79                 }
80
81                 common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
82
83                 $user = User::staticGet('nickname', $omb['listenee']);
84
85                 if (!$user) {
86                         common_user_error(_('User being listened to doesn\'t exist.'));
87                         return;
88                 }
89
90                 $fullname = $req->get_parameter('omb_listener_fullname');
91                 $homepage = $req->get_parameter('omb_listener_homepage');
92                 $bio = $req->get_parameter('omb_listener_bio');
93                 $location = $req->get_parameter('omb_listener_location');
94                 $avatar_url = $req->get_parameter('omb_listener_avatar');
95
96                 list($newtok, $newsecret) = $this->access_token($omb);
97
98                 if (!$newtok || !$newsecret) {
99                         common_user_error(_('Couldn\'t convert request tokens to access tokens.'));
100                         return;
101                 }
102
103                 # XXX: possible attack point; subscribe and return someone else's profile URI
104
105                 $remote = Remote_profile::staticGet('uri', $omb['listener']);
106
107                 if ($remote) {
108                         $exists = true;
109                         $profile = Profile::staticGet($remote->id);
110                         $orig_remote = clone($remote);
111                         $orig_profile = clone($profile);
112                         # XXX: compare current postNotice and updateProfile URLs to the ones
113                         # stored in the DB to avoid (possibly...) above attack
114                 } else {
115                         $exists = false;
116                         $remote = new Remote_profile();
117                         $remote->uri = $omb['listener'];
118                         $profile = new Profile();
119                 }
120
121                 $profile->nickname = $nickname;
122                 $profile->profileurl = $profile_url;
123
124                 if ($fullname) {
125                         $profile->fullname = $fullname;
126                 }
127                 if ($homepage) {
128                         $profile->homepage = $homepage;
129                 }
130                 if ($bio) {
131                         $profile->bio = $bio;
132                 }
133                 if ($location) {
134                         $profile->location = $location;
135                 }
136
137                 if ($exists) {
138                         $profile->update($orig_profile);
139                 } else {
140                         $profile->created = DB_DataObject_Cast::dateTime(); # current time
141                         $id = $profile->insert();
142                         if (!$id) {
143                                 common_server_error(_('Error inserting new profile'));
144                                 return;
145                         }
146                         $remote->id = $id;
147                 }
148
149                 if ($avatar_url) {
150                         if (!$this->add_avatar($profile, $avatar_url)) {
151                                 common_server_error(_('Error inserting avatar'));
152                                 return;
153                         }
154                 }
155
156                 $remote->postnoticeurl = $omb['post_notice_url'];
157                 $remote->updateprofileurl = $omb['update_profile_url'];
158
159                 if ($exists) {
160                         if (!$remote->update($orig_remote)) {
161                                 common_server_error(_('Error updating remote profile'));
162                                 return;
163                         }
164                 } else {
165                         $remote->created = DB_DataObject_Cast::dateTime(); # current time
166                         if (!$remote->insert()) {
167                                 common_server_error(_('Error inserting remote profile'));
168                                 return;
169                         }
170                 }
171
172                 $sub = new Subscription();
173                 $sub->subscriber = $remote->id;
174                 $sub->subscribed = $user->id;
175                 $sub->token = $newtok;
176                 $sub->secret = $newsecret;
177                 $sub->created = DB_DataObject_Cast::dateTime(); # current time
178
179                 if (!$sub->insert()) {
180                         common_user_error(_('Couldn\'t insert new subscription.'));
181                         return;
182                 }
183
184                 # Clear the data
185                 unset($_SESSION['oauth_authorization_request']);
186
187                 # If we show subscriptions in reverse chron order, this should
188                 # show up close to the top of the page
189
190                 common_redirect(common_local_url('subscribers', array('nickname' =>
191                                                                                                                          $user->nickname)));
192         }
193
194         function add_avatar($profile, $url) {
195                 $temp_filename = tempnam(sys_get_temp_dir(), 'listener_avatar');
196                 copy($url, $temp_filename);
197                 return $profile->setOriginal($temp_filename);
198         }
199
200         function access_token($omb) {
201
202                 common_debug('starting request for access token', __FILE__);
203
204                 $con = omb_oauth_consumer();
205                 $tok = new OAuthToken($omb['token'], $omb['secret']);
206
207                 common_debug('using request token "'.$tok.'"', __FILE__);
208
209                 $url = $omb['access_token_url'];
210
211                 common_debug('using access token url "'.$url.'"', __FILE__);
212
213                 # XXX: Is this the right thing to do? Strip off GET params and make them
214                 # POST params? Seems wrong to me.
215
216                 $parsed = parse_url($url);
217                 $params = array();
218                 parse_str($parsed['query'], $params);
219
220                 $req = OAuthRequest::from_consumer_and_token($con, $tok, "POST", $url, $params);
221
222                 $req->set_parameter('omb_version', OMB_VERSION_01);
223
224                 # XXX: test to see if endpoint accepts this signature method
225
226                 $req->sign_request(omb_hmac_sha1(), $con, $tok);
227
228                 # We re-use this tool's fetcher, since it's pretty good
229
230                 common_debug('posting to access token url "'.$req->get_normalized_http_url().'"', __FILE__);
231                 common_debug('posting request data "'.$req->to_postdata().'"', __FILE__);
232
233                 $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
234                 $result = $fetcher->post($req->get_normalized_http_url(),
235                                                                  $req->to_postdata());
236
237                 common_debug('got result: "'.print_r($result,TRUE).'"', __FILE__);
238
239                 if ($result->status != 200) {
240                         return NULL;
241                 }
242
243                 parse_str($result->body, $return);
244
245                 return array($return['oauth_token'], $return['oauth_token_secret']);
246         }
247 }
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)