]> git.mxchange.org Git - quix0rs-gnu-social.git/blob - actions/finishremotesubscribe.php
projects / quix0rs-gnu-social.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Added is_readonly() method to all Actions
[quix0rs-gnu-social.git] / actions / finishremotesubscribe.php
1 <?php
2 /*
3  * Laconica - a distributed open-source microblogging tool
4  * Copyright (C) 2008, Controlez-Vous, Inc.
5  *
6  * This program is free software: you can redistribute it and/or modify
7  * it under the terms of the GNU Affero General Public License as published by
8  * the Free Software Foundation, either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU Affero General Public License for more details.
15  *
16  * You should have received a copy of the GNU Affero General Public License
17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
18  */
19
20 if (!defined('LACONICA')) { exit(1); }
21
22 require_once(INSTALLDIR.'/lib/omb.php');
23
24 class FinishremotesubscribeAction extends Action {
25
26         function is_readonly() {
27                 return false;
28         }
29
30         function handle($args) {
31
32                 parent::handle($args);
33
34                 if (common_logged_in()) {
35                         common_user_error(_('You can use the local subscription!'));
36                     return;
37                 }
38
39                 $omb = $_SESSION['oauth_authorization_request'];
40
41                 if (!$omb) {
42                         common_user_error(_('Not expecting this response!'));
43                         return;
44                 }
45
46                 common_debug('stored request: '.print_r($omb,true), __FILE__);
47
48                 $req = OAuthRequest::from_request();
49
50                 $token = $req->get_parameter('oauth_token');
51
52                 # I think this is the success metric
53
54                 if ($token != $omb['token']) {
55                         common_user_error(_('Not authorized.'));
56                         return;
57                 }
58
59                 $version = $req->get_parameter('omb_version');
60
61                 if ($version != OMB_VERSION_01) {
62                         common_user_error(_('Unknown version of OMB protocol.'));
63                         return;
64                 }
65
66                 $nickname = $req->get_parameter('omb_listener_nickname');
67
68                 if (!$nickname) {
69                         common_user_error(_('No nickname provided by remote server.'));
70                         return;
71                 }
72
73                 $profile_url = $req->get_parameter('omb_listener_profile');
74
75                 if (!$profile_url) {
76                         common_user_error(_('No profile URL returned by server.'));
77                         return;
78                 }
79
80                 if (!Validate::uri($profile_url, array('allowed_schemes' => array('http', 'https')))) {
81                         common_user_error(_('Invalid profile URL returned by server.'));
82                         return;
83                 }
84
85                 common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
86
87                 $user = User::staticGet('nickname', $omb['listenee']);
88
89                 if (!$user) {
90                         common_user_error(_('User being listened to doesn\'t exist.'));
91                         return;
92                 }
93
94                 $fullname = $req->get_parameter('omb_listener_fullname');
95                 $homepage = $req->get_parameter('omb_listener_homepage');
96                 $bio = $req->get_parameter('omb_listener_bio');
97                 $location = $req->get_parameter('omb_listener_location');
98                 $avatar_url = $req->get_parameter('omb_listener_avatar');
99
100                 list($newtok, $newsecret) = $this->access_token($omb);
101
102                 if (!$newtok || !$newsecret) {
103                         common_user_error(_('Couldn\'t convert request tokens to access tokens.'));
104                         return;
105                 }
106
107                 # XXX: possible attack point; subscribe and return someone else's profile URI
108
109                 $remote = Remote_profile::staticGet('uri', $omb['listener']);
110
111                 if ($remote) {
112                         $exists = true;
113                         $profile = Profile::staticGet($remote->id);
114                         $orig_remote = clone($remote);
115                         $orig_profile = clone($profile);
116                         # XXX: compare current postNotice and updateProfile URLs to the ones
117                         # stored in the DB to avoid (possibly...) above attack
118                 } else {
119                         $exists = false;
120                         $remote = new Remote_profile();
121                         $remote->uri = $omb['listener'];
122                         $profile = new Profile();
123                 }
124
125                 $profile->nickname = $nickname;
126                 $profile->profileurl = $profile_url;
127
128                 if ($fullname) {
129                         $profile->fullname = $fullname;
130                 }
131                 if ($homepage) {
132                         $profile->homepage = $homepage;
133                 }
134                 if ($bio) {
135                         $profile->bio = $bio;
136                 }
137                 if ($location) {
138                         $profile->location = $location;
139                 }
140
141                 if ($exists) {
142                         $profile->update($orig_profile);
143                 } else {
144                         $profile->created = DB_DataObject_Cast::dateTime(); # current time
145                         $id = $profile->insert();
146                         if (!$id) {
147                                 common_server_error(_('Error inserting new profile'));
148                                 return;
149                         }
150                         $remote->id = $id;
151                 }
152
153                 if ($avatar_url) {
154                         if (!$this->add_avatar($profile, $avatar_url)) {
155                                 common_server_error(_('Error inserting avatar'));
156                                 return;
157                         }
158                 }
159
160                 $remote->postnoticeurl = $omb['post_notice_url'];
161                 $remote->updateprofileurl = $omb['update_profile_url'];
162
163                 if ($exists) {
164                         if (!$remote->update($orig_remote)) {
165                                 common_server_error(_('Error updating remote profile'));
166                                 return;
167                         }
168                 } else {
169                         $remote->created = DB_DataObject_Cast::dateTime(); # current time
170                         if (!$remote->insert()) {
171                                 common_server_error(_('Error inserting remote profile'));
172                                 return;
173                         }
174                 }
175
176                 $sub = new Subscription();
177                 $sub->subscriber = $remote->id;
178                 $sub->subscribed = $user->id;
179                 $sub->token = $newtok;
180                 $sub->secret = $newsecret;
181                 $sub->created = DB_DataObject_Cast::dateTime(); # current time
182
183                 if (!$sub->insert()) {
184                         common_user_error(_('Couldn\'t insert new subscription.'));
185                         return;
186                 }
187
188                 # Clear the data
189                 unset($_SESSION['oauth_authorization_request']);
190
191                 # If we show subscriptions in reverse chron order, this should
192                 # show up close to the top of the page
193
194                 common_redirect(common_local_url('subscribers', array('nickname' =>
195                                                                                                                          $user->nickname)));
196         }
197
198         function add_avatar($profile, $url) {
199                 $temp_filename = tempnam(sys_get_temp_dir(), 'listener_avatar');
200                 copy($url, $temp_filename);
201                 return $profile->setOriginal($temp_filename);
202         }
203
204         function access_token($omb) {
205
206                 common_debug('starting request for access token', __FILE__);
207
208                 $con = omb_oauth_consumer();
209                 $tok = new OAuthToken($omb['token'], $omb['secret']);
210
211                 common_debug('using request token "'.$tok.'"', __FILE__);
212
213                 $url = $omb['access_token_url'];
214
215                 common_debug('using access token url "'.$url.'"', __FILE__);
216
217                 # XXX: Is this the right thing to do? Strip off GET params and make them
218                 # POST params? Seems wrong to me.
219
220                 $parsed = parse_url($url);
221                 $params = array();
222                 parse_str($parsed['query'], $params);
223
224                 $req = OAuthRequest::from_consumer_and_token($con, $tok, "POST", $url, $params);
225
226                 $req->set_parameter('omb_version', OMB_VERSION_01);
227
228                 # XXX: test to see if endpoint accepts this signature method
229
230                 $req->sign_request(omb_hmac_sha1(), $con, $tok);
231
232                 # We re-use this tool's fetcher, since it's pretty good
233
234                 common_debug('posting to access token url "'.$req->get_normalized_http_url().'"', __FILE__);
235                 common_debug('posting request data "'.$req->to_postdata().'"', __FILE__);
236
237                 $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
238                 $result = $fetcher->post($req->get_normalized_http_url(),
239                                                                  $req->to_postdata());
240
241                 common_debug('got result: "'.print_r($result,TRUE).'"', __FILE__);
242
243                 if ($result->status != 200) {
244                         return NULL;
245                 }
246
247                 parse_str($result->body, $return);
248
249                 return array($return['oauth_token'], $return['oauth_token_secret']);
250         }
251 }
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)