3 * Let the user authorize a remote subscription request
9 * @author Evan Prodromou <evan@controlyourself.ca>
10 * @author Robin Millette <millette@controlyourself.ca>
11 * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3
12 * @link http://laconi.ca/
14 * Laconica - a distributed open-source microblogging tool
15 * Copyright (C) 2008, 2009, Control Yourself, Inc.
17 * This program is free software: you can redistribute it and/or modify
18 * it under the terms of the GNU Affero General Public License as published by
19 * the Free Software Foundation, either version 3 of the License, or
20 * (at your option) any later version.
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU Affero General Public License for more details.
27 * You should have received a copy of the GNU Affero General Public License
28 * along with this program. If not, see <http://www.gnu.org/licenses/>.
31 if (!defined('LACONICA')) {
35 require_once INSTALLDIR.'/lib/omb.php';
36 require_once INSTALLDIR.'/extlib/libomb/service_provider.php';
37 require_once INSTALLDIR.'/extlib/libomb/profile.php';
38 define('TIMESTAMP_THRESHOLD', 300);
40 class UserauthorizationAction extends Action
45 function handle($args)
47 parent::handle($args);
49 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
50 /* Use a session token for CSRF protection. */
51 $token = $this->trimmed('token');
52 if (!$token || $token != common_session_token()) {
53 $srv = $this->getStoredParams();
54 $this->showForm($srv->getRemoteUser(), _('There was a problem ' .
55 'with your session token. Try again, ' .
59 /* We've shown the form, now post user's choice. */
60 $this->sendAuthorization();
62 if (!common_logged_in()) {
63 /* Go log in, and then come back. */
64 common_set_returnto($_SERVER['REQUEST_URI']);
66 if (!common_config('site', 'openidonly')) {
67 common_redirect(common_local_url('login'));
69 common_redirect(common_local_url('openidlogin'));
74 $user = common_current_user();
75 $profile = $user->getProfile();
77 common_log_db_error($user, 'SELECT', __FILE__);
78 $this->serverError(_('User without matching profile'));
82 /* TODO: If no token is passed the user should get a prompt to enter
83 it according to OAuth Core 1.0. */
86 $srv = new OMB_Service_Provider(
87 profile_to_omb_profile($user->uri, $profile),
88 omb_oauth_datastore());
90 $remote_user = $srv->handleUserAuth();
91 } catch (Exception $e) {
93 $this->clientError($e->getMessage());
97 $this->storeParams($srv);
98 $this->showForm($remote_user);
102 function showForm($params, $error=null)
104 $this->params = $params;
105 $this->error = $error;
111 return _('Authorize subscription');
114 function showPageNotice()
116 $this->element('p', null, _('Please check these details to make sure '.
117 'that you want to subscribe to this ' .
118 'user’s notices. If you didn’t just ask ' .
119 'to subscribe to someone’s notices, '.
123 function showContent()
125 $params = $this->params;
127 $nickname = $params->getNickname();
128 $profile = $params->getProfileURL();
129 $license = $params->getLicenseURL();
130 $fullname = $params->getFullname();
131 $homepage = $params->getHomepage();
132 $bio = $params->getBio();
133 $location = $params->getLocation();
134 $avatar = $params->getAvatarURL();
136 $this->elementStart('div', array('class' => 'profile'));
137 $this->elementStart('div', 'entity_profile vcard');
138 $this->elementStart('a', array('href' => $profile,
141 $this->element('img', array('src' => $avatar,
142 'class' => 'photo avatar',
143 'width' => AVATAR_PROFILE_SIZE,
144 'height' => AVATAR_PROFILE_SIZE,
145 'alt' => $nickname));
147 $hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname';
148 $this->elementStart('span', $hasFN);
149 $this->raw($nickname);
150 $this->elementEnd('span');
151 $this->elementEnd('a');
153 if (!is_null($fullname)) {
154 $this->elementStart('dl', 'entity_fn');
155 $this->elementStart('dd');
156 $this->elementStart('span', 'fn');
157 $this->raw($fullname);
158 $this->elementEnd('span');
159 $this->elementEnd('dd');
160 $this->elementEnd('dl');
162 if (!is_null($location)) {
163 $this->elementStart('dl', 'entity_location');
164 $this->element('dt', null, _('Location'));
165 $this->elementStart('dd', 'label');
166 $this->raw($location);
167 $this->elementEnd('dd');
168 $this->elementEnd('dl');
171 if (!is_null($homepage)) {
172 $this->elementStart('dl', 'entity_url');
173 $this->element('dt', null, _('URL'));
174 $this->elementStart('dd');
175 $this->elementStart('a', array('href' => $homepage,
177 $this->raw($homepage);
178 $this->elementEnd('a');
179 $this->elementEnd('dd');
180 $this->elementEnd('dl');
183 if (!is_null($bio)) {
184 $this->elementStart('dl', 'entity_note');
185 $this->element('dt', null, _('Note'));
186 $this->elementStart('dd', 'note');
188 $this->elementEnd('dd');
189 $this->elementEnd('dl');
192 if (!is_null($license)) {
193 $this->elementStart('dl', 'entity_license');
194 $this->element('dt', null, _('License'));
195 $this->elementStart('dd', 'license');
196 $this->element('a', array('href' => $license,
197 'class' => 'license'),
199 $this->elementEnd('dd');
200 $this->elementEnd('dl');
202 $this->elementEnd('div');
204 $this->elementStart('div', 'entity_actions');
205 $this->elementStart('ul');
206 $this->elementStart('li', 'entity_subscribe');
207 $this->elementStart('form', array('method' => 'post',
208 'id' => 'userauthorization',
209 'class' => 'form_user_authorization',
210 'name' => 'userauthorization',
211 'action' => common_local_url(
212 'userauthorization')));
213 $this->hidden('token', common_session_token());
215 $this->submit('accept', _('Accept'), 'submit accept', null,
216 _('Subscribe to this user'));
217 $this->submit('reject', _('Reject'), 'submit reject', null,
218 _('Reject this subscription'));
219 $this->elementEnd('form');
220 $this->elementEnd('li');
221 $this->elementEnd('ul');
222 $this->elementEnd('div');
223 $this->elementEnd('div');
226 function sendAuthorization()
228 $srv = $this->getStoredParams();
231 $this->clientError(_('No authorization request!'));
235 $accepted = $this->arg('accept');
237 list($val, $token) = $srv->continueUserAuth($accepted);
238 } catch (Exception $e) {
239 $this->clientError($e->getMessage());
242 if ($val !== false) {
243 common_redirect($val, 303);
244 } elseif ($accepted) {
245 $this->showAcceptMessage($token);
247 $this->showRejectMessage();
251 function showAcceptMessage($tok)
253 common_show_header(_('Subscription authorized'));
254 $this->element('p', null,
255 _('The subscription has been authorized, but no '.
256 'callback URL was passed. Check with the site’s ' .
257 'instructions for details on how to authorize the ' .
258 'subscription. Your subscription token is:'));
259 $this->element('blockquote', 'token', $tok);
260 common_show_footer();
263 function showRejectMessage()
265 common_show_header(_('Subscription rejected'));
266 $this->element('p', null,
267 _('The subscription has been rejected, but no '.
268 'callback URL was passed. Check with the site’s ' .
269 'instructions for details on how to fully reject ' .
270 'the subscription.'));
271 common_show_footer();
274 function storeParams($params)
276 common_ensure_session();
277 $_SESSION['userauthorizationparams'] = serialize($params);
280 function clearParams()
282 common_ensure_session();
283 unset($_SESSION['userauthorizationparams']);
286 function getStoredParams()
288 common_ensure_session();
289 $params = unserialize($_SESSION['userauthorizationparams']);
293 function validateOmb()
295 $listener = $_GET['omb_listener'];
296 $listenee = $_GET['omb_listenee'];
297 $nickname = $_GET['omb_listenee_nickname'];
298 $profile = $_GET['omb_listenee_profile'];
300 $user = User::staticGet('uri', $listener);
302 throw new Exception(sprintf(_('Listener URI ‘%s’ not found here'),
306 if (strlen($listenee) > 255) {
307 throw new Exception(sprintf(_('Listenee URI ‘%s’ is too long.'),
311 $other = User::staticGet('uri', $listenee);
313 throw new Exception(sprintf(_('Listenee URI ‘%s’ is a local user.'),
317 $remote = Remote_profile::staticGet('uri', $listenee);
319 $sub = new Subscription();
320 $sub->subscriber = $user->id;
321 $sub->subscribed = $remote->id;
322 if ($sub->find(true)) {
323 throw new Exception('You are already subscribed to this user.');
327 if ($profile == common_profile_url($nickname)) {
328 throw new Exception(sprintf(_('Profile URL ‘%s’ is for a local user.'),
333 $license = $_GET['omb_listenee_license'];
334 $site_license = common_config('license', 'url');
335 if (!common_compatible_license($license, $site_license)) {
336 throw new Exception(sprintf(_('Listenee stream license ‘%s’ is not ' .
337 'compatible with site license ‘%s’.'),
338 $license, $site_license));
341 $avatar = $_GET['omb_listenee_avatar'];
343 if (!common_valid_http_url($avatar) || strlen($avatar) > 255) {
344 throw new Exception(sprintf(_('Avatar URL ‘%s’ is not valid.'),
347 $size = @getimagesize($avatar);
349 throw new Exception(sprintf(_('Can’t read avatar URL ‘%s’.'),
352 if (!in_array($size[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG,
354 throw new Exception(sprintf(_('Wrong image type for avatar URL '.