actions/userauthorization.php

   1 <?php
   2 /**
   3  * Let the user authorize a remote subscription request
   4  *
   5  * PHP version 5
   6  *
   7  * @category Action
   8  * @package  StatusNet
   9  * @author   Evan Prodromou <evan@status.net>
  10  * @author   Robin Millette <millette@status.net>
  11  * @license  http://www.fsf.org/licensing/licenses/agpl.html AGPLv3
  12  * @link     http://status.net/
  13  *
  14  * StatusNet - the distributed open-source microblogging tool
  15  * Copyright (C) 2008, 2009, StatusNet, Inc.
  16  *
  17  * This program is free software: you can redistribute it and/or modify
  18  * it under the terms of the GNU Affero General Public License as published by
  19  * the Free Software Foundation, either version 3 of the License, or
  20  * (at your option) any later version.
  21  *
  22  * This program is distributed in the hope that it will be useful,
  23  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  24  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  25  * GNU Affero General Public License for more details.
  26  *
  27  * You should have received a copy of the GNU Affero General Public License
  28  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  29  */
  30
  31 if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
  32
  33 require_once INSTALLDIR.'/lib/omb.php';
  34 require_once INSTALLDIR.'/extlib/libomb/service_provider.php';
  35 require_once INSTALLDIR.'/extlib/libomb/profile.php';
  36 define('TIMESTAMP_THRESHOLD', 300);
  37
  38 class UserauthorizationAction extends Action
  39 {
  40     var $error;
  41     var $params;
  42
  43     function handle($args)
  44     {
  45         parent::handle($args);
  46
  47         if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  48             /* Use a session token for CSRF protection. */
  49             $token = $this->trimmed('token');
  50             if (!$token || $token != common_session_token()) {
  51                 $srv = $this->getStoredParams();
  52                 $this->showForm($srv->getRemoteUser(), _('There was a problem ' .
  53                                         'with your session token. Try again, ' .
  54                                         'please.'));
  55                 return;
  56             }
  57             /* We've shown the form, now post user's choice. */
  58             $this->sendAuthorization();
  59         } else {
  60             if (!common_logged_in()) {
  61                 /* Go log in, and then come back. */
  62                 common_set_returnto($_SERVER['REQUEST_URI']);
  63
  64                 common_redirect(common_local_url('login'));
  65                 return;
  66             }
  67
  68             $user    = common_current_user();
  69             $profile = $user->getProfile();
  70             if (!$profile) {
  71                 common_log_db_error($user, 'SELECT', __FILE__);
  72                 $this->serverError(_('User without matching profile.'));
  73                 return;
  74             }
  75
  76             /* TODO: If no token is passed the user should get a prompt to enter
  77                it according to OAuth Core 1.0. */
  78             try {
  79                 $this->validateOmb();
  80                 $srv = new OMB_Service_Provider(
  81                         profile_to_omb_profile($user->uri, $profile),
  82                         omb_oauth_datastore());
  83
  84                 $remote_user = $srv->handleUserAuth();
  85             } catch (Exception $e) {
  86                 $this->clearParams();
  87                 $this->clientError($e->getMessage());
  88                 return;
  89             }
  90
  91             $this->storeParams($srv);
  92             $this->showForm($remote_user);
  93         }
  94     }
  95
  96     function showForm($params, $error=null)
  97     {
  98         $this->params = $params;
  99         $this->error  = $error;
 100         $this->showPage();
 101     }
 102
 103     function title()
 104     {
 105         return _('Authorize subscription');
 106     }
 107
 108     function showPageNotice()
 109     {
 110         $this->element('p', null, _('Please check these details to make sure '.
 111                                     'that you want to subscribe to this ' .
 112                                     'user’s notices. If you didn’t just ask ' .
 113                                     'to subscribe to someone’s notices, '.
 114                                     'click “Reject”.'));
 115     }
 116
 117     function showContent()
 118     {
 119         $params = $this->params;
 120
 121         $nickname = $params->getNickname();
 122         $profile  = $params->getProfileURL();
 123         $license  = $params->getLicenseURL();
 124         $fullname = $params->getFullname();
 125         $homepage = $params->getHomepage();
 126         $bio      = $params->getBio();
 127         $location = $params->getLocation();
 128         $avatar   = $params->getAvatarURL();
 129
 130         $this->elementStart('div', 'entity_profile vcard');
 131
 132         if ($avatar) {
 133             $this->element('img', array('src' => $avatar,
 134                                         'class' => 'photo avatar entity_depiction',
 135                                         'width' => AVATAR_PROFILE_SIZE,
 136                                         'height' => AVATAR_PROFILE_SIZE,
 137                                         'alt' => $nickname));
 138         }
 139
 140         $this->element('div', 'entity_nickname', _('Nickname'));
 141
 142         $hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname';
 143
 144         // XXX: why are these raw() instead of escaped...?
 145
 146         $this->elementStart('a', array('href' => $profile,
 147                                        'class' => 'url '.$hasFN));
 148         $this->raw($nickname);
 149         $this->elementEnd('a');
 150
 151         if (!is_null($fullname)) {
 152             $this->elementStart('div', 'fn entity_fn');
 153             $this->raw($fullname);
 154             $this->elementEnd('div');
 155         }
 156
 157         if (!is_null($location)) {
 158             $this->elementStart('div', 'label entity_location');
 159             $this->raw($location);
 160         }
 161
 162         if (!is_null($homepage)) {
 163             $this->elementStart('a', array('href' => $homepage,
 164                                            'class' => 'url entity_url'));
 165             $this->raw($homepage);
 166             $this->elementEnd('a');
 167         }
 168
 169         if (!is_null($bio)) {
 170             $this->elementStart('div', 'note entity_note');
 171             $this->raw($bio);
 172             $this->elementEnd('dd');
 173         }
 174
 175         if (!is_null($license)) {
 176             $this->element('a', array('href' => $license,
 177                                       'class' => 'license entity_license'),
 178                            $license);
 179         }
 180
 181         $this->elementEnd('div');
 182
 183         $this->elementStart('div', 'entity_actions');
 184         $this->elementStart('ul');
 185         $this->elementStart('li', 'entity_subscribe');
 186         $this->elementStart('form', array('method' => 'post',
 187                                           'id' => 'userauthorization',
 188                                           'class' => 'form_user_authorization',
 189                                           'name' => 'userauthorization',
 190                                           'action' => common_local_url(
 191                                                          'userauthorization')));
 192         $this->hidden('token', common_session_token());
 193
 194         $this->submit('accept', _('Accept'), 'submit accept', null,
 195                       _('Subscribe to this user'));
 196         $this->submit('reject', _('Reject'), 'submit reject', null,
 197                       _('Reject this subscription'));
 198         $this->elementEnd('form');
 199         $this->elementEnd('li');
 200         $this->elementEnd('ul');
 201         $this->elementEnd('div');
 202     }
 203
 204     function sendAuthorization()
 205     {
 206         $srv = $this->getStoredParams();
 207
 208         if (is_null($srv)) {
 209             $this->clientError(_('No authorization request!'));
 210             return;
 211         }
 212
 213         $accepted = $this->arg('accept');
 214         try {
 215             list($val, $token) = $srv->continueUserAuth($accepted);
 216         } catch (Exception $e) {
 217             $this->clientError($e->getMessage());
 218             return;
 219         }
 220         if ($val !== false) {
 221             common_redirect($val, 303);
 222         } elseif ($accepted) {
 223             $this->showAcceptMessage($token);
 224         } else {
 225             $this->showRejectMessage();
 226         }
 227     }
 228
 229     function showAcceptMessage($tok)
 230     {
 231         common_show_header(_('Subscription authorized'));
 232         $this->element('p', null,
 233                        _('The subscription has been authorized, but no '.
 234                          'callback URL was passed. Check with the site’s ' .
 235                          'instructions for details on how to authorize the ' .
 236                          'subscription. Your subscription token is:'));
 237         $this->element('blockquote', 'token', $tok);
 238         common_show_footer();
 239     }
 240
 241     function showRejectMessage()
 242     {
 243         common_show_header(_('Subscription rejected'));
 244         $this->element('p', null,
 245                        _('The subscription has been rejected, but no '.
 246                          'callback URL was passed. Check with the site’s ' .
 247                          'instructions for details on how to fully reject ' .
 248                          'the subscription.'));
 249         common_show_footer();
 250     }
 251
 252     function storeParams($params)
 253     {
 254         common_ensure_session();
 255         $_SESSION['userauthorizationparams'] = serialize($params);
 256     }
 257
 258     function clearParams()
 259     {
 260         common_ensure_session();
 261         unset($_SESSION['userauthorizationparams']);
 262     }
 263
 264     function getStoredParams()
 265     {
 266         common_ensure_session();
 267         $params = unserialize($_SESSION['userauthorizationparams']);
 268         return $params;
 269     }
 270
 271     function validateOmb()
 272     {
 273         $listener = $_GET['omb_listener'];
 274         $listenee = $_GET['omb_listenee'];
 275         $nickname = $_GET['omb_listenee_nickname'];
 276         $profile  = $_GET['omb_listenee_profile'];
 277
 278         $user = User::staticGet('uri', $listener);
 279         if (!$user) {
 280             throw new Exception(sprintf(_('Listener URI ‘%s’ not found here.'),
 281                                         $listener));
 282         }
 283
 284         if (strlen($listenee) > 255) {
 285             throw new Exception(sprintf(_('Listenee URI ‘%s’ is too long.'),
 286                                         $listenee));
 287         }
 288
 289         $other = User::staticGet('uri', $listenee);
 290         if ($other) {
 291             throw new Exception(sprintf(_('Listenee URI ‘%s’ is a local user.'),
 292                                         $listenee));
 293         }
 294
 295         $remote = Remote_profile::staticGet('uri', $listenee);
 296         if ($remote) {
 297             $sub             = new Subscription();
 298             $sub->subscriber = $user->id;
 299             $sub->subscribed = $remote->id;
 300             if ($sub->find(true)) {
 301                 throw new Exception('You are already subscribed to this user.');
 302             }
 303         }
 304
 305         if ($profile == common_profile_url($nickname)) {
 306             throw new Exception(sprintf(_('Profile URL ‘%s’ is for a local user.'),
 307                                         $profile));
 308
 309         }
 310
 311         $license      = $_GET['omb_listenee_license'];
 312         $site_license = common_config('license', 'url');
 313         if (!common_compatible_license($license, $site_license)) {
 314             throw new Exception(sprintf(_('Listenee stream license ‘%1$s’ is not ' .
 315                                           'compatible with site license ‘%2$s’.'),
 316                                         $license, $site_license));
 317         }
 318
 319         $avatar = $_GET['omb_listenee_avatar'];
 320         if ($avatar) {
 321             if (!common_valid_http_url($avatar) || strlen($avatar) > 255) {
 322                 throw new Exception(sprintf(_('Avatar URL ‘%s’ is not valid.'),
 323                                             $avatar));
 324             }
 325             $size = @getimagesize($avatar);
 326             if (!$size) {
 327                 throw new Exception(sprintf(_('Can’t read avatar URL ‘%s’.'),
 328                                             $avatar));
 329             }
 330             if (!in_array($size[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG,
 331                                           IMAGETYPE_PNG))) {
 332                 throw new Exception(sprintf(_('Wrong image type for avatar URL '.
 333                                               '‘%s’.'), $avatar));
 334             }
 335         }
 336     }
 337 }