<?php
-/*
+/**
+ * Handler for remote subscription finish callback
+ *
+ * PHP version 5
+ *
+ * @category Action
+ * @package Laconica
+ * @author Evan Prodromou <evan@controlyourself.ca>
+ * @author Robin Millette <millette@controlyourself.ca>
+ * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3
+ * @link http://laconi.ca/
+ *
* Laconica - a distributed open-source microblogging tool
- * Copyright (C) 2008, Controlez-Vous, Inc.
+ * Copyright (C) 2008, 2009, Control Yourself, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
+ **/
+
+if (!defined('LACONICA')) {
+ exit(1);
+}
-if (!defined('LACONICA')) { exit(1); }
-
-require_once(INSTALLDIR.'/lib/omb.php');
-require_once('Auth/Yadis/Yadis.php');
-
-class FinishremotesubscribeAction extends Action {
-
- function handle($args) {
-
- parent::handle($args);
-
- if (common_logged_in()) {
- common_user_error(_t('You can use the local subscription!'));
- return;
- }
-
- $omb = $_SESSION['oauth_authorization_request'];
-
- if (!$omb) {
- common_user_error(_t('Not expecting this response!'));
- return;
- }
-
- common_debug('stored request: '.print_r($omb,true), __FILE__);
-
- $req = OAuthRequest::from_request();
-
- $token = $req->get_parameter('oauth_token');
-
- # I think this is the success metric
-
- if ($token != $omb['token']) {
- common_user_error(_t('Not authorized.'));
- return;
- }
-
- $version = $req->get_parameter('omb_version');
-
- if ($version != OMB_VERSION_01) {
- common_user_error(_t('Unknown version of OMB protocol.'));
- return;
- }
-
- $nickname = $req->get_parameter('omb_listener_nickname');
-
- if (!$nickname) {
- common_user_error(_t('No nickname provided by remote server.'));
- return;
- }
-
- $profile_url = $req->get_parameter('omb_listener_profile');
-
- if (!$profile_url) {
- common_user_error(_t('No profile URL returned by server.'));
- return;
- }
-
- if (!Validate::uri($profile_url, array('allowed_schemes' => array('http', 'https')))) {
- common_user_error(_t('Invalid profile URL returned by server.'));
- return;
- }
-
- common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
-
- $user = User::staticGet('nickname', $omb['listenee']);
-
- if (!$user) {
- common_user_error(_t('User being listened to doesn\'t exist.'));
- return;
- }
-
- $fullname = $req->get_parameter('omb_listener_fullname');
- $homepage = $req->get_parameter('omb_listener_homepage');
- $bio = $req->get_parameter('omb_listener_bio');
- $location = $req->get_parameter('omb_listener_location');
- $avatar_url = $req->get_parameter('omb_listener_avatar');
-
- list($newtok, $newsecret) = $this->access_token($omb);
-
- if (!$newtok || !$newsecret) {
- common_user_error(_t('Couldn\'t convert request tokens to access tokens.'));
- return;
- }
-
- # XXX: possible attack point; subscribe and return someone else's profile URI
-
- $remote = Remote_profile::staticGet('uri', $omb['listener']);
-
- if ($remote) {
- $exists = true;
- $profile = Profile::staticGet($remote->id);
- $orig_remote = clone($remote);
- $orig_profile = clone($profile);
- # XXX: compare current postNotice and updateProfile URLs to the ones
- # stored in the DB to avoid (possibly...) above attack
- } else {
- $exists = false;
- $remote = new Remote_profile();
- $remote->uri = $omb['listener'];
- $profile = new Profile();
- }
-
- $profile->nickname = $nickname;
- $profile->profileurl = $profile_url;
-
- if ($fullname) {
- $profile->fullname = $fullname;
- }
- if ($homepage) {
- $profile->homepage = $homepage;
- }
- if ($bio) {
- $profile->bio = $bio;
- }
- if ($location) {
- $profile->location = $location;
- }
-
- if ($exists) {
- $profile->update($orig_profile);
- } else {
- $profile->created = DB_DataObject_Cast::dateTime(); # current time
- $id = $profile->insert();
- $remote->id = $id;
- }
-
- if ($avatar_url) {
- $this->add_avatar($profile, $avatar_url);
- }
-
- $remote->postnoticeurl = $omb[OMB_ENDPOINT_POSTNOTICE];
- $remote->updateprofileurl = $omb[OMB_ENDPOINT_UPDATEPROFILE];
-
- if ($exists) {
- $remote->update($orig_remote);
- } else {
- $remote->created = DB_DataObject_Cast::dateTime(); # current time
- $remote->insert;
- }
-
- $sub = new Subscription();
- $sub->subscriber = $remote->id;
- $sub->subscribed = $user->id;
- $sub->token = $newtok;
- $sub->secret = $newsecret;
- $sub->created = DB_DataObject_Cast::dateTime(); # current time
-
- if (!$sub->insert()) {
- common_user_error(_t('Couldn\'t insert new subscription.'));
- return;
- }
-
- # Clear the data
- unset($_SESSION['oauth_authorization_request']);
-
- # If we show subscriptions in reverse chron order, this should
- # show up close to the top of the page
-
- common_redirect(common_local_url('subscribed', array('nickname' =>
- $user->nickname)));
- }
-
- function add_avatar($profile, $url) {
- $temp_filename = tempnam(sys_get_temp_dir(), 'listener_avatar');
- copy($url, $temp_filename);
- return $profile->setOriginal($temp_filename);
- }
-
- function access_token($omb) {
-
- common_debug('starting request for access token', __FILE__);
-
- $con = omb_oauth_consumer();
- $tok = new OAuthToken($omb['token'], $omb['secret']);
-
- common_debug('using request token "'.$tok.'"', __FILE__);
-
- $url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
-
- common_debug('using access token url "'.$url.'"', __FILE__);
-
- # XXX: Is this the right thing to do? Strip off GET params and make them
- # POST params? Seems wrong to me.
-
- $parsed = parse_url($url);
- $params = array();
- parse_str($parsed['query'], $params);
-
- $req = OAuthRequest::from_consumer_and_token($con, $tok, "POST", $url, $params);
-
- $req->set_parameter('omb_version', OMB_VERSION_01);
-
- # XXX: test to see if endpoint accepts this signature method
-
- $req->sign_request(omb_hmac_sha1(), $con, $tok);
-
- # We re-use this tool's fetcher, since it's pretty good
-
- common_debug('posting to access token url "'.$req->get_normalized_http_url().'"', __FILE__);
- common_debug('posting request data "'.$req->to_postdata().'"', __FILE__);
-
- $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
- $result = $fetcher->post($req->get_normalized_http_url(),
- $req->to_postdata());
-
- common_debug('got result: "'.print_r($result,TRUE).'"', __FILE__);
-
- if ($result->status != 200) {
- return NULL;
- }
-
- parse_str($result->body, $return);
-
- return array($return['oauth_token'], $return['oauth_token_secret']);
- }
-}
\ No newline at end of file
+require_once INSTALLDIR.'/extlib/libomb/service_consumer.php';
+require_once INSTALLDIR.'/lib/omb.php';
+
+/**
+ * Handler for remote subscription finish callback
+ *
+ * When a remote user subscribes a local user, a redirect to this action is
+ * issued after the remote user authorized his service to subscribe.
+ *
+ * @category Action
+ * @package Laconica
+ * @author Evan Prodromou <evan@controlyourself.ca>
+ * @author Robin Millette <millette@controlyourself.ca>
+ * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3
+ * @link http://laconi.ca/
+ */
+class FinishremotesubscribeAction extends Action
+{
+
+ /**
+ * Class handler.
+ *
+ * @param array $args query arguments
+ *
+ * @return nothing
+ *
+ **/
+ function handle($args)
+ {
+ parent::handle($args);
+
+ /* Restore session data. RemotesubscribeAction should have stored
+ this entry. */
+ $service = unserialize($_SESSION['oauth_authorization_request']);
+
+ if (!$service) {
+ $this->clientError(_('Not expecting this response!'));
+ return;
+ }
+
+ common_debug('stored request: '. print_r($service, true), __FILE__);
+
+ /* Create user objects for both users. Do it early for request
+ validation. */
+ $user = User::staticGet('uri', $service->getListeneeURI());
+
+ if (!$user) {
+ $this->clientError(_('User being listened to does not exist.'));
+ return;
+ }
+
+ $other = User::staticGet('uri', $service->getListenerURI());
+
+ if ($other) {
+ $this->clientError(_('You can use the local subscription!'));
+ return;
+ }
+
+ $remote = Remote_profile::staticGet('uri', $service->getListenerURI());
+
+ $profile = Profile::staticGet($remote->id);
+
+ if ($user->hasBlocked($profile)) {
+ $this->clientError(_('That user has blocked you from subscribing.'));
+ return;
+ }
+
+ /* Perform the handling itself via libomb. */
+ try {
+ $service->finishAuthorization();
+ } catch (OAuthException $e) {
+ if ($e->getMessage() == 'The authorized token does not equal the ' .
+ 'submitted token.') {
+ $this->clientError(_('You are not authorized.'));
+ return;
+ } else {
+ $this->clientError(_('Could not convert request token to ' .
+ 'access token.'));
+ return;
+ }
+ } catch (OMB_RemoteServiceException $e) {
+ $this->clientError(_('Remote service uses unknown version of ' .
+ 'OMB protocol.'));
+ return;
+ } catch (Exception $e) {
+ common_debug('Got exception ' . print_r($e, true), __FILE__);
+ $this->clientError($e->getMessage());
+ return;
+ }
+
+ /* The service URLs are not accessible from datastore, so setting them
+ after insertion of the profile. */
+ $orig_remote = clone($remote);
+
+ $remote->postnoticeurl =
+ $service->getServiceURI(OMB_ENDPOINT_POSTNOTICE);
+ $remote->updateprofileurl =
+ $service->getServiceURI(OMB_ENDPOINT_UPDATEPROFILE);
+
+ if (!$remote->update($orig_remote)) {
+ $this->serverError(_('Error updating remote profile'));
+ return;
+ }
+
+ /* Clear the session data. */
+ unset($_SESSION['oauth_authorization_request']);
+
+ /* If we show subscriptions in reverse chronological order, the new one
+ should show up close to the top of the page. */
+ common_redirect(common_local_url('subscribers', array('nickname' =>
+ $user->nickname)),
+ 303);
+ }
+}
projects / quix0rs-gnu-social.git / blobdiff