CSRF protection for subscription/unsubscription
index 3a66e888505147ba58839dd242c8f5d7ce01fd22..3a9b8ba3e2f60db4abc96211c6b6821dc3233a20 100644 (file)
@@ -23,6 +23,20 @@ require_once(INSTALLDIR.'/lib/twitterapi.php');
 
 class TwitapiaccountAction extends TwitterapiAction {
 
+       function is_readonly() {
+               
+               static $write_methods = array(  'update_location',
+                                                                               'update_delivery_device');
+               
+               $cmdtext = explode('.', $this->arg('method'));          
+               
+               if (in_array($cmdtext[0], $write_methods)) {                    
+                       return false;
+               }
+                               
+               return true;
+       }
+
        function verify_credentials($args, $apidata) {
 
                if ($apidata['content-type'] == 'xml') {
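Review bot: `is_readonly()` fails open — any method name not found in `$write_methods` is reported as read-only, so a state-changing method added to this class later, or a typo in the list, silently drops out of whatever handling the non-readonly path receives; keeping a list of the read-only methods instead and returning false for anything unlisted would fail closed. The membership test should also be strict, `if (in_array($cmdtext[0], $write_methods, true)) {`, and `$this->arg('method')` is presumably null when the parameter is absent, which `explode()` turns into `['']` rather than a reportable error. `verify_credentials()` starts in this hunk and continues outside it.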
@@ -32,7 +46,7 @@ class TwitapiaccountAction extends TwitterapiAction {
                        header('Content-Type: application/json; charset=utf-8');                
                        print '{"authorized":true}';
                } else {
-                       common_user_error("API method not found!", $code=404);
+                       common_user_error(_('API method not found!'), $code=404);
                }
                        
                exit();
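Review bot: The rewrapped `common_user_error` call keeps the `$code=404` assignment-as-argument, which PHP evaluates as an ordinary positional argument while also creating an unused local `$code`; the plainer form is `common_user_error(_('API method not found!'), 404);`. The same pattern survives in the `common_server_error` calls rewrapped in the `end_session`, `update_delivery_device` and `rate_limit_status` hunks below.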
@@ -40,20 +54,24 @@ class TwitapiaccountAction extends TwitterapiAction {
        
        function end_session($args, $apidata) {
                parent::handle($args);
-               common_server_error("API method under construction.", $code=501);
+               common_server_error(_('API method under construction.'), $code=501);
                exit();
        }
        
        function update_location($args, $apidata) {
                parent::handle($args);
 
+               if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+                       $this->client_error(_('This method requires a POST.'), 400, $apidata['content-type']);
+                       exit();
+               }
+
                $location = trim($this->arg('location'));
 
                if (!is_null($location) && strlen($location) > 255) {
                        
-                       // XXX: But Twitter just truncates and runs with it. -- Zach
-                       header('HTTP/1.1 406 Not Acceptable');                  
-                       print "That's too long. Max notice size is 255 chars.\n";
+                       // XXX: But Twitter just truncates and runs with it. -- Zach                    
+                       $this->client_error(_('That\'s too long. Max notice size is 255 chars.'), 406, $apidate['content-type']);
                        exit();
                }
                
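Review bot: `$apidate['content-type']` on the 406 branch of `update_location` is a typo for `$apidata`, so the over-length error is emitted with a null content type (plus an undefined-variable notice) instead of the caller's requested format; the line should read `$this->client_error(_('That\'s too long. Max notice size is 255 chars.'), 406, $apidata['content-type']);`. Separately, `trim()` never returns null, so the `!is_null($location)` half of the guard on the preceding line is always true and `if (strlen($location) > 255) {` is sufficient, though that guard predates this commit. `update_location()` continues past the end of the hunk.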
@@ -80,9 +98,11 @@ class TwitapiaccountAction extends TwitterapiAction {
                }
 
                common_broadcast_profile($profile);
+               $type = $apidata['content-type'];
                
-               $apidata['api_arg'] = $user->id;
-               $this->show($args, $apidata);
+               $this->init_document($type);
+               $this->show_profile($profile, $type);
+               $this->end_document($type);
                
                exit();
        }
@@ -90,13 +110,13 @@ class TwitapiaccountAction extends TwitterapiAction {
 
        function update_delivery_device($args, $apidata) {
                parent::handle($args);
-               common_server_error("API method under construction.", $code=501);
+               common_server_error(_('API method under construction.'), $code=501);
                exit();
        }
        
        function rate_limit_status($args, $apidata) {
                parent::handle($args);
-               common_server_error("API method under construction.", $code=501);
+               common_server_error(_('API method under construction.'), $code=501);
                exit();
        }
 }
\ No newline at end of file