define('TIMESTAMP_THRESHOLD', 300);
class UserauthorizationAction extends Action {
+
function handle($args) {
parent::handle($args);
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ # CSRF protection
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $req = $this->get_stored_request();
+ $this->show_form(_('There was a problem with your session token. Try again, please.'), $req);
+ return;
+ }
# We've shown the form, now post user's choice
$this->send_authorization();
} else {
if (!common_logged_in()) {
# Go log in, and then come back
- common_debug('userauthorization.php - saving URL for returnto');
+ common_debug('saving URL for returnto', __FILE__);
$argsclone = $_GET;
unset($argsclone['action']);
common_set_returnto(common_local_url('userauthorization', $argsclone));
- common_debug('userauthorization.php - redirecting to login');
+ common_debug('redirecting to login', __FILE__);
common_redirect(common_local_url('login'));
return;
}
try {
# this must be a new request
- common_debug('userauthorization.php - getting new request');
+ common_debug('getting new request', __FILE__);
$req = $this->get_new_request();
if (!$req) {
- common_server_error(_t('No request found!'));
+ $this->client_error(_('No request found!'));
}
- common_debug('userauthorization.php - validating request');
+ common_debug('validating request', __FILE__);
# XXX: only validate new requests, since nonce is one-time use
$this->validate_request($req);
- common_debug('userauthorization.php - showing form');
+ common_debug('showing form', __FILE__);
$this->store_request($req);
$this->show_form($req);
} catch (OAuthException $e) {
$this->clear_request();
- common_server_error($e->getMessage());
+ $this->client_error($e->getMessage());
return;
}
$location = $req->get_parameter('omb_listenee_location');
$avatar = $req->get_parameter('omb_listenee_avatar');
- common_show_header(_t('Authorize subscription'));
- common_element('p', NULL, _t('Please check these details to make sure '.
+ common_show_header(_('Authorize subscription'));
+ common_element('p', NULL, _('Please check these details to make sure '.
'that you want to subscribe to this user\'s notices. '.
'If you didn\'t just ask to subscribe to someone\'s notices, '.
'click "Cancel".'));
'id' => 'userauthorization',
'name' => 'userauthorization',
'action' => common_local_url('userauthorization')));
- common_submit('accept', _t('Accept'));
- common_submit('reject', _t('Reject'));
+ common_hidden('token', common_session_token());
+ common_submit('accept', _('Accept'));
+ common_submit('reject', _('Reject'));
common_element_end('form');
common_show_footer();
}
$req = $this->get_stored_request();
if (!$req) {
- common_user_error(_t('No authorization request!'));
+ common_user_error(_('No authorization request!'));
return;
}
if ($this->arg('accept')) {
if (!$this->authorize_token($req)) {
- common_server_error(_t('Error authorizing token'));
+ $this->client_error(_('Error authorizing token'));
}
if (!$this->save_remote_profile($req)) {
- common_server_error(_t('Error saving remote profile'));
+ $this->client_error(_('Error saving remote profile'));
}
if (!$callback) {
$this->show_accept_message($req->get_parameter('oauth_token'));
}
function show_accept_message($tok) {
- common_show_header(_t('Subscription authorized'));
+ common_show_header(_('Subscription authorized'));
common_element('p', NULL,
- _t('The subscription has been authorized, but no '.
+ _('The subscription has been authorized, but no '.
'callback URL was passed. Check with the site\'s instructions for '.
'details on how to authorize the subscription. Your subscription token is:'));
common_element('blockquote', 'token', $tok);
}
function show_reject_message($tok) {
- common_show_header(_t('Subscription rejected'));
+ common_show_header(_('Subscription rejected'));
common_element('p', NULL,
- _t('The subscription has been rejected, but no '.
+ _('The subscription has been rejected, but no '.
'callback URL was passed. Check with the site\'s instructions for '.
'details on how to fully reject the subscription.'));
common_show_footer();
if ($version != OMB_VERSION_01) {
throw new OAuthException("OpenMicroBlogging version '$version' not supported");
}
- $user = User::staticGet('uri', $req->get_parameter('omb_listener'));
+ $listener = $req->get_parameter('omb_listener');
+ $user = User::staticGet('uri', $listener);
if (!$user) {
throw new OAuthException("Listener URI '$listener' not found here");
}
projects / quix0rs-gnu-social.git / blobdiff