Merge branch 'nightly' into 'nightly'
index 2f2e50a4d747b852f1fcbfb18eed1e384cd9b69b..a3deccd3da0e05aa25808b6ab9296a4790d76a8d 100644 (file)
@@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction
         // NOTE: $this->scoped and $this->auth_user has to get set in
         // prepare(), not handle(), as subclasses use them in prepares.
 
-        // Allow regular login session
-        if (common_logged_in()) {
+        // Allow regular login session, but we have to double-check the
+        // HTTP_REFERER value to avoid cross domain POSTing since the API
+        // doesn't use the "token" form field.
+        if (common_logged_in() && common_local_referer()) {
             $this->scoped = Profile::current();
             $this->auth_user = $this->scoped->getUser();
             if (!$this->auth_user->hasRight(Right::API)) {
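Review bot: The Referer comparison added on the `if (common_logged_in() && common_local_referer())` line is a weak CSRF defence, because the Referer header is routinely absent (Referrer-Policy no-referrer, privacy extensions, some proxies) and whether `common_local_referer()` treats a missing header as local or foreign is not visible here; if it accepts an empty Referer, a cross-origin page can drop the header with `<meta name="referrer" content="no-referrer">` and the check is bypassed, and if it rejects it, legitimately logged-in clients silently fall through to the Basic/OAuth path below instead of getting an error. The comment also only mentions cross-domain POSTing, yet the condition gates every request method, which should be stated. I would extend the comment to `// NOTE: a missing/foreign Referer drops the session silently and the request continues as unauthenticated; Referer checks are bypassable, so prefer the session "token" where the client can supply it.` and confirm the empty-Referer behaviour of `common_local_referer()`. The enclosing prepare() body continues past this hunk.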
@@ -295,7 +297,7 @@ class ApiAuthAction extends ApiAction
             // TRANS: Client error thrown when authentication fails because a user clicked "Cancel".
             $this->clientError(_('Could not authenticate you.'), 401);
 
-        } elseif ($required) {
+        } else {
             // $this->auth_user_nickname - i.e. PHP_AUTH_USER - will have a value since it was not empty
 
             $user = common_check_user($this->auth_user_nickname,
@@ -314,10 +316,10 @@ class ApiAuthAction extends ApiAction
                 $this->auth_user = null;
             }
 
-            // By default, basic auth users have rw access
-            $this->access = self::READ_WRITE;
-
-            if (!$this->auth_user instanceof User) {
+            if ($required && $this->auth_user instanceof User) {
+                // By default, basic auth users have rw access
+                $this->access = self::READ_WRITE;
+            } elseif ($required) {
                 $msg = sprintf(
                     "basic auth nickname = %s",
                     $this->auth_user_nickname
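Review bot: After this restructuring, Basic credentials that were presented but failed `common_check_user()` are only rejected when `$required` is true; per the comment at the top of this branch, `auth_user_nickname` is always non-empty here, so on an optional-auth action a wrong password no longer produces a 401 and the request proceeds as an anonymous caller (the handling of that case continues beyond this hunk). That hides credential failures from clients and from server logs. Unless silently ignoring bad credentials on optional-auth endpoints is intentional, I would change the two conditions to `if ($this->auth_user instanceof User) {` and `} else {` so presented-but-invalid credentials always get the 401 with the WWW-Authenticate header, regardless of `$required`. The enclosing function starts and ends outside this hunk.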
@@ -328,10 +330,10 @@ class ApiAuthAction extends ApiAction
                 header('WWW-Authenticate: Basic realm="' . $realm . '"');
                 // TRANS: Client error thrown when authentication fails.
                 $this->clientError(_('Could not authenticate you.'), 401);
+            } else {
+                // all get rw access for actions that don't require auth
+                $this->access = self::READ_WRITE;
             }
-        } else {
-            // all get rw access for actions that don't require auth
-            $this->access = self::READ_WRITE;
         }
     }