Merge remote-tracking branch 'upstream/2021.12-rc' into user-banner
[friendica.git] / src / Module / BaseApi.php
index cd9cfb8f5cd06948713d0a7e17d6d1bc4e662559..b6824140db632ab8b73afbff30f0042baf6af2ea 100644 (file)
@@ -1,6 +1,6 @@
 <?php
 /**
- * @copyright Copyright (C) 2010-2021, the Friendica project
+ * @copyright Copyright (C) 2010-2022, the Friendica project
  *
  * @license GNU AGPL version 3 or any later version
  *
@@ -22,6 +22,7 @@
 namespace Friendica\Module;
 
 use Friendica\App;
+use Friendica\App\Router;
 use Friendica\BaseModule;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
@@ -36,6 +37,7 @@ use Friendica\Security\BasicAuth;
 use Friendica\Security\OAuth;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Psr\Http\Message\ResponseInterface;
 use Psr\Log\LoggerInterface;
 
 class BaseApi extends BaseModule
@@ -70,40 +72,31 @@ class BaseApi extends BaseModule
                $this->app = $app;
        }
 
-       protected function delete(array $request = [])
-       {
-               self::checkAllowedScope(self::SCOPE_WRITE);
-
-               if (!$this->app->isLoggedIn()) {
-                       throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
-               }
-       }
-
-       protected function patch(array $request = [])
-       {
-               self::checkAllowedScope(self::SCOPE_WRITE);
-
-               if (!$this->app->isLoggedIn()) {
-                       throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
-               }
-       }
-
-       protected function post(array $request = [])
+       /**
+        * Additionally checks, if the caller is permitted to do this action
+        *
+        * {@inheritDoc}
+        *
+        * @throws HTTPException\ForbiddenException
+        */
+       public function run(array $request = [], bool $scopecheck = true): ResponseInterface
        {
-               self::checkAllowedScope(self::SCOPE_WRITE);
-
-               if (!$this->app->isLoggedIn()) {
-                       throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
+               if ($scopecheck) {
+                       switch ($this->args->getMethod()) {
+                               case Router::DELETE:
+                               case Router::PATCH:
+                               case Router::POST:
+                               case Router::PUT:
+                                       self::checkAllowedScope(self::SCOPE_WRITE);
+       
+                                       if (!self::getCurrentUserID()) {
+                                               throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
+                                       }
+                                       break;
+                       }       
                }
-       }
-
-       public function put(array $request = [])
-       {
-               self::checkAllowedScope(self::SCOPE_WRITE);
 
-               if (!$this->app->isLoggedIn()) {
-                       throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
-               }
+               return parent::run($request);
        }
 
        /**
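Review bot: The new `$scopecheck` parameter on the public `run()` lets any caller skip both `self::checkAllowedScope(self::SCOPE_WRITE)` and the logged-in test, and the docblock does not mention it. Document the bypass explicitly, for example `@param bool $scopecheck Pass false only when the caller has already enforced write scope and authentication`, so each use of `false` is a visible, reviewable decision. The `switch` also lists only the write verbs and has no `default`, so any method value other than DELETE, PATCH, POST or PUT reaches `parent::run($request)` unchecked. Whether such a value can arrive depends on what the router accepts, which is not visible in this hunk, but skipping the check only for known read-only methods would fail closed. The login test also changed from `$this->app->isLoggedIn()` to `self::getCurrentUserID()`, which is defined outside this hunk; confirm it returns a falsy value for every unauthenticated request on both the OAuth and BasicAuth paths the file imports.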