X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;ds=sidebyside;f=lib%2Fapiauth.php;h=8a1af8c27d3d9048f73aa74a082cb26162263516;hb=f23184a8d6778b8aecfb5dca2c8de9dfb850bf15;hp=0cc184c04c678e3ee1183fc53326d390db8a9e12;hpb=c309bbae93aff3e4a47095bf15063725de107215;p=quix0rs-gnu-social.git
diff --git a/lib/apiauth.php b/lib/apiauth.php
index 0cc184c04c..8a1af8c27d 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction
 // Set the auth user
 if (Event::handle('StartSetApiUser', array(&$user))) {
- $this->auth_user = User::staticGet('id', $appUser->profile_id);
+ $user = User::staticGet('id', $appUser->profile_id);
+ if (!empty($user)) {
+ if (!$user->hasRight(Right::API)) {
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
+ }
+ $this->auth_user = $user;
 Event::handle('EndSetApiUser', array($user));
 }
@@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction
 if (Event::handle('StartSetApiUser', array(&$user))) {
 if (!empty($user)) {
+ if (!$user->hasRight(Right::API)) {
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
 $this->auth_user = $user;
 }
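Review bot: In the first hunk the `Right::API` check is skipped whenever `User::staticGet('id', $appUser->profile_id)` returns nothing, and that empty value is still assigned to `$this->auth_user` and passed to `EndSetApiUser`, so a token whose profile has no matching user fails open at this point. Whether later code rejects an empty `auth_user` is outside the hunk, so I would fail closed here and fold the nested ifs into one guard: `if (empty($user) || !$user->hasRight(Right::API)) { throw new AuthorizationException(_('Not allowed to use API.')); }`. The enclosing method starts and ends outside the hunk.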
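Review bot: The new `hasRight(Right::API)` check sits inside the `if (Event::handle('StartSetApiUser', array(&$user)))` branch, here and in the first hunk, so it runs only on the default path; if a handler returns false to take over setting the user, nothing visible in either hunk enforces the right. Consider moving the check to after the event block and testing `$this->auth_user`, so it applies however the user was set, and keeping it in one private helper instead of two copies. A comment such as `// Right::API must hold for every auth path, including users set by StartSetApiUser handlers` would record the intent. The enclosing method continues outside the hunk.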