X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fapi.php;h=b8da852b536d469682f6fcee277894247696695e;hb=b4e649fe906a793cd5e62d6390065ea5d41c40db;hp=47c1196052e25bd5a3ccf3dfe0a84b1ddcd55765;hpb=12c475c101c070cbcc4c63f7b1049f6d3282b9ee;p=quix0rs-gnu-social.git
diff --git a/actions/api.php b/actions/api.php
index 47c1196052..b8da852b53 100644
--- a/actions/api.php
+++ b/actions/api.php
@@ -67,15 +67,20 @@ class ApiAction extends Action
 $this->process_command();
 } else {
 # basic authentication failed
+ common_log(LOG_WARNING, "Failed API auth attempt, nickname: $nickname.");
 $this->show_basic_auth_error();
 }
 }
 } else {
- # Look for the user in the session
- if (common_logged_in()) {
- $this->user = common_current_user();
- }
+ # Caller might give us a username even if not required
+ if (isset($_SERVER['PHP_AUTH_USER'])) {
+ $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
+ if ($user) {
+ $this->user = $user;
+ }
+ # Twitter doesn't throw an error if the user isn't found
+ }
 $this->process_command();
 }
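Review bot: The new `else` branch assigns `$this->user` from `$_SERVER['PHP_AUTH_USER']` without ever checking the password that accompanies it, so on any method where authentication is not required the request proceeds with `$this->user` set to whatever existing nickname the client put in the Authorization header. How much that matters depends on how process_command() and the individual API methods consult `$this->user`, which is outside this hunk, but an asserted identity should be verified before it is stored: change the guard to `if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))`, obtain `$user` from the same credential check the required-auth branch above uses, and leave `$this->user` unset when that check fails (still without emitting an error, to keep the Twitter-compatible behaviour the comment describes). The added `common_log` line also writes the client-supplied `$nickname` into the log verbatim; stripping control characters (at least CR/LF) before interpolating it keeps a crafted nickname from forging log lines. The enclosing method starts before this hunk.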
@@ -123,21 +128,24 @@ class ApiAction extends Action
 'laconica/wadl');
 static $bareauth = array('statuses/user_timeline',
+ 'statuses/friends_timeline',
 'statuses/friends',
+ 'statuses/replies',
+ 'statuses/mentions',
 'statuses/followers',
 'favorites/favorites');
- # If the site is "private", all API methods need authentication
+ $fullname = "$this->api_action/$this->api_method";
+ // If the site is "private", all API methods except laconica/config
+ // need authentication
 if (common_config('site', 'private')) {
- return true;
+ return $fullname != 'laconica/config' || false;
 }
- $fullname = "$this->api_action/$this->api_method";
-
 if (in_array($fullname, $bareauth)) {
- # bareauth: only needs auth if without an argument
- if ($this->api_arg) {
+ # bareauth: only needs auth if without an argument or query param specifying user
+ if ($this->api_arg || $this->arg('id') || is_numeric($this->arg('user_id')) || $this->arg('screen_name')) {
 return false;
 } else {
 return true;
@@ -158,12 +166,12 @@ class ApiAction extends Action
 if ($this->content_type == 'xml') {
 header('Content-Type: application/xml; charset=utf-8');
- common_start_xml();
+ $this->startXML();
 $this->elementStart('hash');
 $this->element('error', null, $msg);
 $this->element('request', null, $_SERVER['REQUEST_URI']);
 $this->elementEnd('hash');
- common_end_xml();
+ $this->endXML();
 } else if ($this->content_type == 'json') {
 header('Content-Type: application/json; charset=utf-8');
 $error_array = array('error' => $msg, 'request' => $_SERVER['REQUEST_URI']);
@@ -174,11 +182,11 @@ class ApiAction extends Action
 }
 }
- function isReadOnly()
+ function isReadOnly($args)
 {
- # NOTE: before handle(), can't use $this->arg
- $apiaction = $_REQUEST['apiaction'];
- $method = $_REQUEST['method'];
+ $apiaction = $args['apiaction'];
+ $method = $args['method'];
+
 list($cmdtext, $fmt) = explode('.', $method);
 static $write_methods = array(
@@ -201,5 +209,4 @@ class ApiAction extends Action
 return false;
 }
-
 }
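Review bot: `return $fullname != 'laconica/config' || false;` in the private-site branch carries a dead `|| false` (the comparison is already a bool) and a loose `!=` where both operands are strings; write it as `return $fullname !== 'laconica/config';`. The new bareauth condition mixes truthiness tests (`$this->arg('id')`, `$this->arg('screen_name')`) with `is_numeric($this->arg('user_id'))`, so a value such as `'0'` counts as absent for the first two and the request falls back to requiring authentication — that errs in the safe direction, but a uniform test (or a short comment stating that only non-empty values exempt the request) would make the intent explicit. The enclosing method starts before this hunk and continues after it.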
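Review bot: In isReadOnly(), `$args['apiaction']` and `$args['method']` are read without checking that the keys exist, so a request that arrives without them raises undefined-index notices and passes `null` to the `explode('.', $method)` call on the following context line; guard them with `$apiaction = isset($args['apiaction']) ? $args['apiaction'] : '';` and `$method = isset($args['method']) ? $args['method'] : '';`. With an empty string the `list($cmdtext, $fmt)` destructure still yields a defined `$cmdtext`, and the method presumably falls through to the `return false;` visible in the final hunk, so a malformed request is not classified as read-only by accident — worth confirming against the body between the two hunks. The method continues past this hunk.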