X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fuserauthorization.php;h=e91c41fb3e518f555e4ccd94e22f1ff396120549;hb=1ef5cf964ef65b248dc150660124e95dcd933106;hp=f1f2d8305615ca49ee472f55fcb5b0258c22b3f5;hpb=2bf7717dddf4f07df959bbac0da9e6f6e5024261;p=quix0rs-gnu-social.git
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index f1f2d83056..e91c41fb3e 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -30,39 +30,35 @@ class UserauthorizationAction extends Action {
 # We've shown the form, now post user's choice
 $this->send_authorization();
 } else {
+ if (!common_logged_in()) {
+ # Go log in, and then come back
+ common_debug('userauthorization.php - saving URL for returnto');
+ $argsclone = $_GET;
+ unset($argsclone['action']);
+ common_set_returnto(common_local_url('userauthorization', $argsclone));
+ common_debug('userauthorization.php - redirecting to login');
+ common_redirect(common_local_url('login'));
+ return;
+ }
 try {
- common_debug('userauthorization.php - fetching request');
- # We get called after login if we have a stored request
- $req = $this->get_stored_request();
+ # this must be a new request
+ common_debug('userauthorization.php - getting new request');
+ $req = $this->get_new_request();
 if (!$req) {
- # this must be a new request
- common_debug('userauthorization.php - getting new request');
- $req = $this->get_new_request();
- if (!$req) {
- common_server_error(_t('No request found!'));
- }
- common_debug('userauthorization.php - validating request');
- # XXX: only validate new requests, since nonce is one-time use
- $this->validate_request($req);
+ common_server_error(_t('No request found!'));
 }
+ common_debug('userauthorization.php - validating request');
+ # XXX: only validate new requests, since nonce is one-time use
+ $this->validate_request($req);
+ common_debug('userauthorization.php - showing form');
+ $this->store_request($req);
+ $this->show_form($req);
 } catch (OAuthException $e) {
 $this->clear_request();
 common_server_error($e->getMessage());
 return;
 }
- if (common_logged_in()) {
- common_debug('userauthorization.php - showing form');
- $this->show_form($req);
- } else {
- common_debug('userauthorization.php - storing request in session');
- # Go log in, and then come back
- $this->store_request($req);
- common_debug('userauthorization.php - saving URL for returnto');
- common_set_returnto(common_local_url('userauthorization'));
- common_debug('userauthorization.php - redirecting to login');
- common_redirect(common_local_url('login'));
- }
 }
 }
@@ -136,8 +132,12 @@ class UserauthorizationAction extends Action {
 $callback = $req->get_parameter('oauth_callback');
 if ($this->arg('accept')) {
- $this->authorize_token($req);
- $this->save_remote_profile($req);
+ if (!$this->authorize_token($req)) {
+ common_server_error(_t('Error authorizing token'));
+ }
+ if (!$this->save_remote_profile($req)) {
+ common_server_error(_t('Error saving remote profile'));
+ }
 if (!$callback) {
 $this->show_accept_message($req->get_parameter('oauth_token'));
 } else {
@@ -185,15 +185,22 @@ class UserauthorizationAction extends Action {
 }
 function authorize_token(&$req) {
- $consumer_key = @$req->get_parameter('oauth_consumer_key');
- $token_field = @$req->get_parameter('oauth_token');
+ $consumer_key = $req->get_parameter('oauth_consumer_key');
+ $token_field = $req->get_parameter('oauth_token');
+ common_debug('consumer key = "'.$consumer_key.'"', __FILE__);
+ common_debug('token field = "'.$token_field.'"', __FILE__);
 $rt = new Token();
 $rt->consumer_key = $consumer_key;
 $rt->tok = $token_field;
- if ($rt->find(TRUE)) {
+ $rt->type = 0;
+ $rt->state = 0;
+ common_debug('request token to look up: "'.print_r($rt,TRUE).'"');
+ if ($rt->find(true)) {
+ common_debug('found request token to authorize', __FILE__);
 $orig_rt = clone($rt);
 $rt->state = 1; # Authorized but not used
 if ($rt->update($orig_rt)) {
+ common_debug('updated request token so it is authorized', __FILE__);
 return true;
 }
 }
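Review bot: In the new `if (!$req)` branch, `common_server_error(_t('No request found!'));` is not followed by a return, so unless common_server_error terminates the request, execution continues into `$this->validate_request($req)` and `$this->store_request($req)` with a null `$req`; the catch block just below uses `return;` after the same call, which suggests the author does not rely on it exiting. Add the same guard here: `common_server_error(_t('No request found!')); return;`. The two new `common_server_error` calls in the hunk at -136 have the same shape — on an authorize_token or save_remote_profile failure, control falls through to the accept message or the callback redirect — and want a `return;` as well. The enclosing handler method begins and continues outside this hunk.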
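Review bot: When `save_remote_profile($req)` returns false, `authorize_token($req)` has already moved the request token to state 1 (visible in the hunk at -185), so the consumer can go on to exchange an authorized token for which no remote profile or subscription was created; the new error branch does not undo that. Consider saving the remote profile before authorizing the token, or resetting the token's state on the save failure path, so a failed authorization does not leave a usable token behind. The surrounding send_authorization method starts and ends outside the hunk.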
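Review bot: The new line `common_debug('request token to look up: "'.print_r($rt,TRUE).'"');` serializes the whole Token object into the debug log; if Token carries the token secret (as OAuth request tokens normally do — the class is not visible here), that secret lands in the log next to the consumer key and token already logged two lines above. Log only the identifying fields instead, e.g. `common_debug('request token to look up: consumer_key="'.$consumer_key.'" tok="'.$token_field.'"', __FILE__);`, and drop the print_r. Narrowing the lookup with `$rt->type = 0; $rt->state = 0;` is a good change, since it stops an already-authorized or already-exchanged token from being authorized again. authorize_token continues past the end of the hunk.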
@@ -206,7 +213,8 @@ class UserauthorizationAction extends Action {
 # FIXME: we should really do this when the consumer comes
 # back for an access token. If they never do, we've got stuff in a
 # weird state.
-
+
+ $nickname = $req->get_parameter('omb_listenee_nickname');
 $fullname = $req->get_parameter('omb_listenee_fullname');
 $profile_url = $req->get_parameter('omb_listenee_profile');
 $homepage = $req->get_parameter('omb_listenee_homepage');
@@ -225,7 +233,7 @@ class UserauthorizationAction extends Action {
 } else {
 $exists = false;
 $remote = new Remote_profile();
- $remote->uri = $omb['listener'];
+ $remote->uri = $listenee;
 $profile = new Profile();
 }
@@ -250,18 +258,27 @@ class UserauthorizationAction extends Action {
 } else {
 $profile->created = DB_DataObject_Cast::dateTime(); # current time
 $id = $profile->insert();
+ if (!$id) {
+ return FALSE;
+ }
 $remote->id = $id;
 }
- if ($avatar_url) {
- $this->add_avatar($avatar_url);
- }
-
 if ($exists) {
- $remote->update($orig_remote);
+ if (!$remote->update($orig_remote)) {
+ return FALSE;
+ }
 } else {
 $remote->created = DB_DataObject_Cast::dateTime(); # current time
- $remote->insert();
+ if (!$remote->insert()) {
+ return FALSE;
+ }
+ }
+
+ if ($avatar_url) {
+ if (!$this->add_avatar($profile, $avatar_url)) {
+ return FALSE;
+ }
 }
 $user = common_current_user();
@@ -276,9 +293,16 @@ class UserauthorizationAction extends Action {
 $sub->created = DB_DataObject_Cast::dateTime(); # current time
 if (!$sub->insert()) {
- common_user_error(_t('Couldn\'t insert new subscription.'));
- return;
+ return FALSE;
 }
+
+ return TRUE;
+ }
+
+ function add_avatar($profile, $url) {
+ $temp_filename = tempnam(sys_get_temp_dir(), 'listenee_avatar');
+ copy($url, $temp_filename);
+ return $profile->setOriginal($temp_filename);
 }
 function show_accept_message($tok) {
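Review bot: The new `return FALSE;` paths in the -250 hunk leave partially written rows behind: once `$id = $profile->insert()` has succeeded, a failure in `$remote->insert()` or in `add_avatar` returns with an orphaned Profile row and no Remote_profile, and the subscription insert in the next hunk can fail after both rows exist. If the DB_DataObject layer in use supports transactions, wrap the profile, remote-profile and subscription writes in one; otherwise delete the freshly inserted profile on those failure paths before returning, so a retried authorization starts from a clean state. The enclosing save_remote_profile method begins outside the hunk.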
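Review bot: In the new `add_avatar`, the return value of `copy($url, $temp_filename)` is ignored, so a failed or interrupted download hands an empty temp file to `$profile->setOriginal`, and the file created by `tempnam` is never removed on either path. `copy()` here is also a server-side HTTP fetch of the URL carried in the OMB request — validate_request checks it as an http URL, but this is a second fetch, so the bytes stored are not necessarily the ones that were checked there. Check the copy result and remove the temp file once setOriginal has consumed it (this assumes setOriginal copies rather than moves the file, which is not visible here); the rewrite below does both.
```php
function add_avatar($profile, $url) {
    $temp_filename = tempnam(sys_get_temp_dir(), 'listenee_avatar');
    if (!$temp_filename || !copy($url, $temp_filename)) {
        return FALSE;
    }
    $result = $profile->setOriginal($temp_filename);
    if (file_exists($temp_filename)) {
        unlink($temp_filename);
    }
    return $result;
}
```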
@@ -305,7 +329,7 @@ class UserauthorizationAction extends Action {
 $_SESSION['userauthorizationrequest'] = $req;
 }
- function clear_request($req) {
+ function clear_request() {
 common_ensure_session();
 unset($_SESSION['userauthorizationrequest']);
 }
@@ -364,12 +388,27 @@ class UserauthorizationAction extends Action {
 if (!$user) {
 throw new OAuthException("Listener URI '$listener' not found here");
 }
+ $cur = common_current_user();
+ if ($cur->id != $user->id) {
+ throw new OAuthException("Can't add for another user!");
+ }
 $listenee = $req->get_parameter('omb_listenee');
- if (!Validate::uri($listenee)) {
- throw new OAuthException("Listenee URI '$listenee' not a valid URI");
- } else if (strlen($listenee) > 255) {
+ if (!Validate::uri($listenee) &&
+ !common_valid_tag($listenee)) {
+ throw new OAuthException("Listenee URI '$listenee' not a recognizable URI");
+ }
+ if (strlen($listenee) > 255) {
 throw new OAuthException("Listenee URI '$listenee' too long");
 }
+ $remote = Remote_profile::staticGet('uri', $listenee);
+ if ($remote) {
+ $sub = new Subscription();
+ $sub->subscriber = $user->id;
+ $sub->subscribed = $remote->id;
+ if ($sub->find(TRUE)) {
+ throw new OAuthException("Already subscribed to user!");
+ }
+ }
 $nickname = $req->get_parameter('omb_listenee_nickname');
 if (!Validate::string($nickname, array('min_length' => 1,
 'max_length' => 64,
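Review bot: The new ownership check `if ($cur->id != $user->id)` dereferences the result of `common_current_user()` without a null check; the handler in the -30 hunk only reaches validate_request after its `common_logged_in()` guard, but the method itself can be called from elsewhere, and a null `$cur` here becomes a fatal error instead of the intended OAuthException. Guard it: `if (!$cur || $cur->id != $user->id) {`. Binding the listener to the logged-in user is the right fix, since it stops one user from authorizing a subscription on another user's behalf. The messages thrown in this hunk interpolate the raw `$listener` and `$listenee` values and are later passed to `common_server_error` in the -30 hunk; whether that output path escapes for HTML is not visible here and is worth confirming. validate_request continues past the end of the hunk.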
@@ -402,11 +441,24 @@ class UserauthorizationAction extends Action {
 throw new OAuthException("Location too long '$location'");
 }
 $avatar = $req->get_parameter('omb_listenee_avatar');
- if ($avatar && (!common_valid_http_url($avatar) || strlen($avatar) > 255)) {
- throw new OAuthException("Invalid avatar '$avatar'");
+ if ($avatar) {
+ if (!common_valid_http_url($avatar) || strlen($avatar) > 255) {
+ throw new OAuthException("Invalid avatar URL '$avatar'");
+ }
+ $size = @getimagesize($avatar);
+ if (!$size) {
+ throw new OAuthException("Can't read avatar URL '$avatar'");
+ }
+ if ($size[0] != AVATAR_PROFILE_SIZE || $size[1] != AVATAR_PROFILE_SIZE) {
+ throw new OAuthException("Wrong size image at '$avatar'");
+ }
+ if (!in_array($size[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG,
+ IMAGETYPE_PNG))) {
+ throw new OAuthException("Wrong image type for '$avatar'");
+ }
 }
 $callback = $req->get_parameter('oauth_callback');
- if ($avatar && common_valid_http_url($callback)) {
+ if ($callback && !common_valid_http_url($callback)) {
 throw new OAuthException("Invalid callback URL '$callback'");
 }
 }
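Review bot: The new avatar checks call `@getimagesize($avatar)` on the remote URL, which makes the server fetch the listenee-supplied URL during validation and, with `@`, hides why a fetch failed; since `add_avatar` in the -276 hunk downloads the same URL again with `copy()`, the size and type verified here are not necessarily those of the bytes that end up stored. Run `getimagesize` on the local temp file after the download in add_avatar (or move the dimension and type checks there and drop the network fetch from validate_request), and replace the `@` with the false-return check the code already performs. The corrected callback check `if ($callback && !common_valid_http_url($callback))` fixes the previously inverted condition, which used to reject valid callbacks whenever an avatar was given. The hunk appears to close validate_request; the method's start is outside it.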