X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=1061e6b68c0b6a9d6c034d3b2e4604e1a26c3c6f;hb=0bd26ed3f07e349129e6e72576f081f493779a78;hp=0cc184c04c678e3ee1183fc53326d390db8a9e12;hpb=3a24b95edb87a20302f5d9911763867a0fcb8277;p=quix0rs-gnu-social.git diff --git a/lib/apiauth.php b/lib/apiauth.php index 0cc184c04c..1061e6b68c 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -196,8 +196,20 @@ class ApiAuthAction extends ApiAction // Set the auth user if (Event::handle('StartSetApiUser', array(&$user))) { - $this->auth_user = User::staticGet('id', $appUser->profile_id); - Event::handle('EndSetApiUser', array($user)); + $user = User::staticGet('id', $appUser->profile_id); + if (!empty($user)) { + if (!$user->hasRight(Right::API)) { + // TRANS: Authorization exception thrown when a user without API access tries to access the API. + throw new AuthorizationException(_('Not allowed to use API.')); + } + } + $this->auth_user = $user; + // FIXME: setting the value returned by common_current_user() + // There should probably be a better method for this. common_set_user() + // does lots of session stuff. + global $_cur; + $_cur = $this->auth_user; + Event::handle('EndSetApiUser', array($user)); } $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . @@ -219,7 +231,7 @@ class ApiAuthAction extends ApiAction throw new OAuthException(_('Bad access token.')); } } else { - // Also should not happen + // Also should not happen. // TRANS: OAuth exception given when no user was found for a given token (no token was found). throw new OAuthException(_('No user for that token.')); } @@ -274,6 +286,10 @@ class ApiAuthAction extends ApiAction if (Event::handle('StartSetApiUser', array(&$user))) { if (!empty($user)) { + if (!$user->hasRight(Right::API)) { + // TRANS: Authorization exception thrown when a user without API access tries to access the API. + throw new AuthorizationException(_('Not allowed to use API.')); + } $this->auth_user = $user; }