X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=25e2196cf2c4bc0e004d5eb930146961c35112ab;hb=32084e33a266797b306158df29e48f057651b410;hp=d441014addfaa1c283b6d79d3555055de9be6325;hpb=324590c46eba2900164d0487a2d525ea4e9f93b8;p=quix0rs-gnu-social.git

diff --git a/lib/apiauth.php b/lib/apiauth.php
index d441014add..25e2196cf2 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -55,11 +55,11 @@ class ApiAuthAction extends ApiAction
 {
     var $auth_user_nickname = null;
     var $auth_user_password = null;
-    var $access_token       = null;
     var $oauth_source       = null;
 
     /**
-     * Take arguments for running, and output basic auth header if needed
+     * Take arguments for running, looks for an OAuth request,
+     * and outputs basic auth header if needed
      *
      * @param array $args $_REQUEST args
      *
@@ -71,34 +71,26 @@ class ApiAuthAction extends ApiAction
     {
         parent::prepare($args);
 
-        $this->consumer_key = $this->arg('oauth_consumer_key');
-        $this->access_token = $this->arg('oauth_token');
-
         // NOTE: $this->auth_user has to get set in prepare(), not handle(),
         // because subclasses do stuff with it in their prepares.
 
-        if ($this->requiresAuth()) {
-            if (!empty($this->access_token)) {
-                $this->checkOAuthRequest();
-            } else {
-                $this->checkBasicAuthUser(true);
-            }
-        } else {
+        $oauthReq = $this->getOAuthRequest();
 
-            // Check to see if a basic auth user is there even
-            // if one's not required
-
-            if (empty($this->access_token)) {
+        if (!$oauthReq) {
+            if ($this->requiresAuth()) {
+                $this->checkBasicAuthUser(true);
+            } else {
+                // Check to see if a basic auth user is there even
+                // if one's not required
                 $this->checkBasicAuthUser(false);
             }
+        } else {
+            $this->checkOAuthRequest($oauthReq);
         }
 
         // Reject API calls with the wrong access level
 
         if ($this->isReadOnly($args) == false) {
-
-            common_debug(get_class($this) . ' is not read-only!');
-
             if ($this->access != self::READ_WRITE) {
                 $msg = _('API resource requires read-write access, ' .
                          'but you only have read access.');
@@ -110,12 +102,42 @@ class ApiAuthAction extends ApiAction
         return true;
     }
 
-    function handle($args)
+    /**
+     * Determine whether the request is an OAuth request.
+     * This is to avoid doign any unnecessary DB lookups.
+     *
+     * @return mixed the OAuthRequest or false
+     */
+
+    function getOAuthRequest()
     {
-        parent::handle($args);
+        ApiOauthAction::cleanRequest();
+
+        $req  = OAuthRequest::from_request();
+
+        $consumer    = $req->get_parameter('oauth_consumer_key');
+        $accessToken = $req->get_parameter('oauth_token');
+
+        // XXX: Is it good enough to assume it's not meant to be an
+        // OAuth request if there is no consumer or token? --Z
+
+        if (empty($consumer) || empty($accessToken)) {
+            return false;
+        }
+
+        return $req;
     }
 
-    function checkOAuthRequest()
+    /**
+     * Verifies the OAuth request signature, sets the auth user
+     * and access type (read-only or read-write)
+     *
+     * @param OAuthRequest $request the OAuth Request
+     *
+     * @return nothing
+     */
+
+    function checkOAuthRequest($request)
     {
         $datastore   = new ApiStatusNetOAuthDataStore();
         $server      = new OAuthServer($datastore);
@@ -123,22 +145,19 @@ class ApiAuthAction extends ApiAction
 
         $server->add_signature_method($hmac_method);
 
-        ApiOauthAction::cleanRequest();
-
         try {
 
-            $req  = OAuthRequest::from_request();
-            $server->verify_request($req);
+            $server->verify_request($request);
 
-            $app = Oauth_application::getByConsumerKey($this->consumer_key);
+            $consumer     = $request->get_parameter('oauth_consumer_key');
+            $access_token = $request->get_parameter('oauth_token');
 
-            if (empty($app)) {
+            $app = Oauth_application::getByConsumerKey($consumer);
 
-                // this should probably not happen
+            if (empty($app)) {
                 common_log(LOG_WARNING,
                            'Couldn\'t find the OAuth app for consumer key: ' .
-                           $this->consumer_key);
-
+                           $consumer);
                 throw new OAuthException('No application for that consumer key.');
             }
 
@@ -146,11 +165,7 @@ class ApiAuthAction extends ApiAction
 
             $this->oauth_source = $app->name;
 
-            $appUser = Oauth_application_user::staticGet('token',
-                                                         $this->access_token);
-
-            // XXX: Check that app->id and appUser->application_id and consumer all
-            // match?
+            $appUser = Oauth_application_user::staticGet('token', $access_token);
 
             if (!empty($appUser)) {
 
@@ -164,6 +179,8 @@ class ApiAuthAction extends ApiAction
                     $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
                       ? self::READ_WRITE : self::READ_ONLY;
 
+                    // Set the auth user
+
                     if (Event::handle('StartSetApiUser', array(&$user))) {
                         $this->auth_user = User::staticGet('id', $appUser->profile_id);
                         Event::handle('EndSetApiUser', array($user));
@@ -180,7 +197,6 @@ class ApiAuthAction extends ApiAction
                                                  ($this->access = self::READ_WRITE) ?
                                                  'read-write' : 'read-only'
                                                  ));
-                    return;
                 } else {
                     throw new OAuthException('Bad access token.');
                 }