X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=42d32dd624e0014c4e799bc18b3395cfe3725dc1;hb=57198a74647f8350db4de03b0b7ef157091a4359;hp=9c68e27713a1148193c24ea4477de0de0735589c;hpb=696aeea113b88fd0f6b7c4c88eebc2f4f369d245;p=quix0rs-gnu-social.git
diff --git a/lib/apiauth.php b/lib/apiauth.php
index 9c68e27713..42d32dd624 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -30,6 +30,7 @@
 * @author Sarven Capadisli
 * @author Zach Copley
 * @copyright 2009-2010 StatusNet, Inc.
+ * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org
 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
 * @link http://status.net/
 */
@@ -67,7 +68,6 @@ require_once INSTALLDIR . '/lib/apioauth.php';
 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
 * @link http://status.net/
 */
-
 class ApiAuthAction extends ApiAction
 {
 var $auth_user_nickname = null;
@@ -82,7 +82,6 @@ class ApiAuthAction extends ApiAction
 * @return boolean success flag
 *
 */
-
 function prepare($args)
 {
 parent::prepare($args);
@@ -125,7 +124,6 @@ class ApiAuthAction extends ApiAction
 *
 * @return mixed the OAuthRequest or false
 */
-
 function getOAuthRequest()
 {
 ApiOauthAction::cleanRequest();
@@ -153,7 +151,6 @@ class ApiAuthAction extends ApiAction
 *
 * @return nothing
 */
-
 function checkOAuthRequest($request)
 {
 $datastore = new ApiStatusNetOAuthDataStore();
@@ -163,7 +160,6 @@ class ApiAuthAction extends ApiAction
 $server->add_signature_method($hmac_method);
 try {
-
 $server->verify_request($request);
 $consumer = $request->get_parameter('oauth_consumer_key');
@@ -172,61 +168,73 @@ class ApiAuthAction extends ApiAction
 $app = Oauth_application::getByConsumerKey($consumer);
 if (empty($app)) {
- common_log(LOG_WARNING,
- 'Couldn\'t find the OAuth app for consumer key: ' .
- $consumer);
- throw new OAuthException('No application for that consumer key.');
+ common_log(
+ LOG_WARNING,
+ 'API OAuth - Couldn\'t find the OAuth app for consumer key: ' .
+ $consumer
+ );
+ // TRANS: OAuth exception thrown when no application is found for a given consumer key.
+ throw new OAuthException(_('No application for that consumer key.'));
 }
 // set the source attr
+ if ($app->name != 'anonymous') {
+ $this->source = $app->name;
+ }
- $this->source = $app->name;
 $appUser = Oauth_application_user::staticGet('token', $access_token);
 if (!empty($appUser)) {
-
 // If access_type == 0 we have either a request token
 // or a bad / revoked access token
 if ($appUser->access_type != 0) {
-
 // Set the access level for the api call
-
 $this->access = ($appUser->access_type & Oauth_application::$writeAccess) ? self::READ_WRITE : self::READ_ONLY;
 // Set the auth user
-
 if (Event::handle('StartSetApiUser', array(&$user))) {
- $this->auth_user = User::staticGet('id', $appUser->profile_id);
+ $user = User::staticGet('id', $appUser->profile_id);
+ if (!empty($user)) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
+ }
+ $this->auth_user = $user;
 Event::handle('EndSetApiUser', array($user));
 }
 $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
- "application '%s' (id: %d) with %s access.";
-
- common_log(LOG_INFO, sprintf($msg,
- $this->auth_user->nickname,
- $this->auth_user->id,
- $app->name,
- $app->id,
- ($this->access = self::READ_WRITE) ?
- 'read-write' : 'read-only'
- ));
+ "application '%s' (id: %d) with %s access.";
+
+ common_log(
+ LOG_INFO,
+ sprintf(
+ $msg,
+ $this->auth_user->nickname,
+ $this->auth_user->id,
+ $app->name,
+ $app->id,
+ ($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'
+ )
+ );
 } else {
- throw new OAuthException('Bad access token.');
+ // TRANS: OAuth exception given when an incorrect access token was given for a user.
+ throw new OAuthException(_('Bad access token.'));
 }
 } else {
-
- // Also should not happen
-
- throw new OAuthException('No user for that token.');
+ // Also should not happen.
+ // TRANS: OAuth exception given when no user was found for a given token (no token was found).
+ throw new OAuthException(_('No user for that token.'));
 }
 } catch (OAuthException $e) {
+ $this->logAuthFailure($e->getMessage());
 common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
- $this->showAuthError();
+ $this->clientError($e->getMessage(), 401, $this->format);
 exit;
 }
 }
@@ -236,7 +244,6 @@ class ApiAuthAction extends ApiAction
 *
 * @return boolean true
 */
-
 function requiresAuth()
 {
 return true;
@@ -248,7 +255,6 @@ class ApiAuthAction extends ApiAction
 *
 * @return boolean true or false
 */
-
 function checkBasicAuthUser($required = true)
 {
 $this->basicAuthProcessHeader();
@@ -263,8 +269,8 @@ class ApiAuthAction extends ApiAction
 header('WWW-Authenticate: Basic realm="' . $realm . '"');
 // show error if the user clicks 'cancel'
-
- $this->showAuthError();
+ // TRANS: Client error thrown when authentication fails becaus a user clicked "Cancel".
+ $this->clientError(_('Could not authenticate you.'), 401, $this->format);
 exit;
 } else {
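Review bot: The rewritten log call at the end of the access_type branch still assigns instead of comparing — `($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'` — so after the token's real level was computed a few lines earlier, `$this->access` is forced to READ_WRITE for every OAuth-authenticated request and the log entry always says read-write; it should read `($this->access == self::READ_WRITE) ? 'read-write' : 'read-only'`. The new `throw new AuthorizationException(...)` sits inside a `try` whose only `catch` is `OAuthException`, so an API-right denial leaves `checkOAuthRequest` without the `logAuthFailure()` entry and the `clientError(..., 401, $this->format)` response the rest of this branch gets; the same applies to the basic-auth hunk at -275,6, where it leaves `checkBasicAuthUser` unlogged. When `User::staticGet` returns nothing, `$this->auth_user = $user;` stores an empty value and the `sprintf` just below dereferences `$this->auth_user->nickname`, so that assignment should be guarded or the empty case should throw like the other branches do. `checkOAuthRequest` begins before this hunk.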
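Review bot: The new translator comment has a typo, `becaus`; since TRANS comments are presumably extracted for translators, it is worth fixing before it lands in the message catalogue: `// TRANS: Client error thrown when authentication fails because a user clicked "Cancel".`. The enclosing `checkBasicAuthUser` starts and ends outside this hunk.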
@@ -275,6 +281,10 @@ class ApiAuthAction extends ApiAction
 if (Event::handle('StartSetApiUser', array(&$user))) {
 if (!empty($user)) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
 $this->auth_user = $user;
 }
@@ -282,22 +292,16 @@ class ApiAuthAction extends ApiAction
 }
 // By default, basic auth users have rw access
-
 $this->access = self::READ_WRITE;
 if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
-
- // basic authentication failed
-
- list($proxy, $ip) = common_client_ip();
-
- $msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' .
- 'proxy = %2$s, ip = %3$s',
- $this->auth_user_nickname,
- $proxy,
- $ip);
- common_log(LOG_WARNING, $msg);
- $this->showAuthError();
+ $msg = sprintf(
+ "basic auth nickname = %s",
+ $this->auth_user_nickname
+ );
+ $this->logAuthFailure($msg);
+ // TRANS: Client error thrown when authentication fails.
+ $this->clientError(_('Could not authenticate you.'), 401, $this->format);
 exit;
 }
 }
@@ -309,7 +313,6 @@ class ApiAuthAction extends ApiAction
 *
 * @return void
 */
-
 function basicAuthProcessHeader()
 {
 $authHeaders = array('AUTHORIZATION',
@@ -331,7 +334,6 @@ class ApiAuthAction extends ApiAction
 // Decode the HTTP_AUTHORIZATION header on php-cgi server self
 // on fcgid server the header name is AUTHORIZATION
-
 $auth_hash = base64_decode(substr($authorization_header, 6));
 list($this->auth_user_nickname, $this->auth_user_password) = explode(':', $auth_hash);
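Review bot: `$this->auth_user_nickname` is taken straight from the base64-decoded Authorization header (see the -331 hunk, with no visible sanitisation in between), so the `sprintf("basic auth nickname = %s", ...)` handed to `logAuthFailure()` writes client-chosen bytes, including line breaks, into the warning log, which lets a failed login forge or split log lines and undermines later log review. Encode the value before logging, e.g. `$msg = sprintf('basic auth nickname = %s', addcslashes($this->auth_user_nickname, "\0..\37\\"));`, or better, neutralise control characters once inside `logAuthFailure()` (hunk -346) so every caller is covered. The message also switches to double quotes although nothing is interpolated; single quotes match the rest of the file. The enclosing `checkBasicAuthUser` starts outside this hunk.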
@@ -346,34 +348,21 @@ class ApiAuthAction extends ApiAction
 }
 /**
- * Output an authentication error message. Use XML or JSON if one
- * of those formats is specified, otherwise output plain text
+ * Log an API authentication failure. Collect the proxy and IP
+ * and log them
 *
- * @return void
+ * @param string $logMsg additional log message
 */
-
- function showAuthError()
- {
- header('HTTP/1.1 401 Unauthorized');
- $msg = 'Could not authenticate you.';
-
- if ($this->format == 'xml') {
- header('Content-Type: application/xml; charset=utf-8');
- $this->startXML();
- $this->elementStart('hash');
- $this->element('error', null, $msg);
- $this->element('request', null, $_SERVER['REQUEST_URI']);
- $this->elementEnd('hash');
- $this->endXML();
- } elseif ($this->format == 'json') {
- header('Content-Type: application/json; charset=utf-8');
- $error_array = array('error' => $msg,
- 'request' => $_SERVER['REQUEST_URI']);
- print(json_encode($error_array));
- } else {
- header('Content-type: text/plain');
- print "$msg\n";
- }
- }
-
+ function logAuthFailure($logMsg)
+ {
+ list($proxy, $ip) = common_client_ip();
+
+ $msg = sprintf(
+ 'API auth failure (proxy = %1$s, ip = %2$s) - ',
+ $proxy,
+ $ip
+ );
+
+ common_log(LOG_WARNING, $msg . $logMsg);
+ }
 }
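Review bot: The new docblock drops the `@return` line that the other method headers visible in this diff carry (`@return void`, `@return nothing`), and it does not say that `$logMsg` is appended to the log entry verbatim, which is the property callers need to know about since both of them pass request-derived text. Add ` * @return void` after the `@param` line and extend the description to something like "Log an API authentication failure with the client's proxy and IP; $logMsg is appended unchanged, so callers must pass text that is safe to log." The method is declared with bare `function` like the rest of the class and is therefore public; if it is only meant for the two callers inside this class, `protected function logAuthFailure($logMsg)` would document that intent.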