X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=42d32dd624e0014c4e799bc18b3395cfe3725dc1;hb=b6b9baa9a240db9f10c41dc0c0aae81dad0d744a;hp=0cc184c04c678e3ee1183fc53326d390db8a9e12;hpb=6455461c196fcb8e7c0047870d480e4a97986709;p=quix0rs-gnu-social.git diff --git a/lib/apiauth.php b/lib/apiauth.php index 0cc184c04c..42d32dd624 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -196,7 +196,14 @@ class ApiAuthAction extends ApiAction // Set the auth user if (Event::handle('StartSetApiUser', array(&$user))) { - $this->auth_user = User::staticGet('id', $appUser->profile_id); + $user = User::staticGet('id', $appUser->profile_id); + if (!empty($user)) { + if (!$user->hasRight(Right::API)) { + // TRANS: Authorization exception thrown when a user without API access tries to access the API. + throw new AuthorizationException(_('Not allowed to use API.')); + } + } + $this->auth_user = $user; Event::handle('EndSetApiUser', array($user)); } @@ -219,7 +226,7 @@ class ApiAuthAction extends ApiAction throw new OAuthException(_('Bad access token.')); } } else { - // Also should not happen + // Also should not happen. // TRANS: OAuth exception given when no user was found for a given token (no token was found). throw new OAuthException(_('No user for that token.')); } @@ -274,6 +281,10 @@ class ApiAuthAction extends ApiAction if (Event::handle('StartSetApiUser', array(&$user))) { if (!empty($user)) { + if (!$user->hasRight(Right::API)) { + // TRANS: Authorization exception thrown when a user without API access tries to access the API. + throw new AuthorizationException(_('Not allowed to use API.')); + } $this->auth_user = $user; }