X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=42d32dd624e0014c4e799bc18b3395cfe3725dc1;hb=b6b9baa9a240db9f10c41dc0c0aae81dad0d744a;hp=8b0a3da17bb61abb449673f0a429b078588ca0fe;hpb=59119482ca34540bd7f0a2a1aa994de1d5328ea2;p=quix0rs-gnu-social.git
diff --git a/lib/apiauth.php b/lib/apiauth.php
index 8b0a3da17b..42d32dd624 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -168,16 +168,20 @@ class ApiAuthAction extends ApiAction
         $app = Oauth_application::getByConsumerKey($consumer);
         if (empty($app)) {
-            common_log(LOG_WARNING,
-                       'Couldn\'t find the OAuth app for consumer key: ' .
-                       $consumer);
+            common_log(
+                LOG_WARNING,
+                'API OAuth - Couldn\'t find the OAuth app for consumer key: ' .
+                $consumer
+            );
             // TRANS: OAuth exception thrown when no application is found for a given consumer key.
             throw new OAuthException(_('No application for that consumer key.'));
         }
         // set the source attr
+        if ($app->name != 'anonymous') {
+            $this->source = $app->name;
+        }
-        $this->source = $app->name;
         $appUser = Oauth_application_user::staticGet('token', $access_token);
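Review bot: The new guard `if ($app->name != 'anonymous')` is a loose comparison against a string literal; `if ($app->name !== 'anonymous') {` expresses the same intent without type juggling. With the unconditional assignment dropped, a request from the anonymous application now leaves `$this->source` at whatever value the property already had at this point; if a specific fallback is expected downstream, an explicit `else` branch would make that visible rather than relying on the property default. The enclosing method starts and ends outside the hunk.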
@@ -192,32 +196,43 @@ class ApiAuthAction extends ApiAction
                     // Set the auth user
                     if (Event::handle('StartSetApiUser', array(&$user))) {
-                        $this->auth_user = User::staticGet('id', $appUser->profile_id);
+                        $user = User::staticGet('id', $appUser->profile_id);
+                        if (!empty($user)) {
+                            if (!$user->hasRight(Right::API)) {
+                                // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+                                throw new AuthorizationException(_('Not allowed to use API.'));
+                            }
+                        }
+                        $this->auth_user = $user;
                         Event::handle('EndSetApiUser', array($user));
                     }
                     $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
-                        "application '%s' (id: %d) with %s access.";
-
-                    common_log(LOG_INFO, sprintf($msg,
-                        $this->auth_user->nickname,
-                        $this->auth_user->id,
-                        $app->name,
-                        $app->id,
-                        ($this->access = self::READ_WRITE) ?
-                        'read-write' : 'read-only'
-                    ));
+                           "application '%s' (id: %d) with %s access.";
+
+                    common_log(
+                        LOG_INFO,
+                        sprintf(
+                            $msg,
+                            $this->auth_user->nickname,
+                            $this->auth_user->id,
+                            $app->name,
+                            $app->id,
+                            ($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'
+                        )
+                    );
                 } else {
                     // TRANS: OAuth exception given when an incorrect access token was given for a user.
                     throw new OAuthException(_('Bad access token.'));
                 }
             } else {
-                // Also should not happen
+                // Also should not happen.
                 // TRANS: OAuth exception given when no user was found for a given token (no token was found).
                 throw new OAuthException(_('No user for that token.'));
             }
         } catch (OAuthException $e) {
+            $this->logAuthFailure($e->getMessage());
             common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
             $this->clientError($e->getMessage(), 401, $this->format);
             exit;
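Review bot: The reformatted log call keeps `($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'`, which is an assignment rather than a comparison: every request that reaches this line ends with `$this->access` set to READ_WRITE and the log record always reads 'read-write'. If the access level was taken from the token earlier in this method (outside the hunk), this silently upgrades read-only tokens; the argument should be `($this->access == self::READ_WRITE) ? 'read-write' : 'read-only'`. The new `AuthorizationException` is raised inside a `try` whose only handler is `catch (OAuthException $e)`, so unless it is a subclass of OAuthException it bypasses the `logAuthFailure` and 401 path that the OAuth errors take; worth confirming where it is caught. The same `hasRight(Right::API)` block is added again in the hunk at `@@ -266,6 +281,10 @@`, and a small helper called from both places would keep the two checks from drifting apart. The enclosing method starts and ends outside the hunk.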
@@ -255,7 +270,7 @@ class ApiAuthAction extends ApiAction
             // show error if the user clicks 'cancel'
             // TRANS: Client error thrown when authentication fails becaus a user clicked "Cancel".
-            $this->clientError(_("Could not authenticate you."), 401, $this->format);
+            $this->clientError(_('Could not authenticate you.'), 401, $this->format);
             exit;
         } else {
@@ -266,6 +281,10 @@ class ApiAuthAction extends ApiAction
             if (Event::handle('StartSetApiUser', array(&$user))) {
                 if (!empty($user)) {
+                    if (!$user->hasRight(Right::API)) {
+                        // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+                        throw new AuthorizationException(_('Not allowed to use API.'));
+                    }
                     $this->auth_user = $user;
                 }
@@ -276,18 +295,13 @@ class ApiAuthAction extends ApiAction
             $this->access = self::READ_WRITE;
             if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
-
-                // basic authentication failed
-                list($proxy, $ip) = common_client_ip();
-
-                $msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' .
-                                'proxy = %2$s, ip = %3$s',
-                                $this->auth_user_nickname,
-                                $proxy,
-                                $ip);
-                common_log(LOG_WARNING, $msg);
+                $msg = sprintf(
+                    "basic auth nickname = %s",
+                    $this->auth_user_nickname
+                );
+                $this->logAuthFailure($msg);
                 // TRANS: Client error thrown when authentication fails.
-                $this->clientError(_("Could not authenticate you."), 401, $this->format);
+                $this->clientError(_('Could not authenticate you.'), 401, $this->format);
                 exit;
             }
         }
@@ -332,4 +346,23 @@ class ApiAuthAction extends ApiAction
             }
         }
     }
+
+    /**
+     * Log an API authentication failure. Collect the proxy and IP
+     * and log them
+     *
+     * @param string $logMsg additional log message
+     */
+    function logAuthFailure($logMsg)
+    {
+        list($proxy, $ip) = common_client_ip();
+
+        $msg = sprintf(
+            'API auth failure (proxy = %1$s, ip = %2$s) - ',
+            $proxy,
+            $ip
+        );
+
+        common_log(LOG_WARNING, $msg . $logMsg);
+    }
 }
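Review bot: In the hunk at `@@ -276,18 +295,13 @@`, the new `sprintf("basic auth nickname = %s", $this->auth_user_nickname)` writes a request-supplied value straight into the warning log; the surrounding condition tests `$_SERVER['PHP_AUTH_USER']`, so the nickname presumably comes from the Basic auth header (assigned outside the hunk). A nickname containing CR/LF would let a single request appear as several log records, which complicates alerting on failed-auth lines. Stripping line breaks before formatting keeps each failure on one line, e.g. `str_replace(array("\r", "\n"), ' ', $this->auth_user_nickname)` as the `sprintf` argument. The enclosing method starts and ends outside the hunk.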
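Review bot: The new `logAuthFailure` method declares no visibility, and its only callers in this patch reach it through `$this->` from the same class, so `protected function logAuthFailure($logMsg)` would state that it is not part of the action's public surface. The docblock could also say that the record is written at LOG_WARNING through `common_log` and that the proxy and IP come from `common_client_ip()`, so callers know not to add their own address details to `$logMsg`. Because the catch block in the hunk at `@@ -192,32 +196,43 @@` still calls `common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage())` immediately after `logAuthFailure`, each OAuth failure is now logged twice; dropping the older call, or folding its prefix into the `$logMsg` passed in, would keep one record per failure. The class ends with the final `}` of this hunk.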