X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauthaction.php;h=0e81082c35ea79a322a3dc26d92f6848074036cc;hb=d4be5349b30f49fa049dbfc854bb2a95eeb1d5c1;hp=56100cd49453babbf18226832f93d6c40d568c96;hpb=f46d675a20bd1c70eeb492d7068fabae83e6a6f5;p=quix0rs-gnu-social.git
diff --git a/lib/apiauthaction.php b/lib/apiauthaction.php
index 56100cd494..0e81082c35 100644
--- a/lib/apiauthaction.php
+++ b/lib/apiauthaction.php
@@ -39,7 +39,7 @@ /*! @page authentication Authentication
- StatusNet supports HTTP Basic Authentication and OAuth for API calls.
+ GNU social supports HTTP Basic Authentication and OAuth for API calls.
 @warning Currently, users who have created accounts without setting a password via OpenID, Facebook Connect, etc., cannot use the API until
@@ -82,30 +82,43 @@ class ApiAuthAction extends ApiAction
 {
 parent::prepare($args);
- // NOTE: $this->auth_user has to get set in prepare(), not handle(),
- // because subclasses do stuff with it in their prepares.
+ // NOTE: $this->scoped and $this->auth_user has to get set in
+ // prepare(), not handle(), as subclasses use them in prepares.
- $oauthReq = $this->getOAuthRequest();
+ // Allow regular login session
+ if (common_logged_in()) {
+ $this->scoped = Profile::current();
+ $this->auth_user = $this->scoped->getUser();
+ if (!$this->auth_user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
+ // Let's run this in the same way as if we've just authenticated the user (basic/oauth auth)
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ $this->access = self::READ_WRITE;
+ } else {
+ $oauthReq = $this->getOAuthRequest();
- if (!$oauthReq) {
- if ($this->requiresAuth()) {
- $this->checkBasicAuthUser(true);
+ if ($oauthReq instanceof OAuthRequest) {
+ $this->checkOAuthRequest($oauthReq);
 } else {
- // Check to see if a basic auth user is there even
- // if one's not required
- $this->checkBasicAuthUser(false);
+ // If not using OAuth, check if there is a basic auth
+ // and require it if the current action requires it.
+ $this->checkBasicAuthUser($this->requiresAuth());
 }
- } else {
- $this->checkOAuthRequest($oauthReq);
- }
- // NOTE: Make sure we're scoped properly based on the auths!
- if (isset($this->auth_user) && !empty($this->auth_user)) {
- $this->scoped = $this->auth_user->getProfile();
- } else {
- $this->scoped = null;
+ // NOTE: Make sure we're scoped properly based on the auths!
+ if (isset($this->auth_user) && $this->auth_user instanceof User) {
+ $this->scoped = $this->auth_user->getProfile();
+ } else {
+ $this->scoped = null;
+ }
 }
+ // legacy user transferral
+ // TODO: remove when sure no extended classes need it
+ $this->user = $this->auth_user;
+
 // Reject API calls with the wrong access level
 if ($this->isReadOnly($args) == false) {
@@ -199,21 +212,25 @@ class ApiAuthAction extends ApiAction
 // Set the auth user
 if (Event::handle('StartSetApiUser', array(&$user))) {
 $user = User::getKV('id', $appUser->profile_id);
- if (!empty($user)) {
- if (!$user->hasRight(Right::API)) {
- // TRANS: Authorization exception thrown when a user without API access tries to access the API.
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
+ }
+ if ($user instanceof User) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
 }
 $this->auth_user = $user;
- // FIXME: setting the value returned by common_current_user()
- // There should probably be a better method for this. common_set_user()
- // does lots of session stuff.
- global $_cur;
- $_cur = $this->auth_user;
- Event::handle('EndSetApiUser', array($user));
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ } else {
+ // If $user is not a real User, let's force it to null.
+ $this->auth_user = null;
 }
+ // FIXME: setting the value returned by common_current_user()
+ // There should probably be a better method for this. common_set_user()
+ // does lots of session stuff.
+ global $_cur;
+ $_cur = $this->auth_user;
+
 $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . "application '%s' (id: %d) with %s access.";
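Review bot: The new session branch in prepare() is evaluated before any OAuth or Basic credentials are looked at, so as soon as a session cookie is present a request that also carries an OAuth signature or an Authorization header is executed as the browser-session user with `self::READ_WRITE`, and the presented credentials (and the consumer's granted access level) are never checked. That branch also grants write access on the cookie alone with no session-token check visible in this hunk, which is the shape of a CSRF hole unless API actions verify a token elsewhere, and it fires only `EndSetApiUser`, skipping the `StartSetApiUser` hook that the OAuth and Basic paths honour. Note too that the OAuth branch never consults `$this->requiresAuth()` — only the Basic path receives it — so an OAuth-signed request that ends with `$this->auth_user` null proceeds with `$this->scoped = null` on an action that requires authentication. I would order the checks explicit-credentials-first, `if ($oauthReq instanceof OAuthRequest) { $this->checkOAuthRequest($oauthReq); } elseif (common_logged_in()) { /* session path */ } else { $this->checkBasicAuthUser($this->requiresAuth()); }`, and gate the session path's `READ_WRITE` on a session token (or keep it `READ_ONLY`). prepare()'s signature is just above the start of this hunk.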
@@ -275,38 +292,45 @@ class ApiAuthAction extends ApiAction
 header('WWW-Authenticate: Basic realm="' . $realm . '"');
 // show error if the user clicks 'cancel'
- // TRANS: Client error thrown when authentication fails becaus a user clicked "Cancel".
+ // TRANS: Client error thrown when authentication fails because a user clicked "Cancel".
 $this->clientError(_('Could not authenticate you.'), 401);
 } else {
+ // $this->auth_user_nickname - i.e. PHP_AUTH_USER - will have a value since it was not empty
 $user = common_check_user($this->auth_user_nickname, $this->auth_user_password);
- if (Event::handle('StartSetApiUser', array(&$user))) {
-
- if (!empty($user)) {
- if (!$user->hasRight(Right::API)) {
- // TRANS: Authorization exception thrown when a user without API access tries to access the API.
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
- $this->auth_user = $user;
+ Event::handle('StartSetApiUser', array(&$user));
+ if ($user instanceof User) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
 }
+ $this->auth_user = $user;
- Event::handle('EndSetApiUser', array($user));
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ } else {
+ $this->auth_user = null;
 }
- // By default, basic auth users have rw access
- $this->access = self::READ_WRITE;
-
- if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
+ if ($required && $this->auth_user instanceof User) {
+ // By default, basic auth users have rw access
+ $this->access = self::READ_WRITE;
+ } elseif ($required) {
 $msg = sprintf( "basic auth nickname = %s", $this->auth_user_nickname );
 $this->logAuthFailure($msg);
+
+ // We must present WWW-Authenticate in accordance to HTTP status code 401
+ header('WWW-Authenticate: Basic realm="' . $realm . '"');
 // TRANS: Client error thrown when authentication fails.
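Review bot: The new `else` branch in checkOAuthRequest() fails open: when `User::getKV('id', $appUser->profile_id)` yields no User, the code sets `$this->auth_user = null`, publishes that null into the `$_cur` global (now unconditionally, since the `global $_cur` block moved out of the success path), and falls through to the "API OAuth authentication for user" log line, which presumably formats `$this->auth_user` fields and would now fault on null. Neither the old nor the new code rejects the request at this point, so a correctly signed token for a missing or deleted user continues as an anonymous caller unless something after this hunk stops it. I would fail closed in that branch with the same response the Basic path uses: `$this->logAuthFailure('OAuth token for profile ' . $appUser->profile_id . ' has no user'); $this->clientError(_('Could not authenticate you.'), 401);`. The enclosing method starts and ends outside this hunk.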
 $this->clientError(_('Could not authenticate you.'), 401);
+ } else {
+ // all get rw access for actions that don't require auth
+ $this->access = self::READ_WRITE;
 }
 }
 }
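Review bot: The rewritten access decision at the end of checkBasicAuthUser() drops the old `isset($_SERVER['PHP_AUTH_USER'])` clause, so when `$required` is false and the supplied Basic credentials are wrong the request now lands in the final `else`, is granted `self::READ_WRITE` as an anonymous caller, and `logAuthFailure()` is never called — a bad password on an optional-auth endpoint is silently accepted and invisible to brute-force monitoring, where the old code answered 401. The comment added above `common_check_user()` says this branch only runs when `PHP_AUTH_USER` was non-empty, so credentials were always presented here and `$required` need not take part in the decision; the three-way branch can collapse to `if ($this->auth_user instanceof User) { $this->access = self::READ_WRITE; } else { /* existing logAuthFailure, WWW-Authenticate header and 401 */ }`. checkBasicAuthUser() begins before this hunk.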