correct handling of bareauth

darcs-hash:20080719171605-84dde-4b23eb6896d9bb6e57ce65de374acaf1703b7463.gz

diff --git a/actions/api.php b/actions/api.php
index 2c1086ae11b96e23c3c297b0e457dfdb920c9309..a525703208e43465a491f676034b680cb872d0ca 100644 (file)
--- a/actions/api.php
+++ b/actions/api.php
@@ -101,23 +101,27 @@ class ApiAction extends Action {
        # Whitelist of API methods that don't need authentication
        function requires_auth() {
                static $noauth = array( 'statuses/public_timeline',
-                                                               'statuses/user_timeline',
                                                                'statuses/show',
                                                                'help/test', 
                                                                'help/downtime_schedule');
                static $bareauth = array('statuses/user_timeline', 'statuses/friends');
 
-               # noauth: never needs auth
-               # bareauth: only needs auth if without an argument
-               
                $fullname = "$this->api_action/$this->api_method";
                
-               if (in_array($fullname, $bareauth) && !$this->api_arg) {
-                       return true;
-               } if (in_array($fullname, $noauth)) {
+               if (in_array($fullname, $bareauth)) {
+                       # bareauth: only needs auth if without an argument
+                       if ($this->api_arg) {
+                               return false;
+                       } else {
+                               return true;
+                       }
+               } else if (in_array($fullname, $noauth)) {
+                       # noauth: never needs auth
                        return false;
+               } else {
+                       # everybody else needs auth
+                       return true;
                }
-               return true;
        }
                
 }