allow_api removed
authorMichael <heluecht@pirati.ca>
Thu, 18 Nov 2021 07:14:23 +0000 (07:14 +0000)
committerMichael <heluecht@pirati.ca>
Thu, 18 Nov 2021 07:14:23 +0000 (07:14 +0000)
include/api.php
src/Security/BasicAuth.php
tests/legacy/ApiTest.php

index 5f89b7ecf8dbf0ffbcbc58c4c08e3c591c2682c8..20d77b7548fa52752c86d0ad3050e3c6622c86d6 100644 (file)
@@ -73,27 +73,6 @@ define('API_LOG_PREFIX', 'API {action} - ');
 $API = [];
 $called_api = [];
 
-/**
- * Auth API user
- *
- * It is not sufficient to use local_user() to check whether someone is allowed to use the API,
- * because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF
- * into a page, and visitors will post something without noticing it).
- */
-function api_user()
-{
-       $user = OAuth::getCurrentUserID();
-       if (!empty($user)) {
-               return $user;
-       }
-
-       if (!empty($_SESSION['allow_api'])) {
-               return local_user();
-       }
-
-       return false;
-}
-
 /**
  * Get source name from API client
  *
index d4c8bc6dcb7df1a227a192d9471171e924149382..52657057e9078bedd34af0a2e5d75a700b18fa8d 100644 (file)
@@ -123,7 +123,6 @@ class BasicAuth
        private static function getUserIdByAuth(bool $do_login = true):int
        {
                $a = DI::app();
-               Session::set('allow_api', false);
                self::$current_user_id = 0;
 
                // workaround for HTTP-auth in CGI mode
@@ -187,15 +186,10 @@ class BasicAuth
 
                DI::auth()->setForUser($a, $record, false, false, $login_refresh);
 
-               Session::set('allow_api', true);
-
                Hook::callAll('logged_in', $record);
 
-               if (Session::get('allow_api')) {
-                       self::$current_user_id = local_user();
-               } else {
-                       self::$current_user_id = 0;
-               }
+               self::$current_user_id = local_user();
+
                return self::$current_user_id;
        }
 }
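Review bot: Within what this hunk shows, the new `self::$current_user_id = local_user();` is the only point separating a credential-verified API identity from a cookie-backed browser session, and the CSRF rationale the removed api_user() docblock carried disappears with it, so the line deserves a comment. Something like `// Reached only after the HTTP-auth credentials above were verified; never promote a pre-existing browser session to an API identity, or an embedded <img src=".../api/statuses/update?status=..."> becomes a CSRF vector.` The read-back through local_user() also happens after `Hook::callAll('logged_in', $record)` and depends on the session still holding what setForUser() wrote; `self::$current_user_id = (int)$record['uid'];` would pin the result to the record that was actually verified, if `uid` is the key that record carries. getUserIdByAuth() begins outside this hunk, so the credential check itself is not visible here.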
index 34f3f6659b519964db1c3e22a0a2c4a3a1d006a1..f4dda4c6b06a2dead9f8b264bbdcad9499f5c897 100644 (file)
@@ -110,7 +110,6 @@ class ApiTest extends FixtureTest
 
                // Most API require login so we force the session
                $_SESSION = [
-                       'allow_api'     => true,
                        'authenticated' => true,
                        'uid'           => $this->selfUser['id']
                ];
@@ -234,8 +233,7 @@ class ApiTest extends FixtureTest
         */
        public function testApiUserWithUnallowedUser()
        {
-               $_SESSION = ['allow_api' => false];
-               self::assertEquals(false, api_user());
+               // self::assertEquals(false, api_user());
        }
 
        /**
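Review bot: testApiUserWithUnallowedUser() is left with only a commented-out assertion, so it now runs as an empty test that asserts nothing and will typically be flagged as risky rather than counted as the coverage it used to be. Commented-out code should not stay in the file; either drop the method together with api_user(), or mark the gap explicitly, `$this->markTestSkipped('api_user() was removed together with allow_api');`, until an equivalent check against BasicAuth exists.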
@@ -715,7 +713,6 @@ class ApiTest extends FixtureTest
                /*
                $_SERVER['PHP_AUTH_USER'] = 'Test user';
                $_SERVER['PHP_AUTH_PW']   = 'password';
-               $_SESSION['allow_api']    = false;
                BasicAuth::setCurrentUserID();
                self::assertFalse(api_get_user());
                */
@@ -1432,7 +1429,6 @@ class ApiTest extends FixtureTest
        public function testApiSearchWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_search('json');
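Review bot: With `$_SESSION['allow_api'] = false` gone, nothing in testApiSearchWithUnallowedUser() marks the user as unallowed any more; the expected ForbiddenException now hinges on the absence of PHP_AUTH_USER/PHP_AUTH_PW in $_SERVER while setUp() still leaves `authenticated` and `uid` in the session, which turns this into a check that a browser session alone does not authorise API calls. That is worth stating, since the same shape repeats in every *WithUnallowedUser test below: `// No HTTP-auth credentials: the (authenticated) session from setUp() must not be promoted to an API user.` Also clear the headers explicitly, `unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);`, so a preceding test that set them (the commented-out block around api_get_user() shows the suite does) cannot leak into this one. That BasicAuth::setCurrentUserID() consults $_SERVER is inferred from that other test, not visible in this hunk.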
@@ -1489,7 +1485,6 @@ class ApiTest extends FixtureTest
        public function testApiStatusesHomeTimelineWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_statuses_home_timeline('json');
@@ -1561,7 +1556,6 @@ class ApiTest extends FixtureTest
        public function testApiStatusesPublicTimelineWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_statuses_public_timeline('json');
@@ -1616,7 +1610,6 @@ class ApiTest extends FixtureTest
        public function testApiStatusesNetworkpublicTimelineWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_statuses_networkpublic_timeline('json');
@@ -1680,7 +1673,6 @@ class ApiTest extends FixtureTest
        public function testApiStatusesShowWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_statuses_show('json');
@@ -1722,7 +1714,6 @@ class ApiTest extends FixtureTest
        public function testApiConversationShowWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_conversation_show('json');
@@ -1839,7 +1830,6 @@ class ApiTest extends FixtureTest
        public function testApiStatusesMentionsWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_statuses_mentions('json');
@@ -1907,7 +1897,6 @@ class ApiTest extends FixtureTest
        public function testApiStatusesUserTimelineWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_statuses_user_timeline('json');
@@ -2037,7 +2026,6 @@ class ApiTest extends FixtureTest
        public function testApiFavoritesWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_favorites('json');
@@ -2464,7 +2452,6 @@ class ApiTest extends FixtureTest
        public function testApiListsStatusesWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_lists_statuses('json');
@@ -2893,7 +2880,6 @@ class ApiTest extends FixtureTest
        public function testApiDirectMessagesBoxWithUnallowedUser()
        {
                $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
-               $_SESSION['allow_api'] = false;
                $_GET['screen_name']   = $this->selfUser['nick'];
                BasicAuth::setCurrentUserID();
                api_direct_messages_box('json', 'sentbox', 'false');