Added scope check
authorMichael <heluecht@pirati.ca>
Sun, 16 May 2021 07:37:11 +0000 (07:37 +0000)
committerMichael <heluecht@pirati.ca>
Sun, 16 May 2021 07:37:11 +0000 (07:37 +0000)
53 files changed:
database.sql
src/Factory/Api/Mastodon/Error.php
src/Module/Api/Friendica/Events/Index.php
src/Module/Api/Friendica/Profile/Show.php
src/Module/Api/Mastodon/Accounts/Block.php
src/Module/Api/Mastodon/Accounts/Follow.php
src/Module/Api/Mastodon/Accounts/Followers.php
src/Module/Api/Mastodon/Accounts/Following.php
src/Module/Api/Mastodon/Accounts/IdentityProofs.php
src/Module/Api/Mastodon/Accounts/Lists.php
src/Module/Api/Mastodon/Accounts/Mute.php
src/Module/Api/Mastodon/Accounts/Note.php
src/Module/Api/Mastodon/Accounts/Relationships.php
src/Module/Api/Mastodon/Accounts/Search.php
src/Module/Api/Mastodon/Accounts/Unblock.php
src/Module/Api/Mastodon/Accounts/Unfollow.php
src/Module/Api/Mastodon/Accounts/Unmute.php
src/Module/Api/Mastodon/Accounts/UpdateCredentials.php
src/Module/Api/Mastodon/Accounts/VerifyCredentials.php
src/Module/Api/Mastodon/Announcements.php
src/Module/Api/Mastodon/Apps.php
src/Module/Api/Mastodon/Blocks.php
src/Module/Api/Mastodon/Bookmarks.php
src/Module/Api/Mastodon/Favourited.php
src/Module/Api/Mastodon/FollowRequests.php
src/Module/Api/Mastodon/Lists.php
src/Module/Api/Mastodon/Lists/Accounts.php
src/Module/Api/Mastodon/Markers.php
src/Module/Api/Mastodon/Media.php
src/Module/Api/Mastodon/Mutes.php
src/Module/Api/Mastodon/Notifications.php
src/Module/Api/Mastodon/Notifications/Clear.php
src/Module/Api/Mastodon/Notifications/Dismiss.php
src/Module/Api/Mastodon/Preferences.php
src/Module/Api/Mastodon/Statuses.php
src/Module/Api/Mastodon/Statuses/Bookmark.php
src/Module/Api/Mastodon/Statuses/Favourite.php
src/Module/Api/Mastodon/Statuses/Mute.php
src/Module/Api/Mastodon/Statuses/Pin.php
src/Module/Api/Mastodon/Statuses/Reblog.php
src/Module/Api/Mastodon/Statuses/Unbookmark.php
src/Module/Api/Mastodon/Statuses/Unfavourite.php
src/Module/Api/Mastodon/Statuses/Unmute.php
src/Module/Api/Mastodon/Statuses/Unpin.php
src/Module/Api/Mastodon/Statuses/Unreblog.php
src/Module/Api/Mastodon/Suggestions.php
src/Module/Api/Mastodon/Timelines/Home.php
src/Module/Api/Mastodon/Timelines/ListTimeline.php
src/Module/Api/Mastodon/Timelines/Tag.php
src/Module/Api/Twitter/ContactEndpoint.php
src/Module/BaseApi.php
static/dbstructure.config.php
static/dbview.config.php

index 0dcf9afe80b0b782d77979de8d908038297ec3a9..d080b41582998680538def5359567c6d18a3b0ad 100644 (file)
@@ -1,6 +1,6 @@
 -- ------------------------------------------
 -- Friendica 2021.06-dev (Siberian Iris)
--- DB_UPDATE_VERSION 1417
+-- DB_UPDATE_VERSION 1418
 -- ------------------------------------------
 
 
@@ -378,6 +378,7 @@ CREATE TABLE IF NOT EXISTS `application` (
        `read` boolean COMMENT 'Read scope',
        `write` boolean COMMENT 'Write scope',
        `follow` boolean COMMENT 'Follow scope',
+       `push` boolean COMMENT 'Push scope',
         PRIMARY KEY(`id`),
         UNIQUE INDEX `client_id` (`client_id`)
 ) DEFAULT COLLATE utf8mb4_general_ci COMMENT='OAuth application';
@@ -395,6 +396,7 @@ CREATE TABLE IF NOT EXISTS `application-token` (
        `read` boolean COMMENT 'Read scope',
        `write` boolean COMMENT 'Write scope',
        `follow` boolean COMMENT 'Follow scope',
+       `push` boolean COMMENT 'Push scope',
         PRIMARY KEY(`application-id`,`uid`),
         INDEX `uid_id` (`uid`,`application-id`),
        FOREIGN KEY (`application-id`) REFERENCES `application` (`id`) ON UPDATE RESTRICT ON DELETE CASCADE,
@@ -1525,7 +1527,8 @@ CREATE VIEW `application-view` AS SELECT
        `application-token`.`scopes` AS `scopes`,
        `application-token`.`read` AS `read`,
        `application-token`.`write` AS `write`,
-       `application-token`.`follow` AS `follow`
+       `application-token`.`follow` AS `follow`,
+       `application-token`.`push` AS `push`
        FROM `application-token`
                        INNER JOIN `application` ON `application-token`.`application-id` = `application`.`id`;
 
index 086cceef98e55ca31e7794deec0c30f6bc038d72..4ec8744bffb3fe925414965fb1fbf1377abac2c2 100644 (file)
@@ -54,6 +54,15 @@ class Error extends BaseFactory
                System::jsonError(401, $errorobj->toArray());
        }
 
+       public function Forbidden(string $error = '')
+       {
+               $error = $error ?: DI::l10n()->t('Token is not authorized with a valid user or is missing a required scope');
+               $error_description = '';
+               $errorobj = New \Friendica\Object\Api\Mastodon\Error($error, $error_description);
+
+               System::jsonError(403, $errorobj->toArray());
+       }
+
        public function InternalError(string $error = '')
        {
                $error = $error ?: DI::l10n()->t('Internal Server Error');
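Review bot: `New \Friendica\Object\Api\Mastodon\Error(...)` in the added Forbidden() method capitalises a keyword; PHP keywords are conventionally lowercase, so `$errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description);`. The method also has no docblock, and a reader cannot tell from the signature that it ends the request through System::jsonError() rather than returning; a short docblock stating that it emits a 403 with the given (or default, translated) message and does not return to the caller would make that explicit. Unauthorized() above and InternalError() below continue outside the hunk.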
index 08225682ab583c00dbc7e2ce4b722c3beaad4211..3efa1a919e602588ee57d66e43fcf9f7b5f00958 100644 (file)
@@ -35,7 +35,7 @@ class Index extends BaseApi
 {
        public static function rawContent(array $parameters = [])
        {
-               if (self::login() === false) {
+               if (self::login(self::SCOPE_READ) === false) {
                        throw new HTTPException\ForbiddenException();
                }
 
index ae0d1a79dfbb49e261c5f1bf597e221c6e36135c..e550f839ccc048087436daa385c48e7fd3a57fa8 100644 (file)
@@ -37,7 +37,7 @@ class Show extends BaseApi
 {
        public static function rawContent(array $parameters = [])
        {
-               if (self::login() === false) {
+               if (self::login(self::SCOPE_READ) === false) {
                        throw new HTTPException\ForbiddenException();
                }
 
index edbae8a1d33822d03f2a35b86cc613a3d5079701..fa12daaf4ff830e97d733e83701fd1de7392cb39 100644 (file)
@@ -33,7 +33,7 @@ class Block extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 921fac69a021d53b030cbb323f0fe0f3831389a8..bdd21c73750357c05c7bfc52bcd78e1e5c241993 100644 (file)
@@ -33,7 +33,7 @@ class Follow extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
@@ -42,6 +42,6 @@ class Follow extends BaseApi
 
                $cid = Contact::follow($parameters['id'], self::getCurrentUserID());
 
-               System::jsonExit(DI::mstdnRelationship()->createFromContactId($cid)->toArray());
+               System::jsonExit(DI::mstdnRelationship()->createFromContactId($cid, $uid)->toArray());
        }
 }
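Review bot: The new line passes `$uid` to createFromContactId(), but the line just above still calls `self::getCurrentUserID()` a second time for the same value that `$uid` was assigned from in the first hunk of this file; for consistency use the local, `$cid = Contact::follow($parameters['id'], $uid);`. This is style only, both expressions resolve to the current user.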
index 7e082edbd3e49bae3ceccb075a676c7387c3b928..4f560776c5c30cb081cd0a5daabaa7cab48cb356 100644 (file)
@@ -37,7 +37,7 @@ class Followers extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 87e9117ea427dccd86173408dde23596e93e2fd9..7edf4e987fb9578823aef7e8c05bba2acc2c8273 100644 (file)
@@ -37,7 +37,7 @@ class Following extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 5a7d3a8409f35820fb7ebcd3375e1c0fd276e3c9..f92de6cada18f3255bae148226a4e3351da74408 100644 (file)
@@ -35,7 +35,7 @@ class IdentityProofs extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
 
                System::jsonExit([]);
        }
index 6ba7953ab15483c89428f18593bb0d44b939e25e..6a3e87b42608021ab46f4704451e3995716cbfe1 100644 (file)
@@ -38,7 +38,7 @@ class Lists extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index e3975771faa96173c46e34f171d4d02dadfbe61a..19413bacfc200f31d6594e36184738660067aee7 100644 (file)
@@ -33,7 +33,7 @@ class Mute extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index bbb53d93ac55f0bd3b7f03bc7a2862b963c15597..1f3dd8d91cab7088909dec1bb4c89c16df4ea31c 100644 (file)
@@ -34,7 +34,7 @@ class Note extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index a989460a3217d44dc094ce49e1efdfe285f2f0a7..c134adf4817a4e9338829bc349d2e10ab3eeca92 100644 (file)
@@ -37,7 +37,7 @@ class Relationships extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($_REQUEST['id']) || !is_array($_REQUEST['id'])) {
index 77906661d2e195da45589338d45e4f0dcea5eb1b..9f1d0aadfe5e136ab17d8b781289b398f2274e95 100644 (file)
@@ -40,7 +40,7 @@ class Search extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                // What to search for
index 7de5a4cfbcc89dd83a247733088fa09f06379356..14152c458f51947a7033f989a64471cbfe860116 100644 (file)
@@ -33,7 +33,7 @@ class Unblock extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index b2efde7b01bf02195219d0153638342a72d0d670..2d00ea45531539571a25456600da0f12a58d7cb1 100644 (file)
@@ -33,7 +33,7 @@ class Unfollow extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 15892cff42afacf3bfd2fca4177256a7cea66caf..4b8111956ed4d1dca2ecceea98306407ceb307a3 100644 (file)
@@ -33,7 +33,7 @@ class Unmute extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 30b190a33b443f71f6192ea0e5830b07f8695f70..d3f4c15fe016bf8a6c8627d1ab7328718949ac13 100644 (file)
@@ -31,7 +31,7 @@ class UpdateCredentials extends BaseApi
 {
        public static function patch(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                $data = Network::postdata();
index facae725930a68e91c366560296a74796b021dfc..84945e1e2f0bd5fcfe26bd9c59bcac1b6a01f8a4 100644 (file)
@@ -38,7 +38,7 @@ class VerifyCredentials extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                $self = User::getOwnerDataById($uid);
index 80b25bf5c21daafb0802314cb38bb6edf2716ec2..e9445c12761581f40eba8a2ebeccff5489d61f79 100644 (file)
@@ -35,7 +35,7 @@ class Announcements extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
 
                // @todo Possibly use the message from the pageheader addon for this
                System::jsonExit([]);
index 8205691dca47c9c0d133249e6237d0d19a3ab5f1..c22225160c8e7e45ee8dd3f6417d22bd65213c7f 100644 (file)
@@ -67,9 +67,10 @@ class Apps extends BaseApi
                        $fields['scopes'] = $scopes;
                }
 
-               $fields['read']   = (stripos($scopes, 'read') !== false);
-               $fields['write']  = (stripos($scopes, 'write') !== false);
-               $fields['follow'] = (stripos($scopes, 'follow') !== false);
+               $fields['read']   = (stripos($scopes, self::SCOPE_READ) !== false);
+               $fields['write']  = (stripos($scopes, self::SCOPE_WRITE) !== false);
+               $fields['follow'] = (stripos($scopes, self::SCOPE_FOLLOW) !== false);
+               $fields['push'] = (stripos($scopes, self::SCOPE_PUSH) !== false);
 
                if (!empty($website)) {
                        $fields['website'] = $website;
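Review bot: `$fields['push'] = ...` breaks the column alignment that the three rewritten lines above keep (`$fields['read']   =`); align it the same way, `$fields['push']   = (stripos($scopes, self::SCOPE_PUSH) !== false);`. The surrounding method starts and ends outside the hunk.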
index e93743ac29405cda1e47e94040c9b49e396c8ac2..b05cb313e8f0c016641f9d1f8ab78aabea1c73a9 100644 (file)
@@ -37,7 +37,7 @@ class Blocks extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 8b03c40ebdfed4f93dcd77bb4bc132ab22464d82..88de40d69bc535837113eefa5f0fa745f63a6061 100644 (file)
@@ -39,7 +39,7 @@ class Bookmarks extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                // Maximum number of results to return. Defaults to 20.
index 53bd82aab6d1c6bfd15c0b34c9f854bcc2bde066..1c0cf0a3473300ecc825789158e73b10061d6e02 100644 (file)
@@ -40,7 +40,7 @@ class Favourited extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                // Maximum number of results to return. Defaults to 20.
index 8a59120d312ebf120640cd7640329f266ffcf64c..3c66b4e6c7f0006a826ef5d9fc88b8c8c5bef99b 100644 (file)
@@ -45,7 +45,7 @@ class FollowRequests extends BaseApi
         */
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_FOLLOW);
                $uid = self::getCurrentUserID();
 
                $introduction = DI::intro()->selectFirst(['id' => $parameters['id'], 'uid' => $uid]);
@@ -83,7 +83,7 @@ class FollowRequests extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                $min_id = $_GET['min_id'] ?? null;
index e655edcb26d1c3dd3cfb79fbf465759211b7d357..496550d4a7f16ef0e4dc5b951f42a0ef7a15aee6 100644 (file)
@@ -33,7 +33,7 @@ class Lists extends BaseApi
 {
        public static function delete(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
 
                $uid = self::getCurrentUserID();
 
@@ -54,7 +54,7 @@ class Lists extends BaseApi
 
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
 
                $uid   = self::getCurrentUserID();
                $title = $_REQUEST['title'] ?? '';
@@ -90,7 +90,7 @@ class Lists extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index cb2bd208f30f9ce1db610dcd314e032378afb4e0..1ca2c8359d3990fefabc5cc3f4d1a22d825d070e 100644 (file)
@@ -49,7 +49,7 @@ class Accounts extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 45ad3927d1e74a0b8eaa7b130c74888ad1f13d01..dc294901758944ed6944465a34ed206c26687ca9 100644 (file)
@@ -31,6 +31,8 @@ class Markers extends BaseApi
 {
        public static function post(array $parameters = [])
        {
+               self::login(self::SCOPE_WRITE);
+
                self::unsupported('post');
        }
 
@@ -40,7 +42,7 @@ class Markers extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
 
                System::jsonExit([]);
        }
index 82844a6ff16fdb899027561609e4755557a67241..55b8438c29b436cff73ef37a55380836a97fc6e3 100644 (file)
@@ -33,6 +33,9 @@ class Media extends BaseApi
 {
        public static function put(array $parameters = [])
        {
+               self::login(self::SCOPE_WRITE);
+               $uid = self::getCurrentUserID();
+
                $data = self::getPutData();
                self::unsupported('put');
        }
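Review bot: `$uid = self::getCurrentUserID();` added to put() is never read; the method goes straight to `self::unsupported('put')`, as does the pre-existing `$data` assignment. Keep the scope check `self::login(self::SCOPE_WRITE);`, which is the point of this commit, but either drop the unused assignment or mark it with a `// @todo` comment explaining that it is a placeholder for the eventual implementation so static analysis does not flag it.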
@@ -43,7 +46,7 @@ class Media extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index d49bdad68e90e48d4025006a1d06ee6682030ee0..9e53da504c1d032bda1be4857f58a85d07c9028a 100644 (file)
@@ -37,7 +37,7 @@ class Mutes extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index e01951722dd633aa9e438e0740dec0e5a83a1a12..30e1060d820a38a83dad39c8dbb7b136360d7129 100644 (file)
@@ -39,7 +39,7 @@ class Notifications extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (!empty($parameters['id'])) {
index 5e0c53da0d5c96dad1b0d45603c264d320f6b6be..c809ad2af99bcf2eabfbea57f8339cf1083cd7d5 100644 (file)
@@ -32,7 +32,7 @@ class Clear extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                DBA::update('notify', ['seen' => true], ['uid' => $uid]);
index e8faa3096eb381b23a40d09e60dfd4c7f10451ce..a0f57a40589cc029d13852bddf5aefb49cb8c162 100644 (file)
@@ -33,7 +33,7 @@ class Dismiss extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 035357f07da8fb68a870d751edd6d6965504d7f3..f6eef4c79a3e39c7bc16b264b4c1b91176631138 100644 (file)
@@ -37,7 +37,7 @@ class Preferences extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                $user = User::getById($uid, ['language', 'allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);
index cb873b83dcb78bb147db2e297f395ee49ef56b20..e40709fe5b5c032203c483b1607cf30d4ebd7faa 100644 (file)
@@ -42,7 +42,7 @@ class Statuses extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                $data = self::getJsonPostData();
@@ -190,7 +190,7 @@ class Statuses extends BaseApi
 
        public static function delete(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
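Review bot: delete() now requires only SCOPE_READ, but deleting a status is a mutating operation and every other mutating endpoint in this commit (Statuses::post above, Bookmark, Favourite, Pin, Reblog and their inverses) asks for SCOPE_WRITE, so a read-only token would be able to delete posts. Change it to `self::login(self::SCOPE_WRITE);`. The body of delete() continues outside the hunk.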
index acdf207a3247324296aac66b7f40c2704dde4bd5..cd59337c38b69071fc82e67bf45ad7c22133f403 100644 (file)
@@ -35,7 +35,7 @@ class Bookmark extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 74892d96032446b11bf0f12c7f2b9060f92d7302..006e066170f4ae130eea9f9b4bc775164a6db897 100644 (file)
@@ -35,7 +35,7 @@ class Favourite extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 6a5d16d14b8f62ad005352b0215dc1ee06037ccb..ff724ed53e659f085b6f5a188fa5ac8a45ec9d9e 100644 (file)
@@ -34,7 +34,7 @@ class Mute extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 2637807362716e0e6c270b32125c44a137532b94..43cc0e0cd4bf545c762a98e07beeba6790c54e3d 100644 (file)
@@ -34,7 +34,7 @@ class Pin extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index cdd788dcf6bae33e69e0f212d406dd4f0f9496d7..d0194a3127d7b5559f4cb482591b1c2037e2c851 100644 (file)
@@ -37,7 +37,7 @@ class Reblog extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index dd78d8833a1fa7fad86644434e547fd87093db22..bf8a3c6e25695c408cc063b78053e023aec6192f 100644 (file)
@@ -35,7 +35,7 @@ class Unbookmark extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 528ef692e6296238af46e8e69d636de0fd9ce628..72efdc0a748d4b1e1ae4c28e005d6ea85dd4dd90 100644 (file)
@@ -35,7 +35,7 @@ class Unfavourite extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 26843be6c02166615fd2896e3764797bafba5f1f..531fe6235d6088aee67fa424c7c66a2f873341cf 100644 (file)
@@ -34,7 +34,7 @@ class Unmute extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index d16bfc33ef43989691ae6cb7b3176c8053a71162..874be0cc37d10f5c0b8a50fa11572f9f02ec0fc2 100644 (file)
@@ -34,7 +34,7 @@ class Unpin extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 1296b72250f299d3dc612a1dacf94a17e3684362..259ecfd2fc7738166bdbede46304939c1cc13dff 100644 (file)
@@ -37,7 +37,7 @@ class Unreblog extends BaseApi
 {
        public static function post(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_WRITE);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 97cfa11d3ece8d75289c3401a3b4d7d1aa02c44f..df434d2dc5953c06e3b70df832b638dc36a74b29 100644 (file)
@@ -37,7 +37,7 @@ class Suggestions extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                // Maximum number of results to return. Defaults to 40.
index c46c485fa62769fc34f7b41d68bd6242ac9ec9ed..9c8cb7a0b83ef97a9e4bfe2291a35bf1b0df3938 100644 (file)
@@ -39,7 +39,7 @@ class Home extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                // Return results older than id
index 7da16d137542b97d4ff2882f532d06880690e9b1..f046cab7881f97d0d101dd05d6cf5d37fed010c2 100644 (file)
@@ -39,7 +39,7 @@ class ListTimeline extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['id'])) {
index 924b76307408ab4defbe2eb2b20d6b39848e3d40..b5d0d2140151fbe517c35fc32344888b191db748 100644 (file)
@@ -40,7 +40,7 @@ class Tag extends BaseApi
         */
        public static function rawContent(array $parameters = [])
        {
-               self::login();
+               self::login(self::SCOPE_READ);
                $uid = self::getCurrentUserID();
 
                if (empty($parameters['hashtag'])) {
index 0e386bf93d9cb437da4a6a3f6c2a89ee7f33fb61..3231d8b132103f9ed7b3e54c8cd8e3c40187b573 100644 (file)
@@ -39,7 +39,7 @@ abstract class ContactEndpoint extends BaseApi
        {
                parent::init($parameters);
 
-               if (!self::login()) {
+               if (!self::login(self::SCOPE_READ)) {
                        throw new HTTPException\UnauthorizedException();
                }
        }
index 6d70c1e6fecc6b44ee55c7bdd9c4c05afb599d58..db4531d91c1351f0d139d232d6bd9c92d8fb12d5 100644 (file)
@@ -35,6 +35,11 @@ require_once __DIR__ . '/../../include/api.php';
 
 class BaseApi extends BaseModule
 {
+       const SCOPE_READ   = 'read';
+       const SCOPE_WRITE  = 'write';
+       const SCOPE_FOLLOW = 'follow';
+       const SCOPE_PUSH   = 'push';
+
        /**
         * @var string json|xml|rss|atom
         */
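Review bot: The four `const SCOPE_*` declarations carry no visibility modifier; they are accessed from every subclass in this commit via `self::SCOPE_READ` and so on, and an unmodified constant is public anyway, so say so explicitly, e.g. `public const SCOPE_READ   = 'read';` for each of the four. Style only, behaviour is unchanged.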
@@ -175,6 +180,8 @@ class BaseApi extends BaseModule
         *
         * Simple Auth allow username in form of <pre>user@server</pre>, ignoring server part
         *
+        * @param string $scope the requested scope (read, write, follow)
+        *
         * @return bool Was a user authenticated?
         * @throws HTTPException\ForbiddenException
         * @throws HTTPException\UnauthorizedException
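Review bot: The new `@param` line lists `read, write, follow`, but the same commit adds a fourth scope, `push` (SCOPE_PUSH in this class), and the parameter is non-optional; document the full set and point readers at the constants: `* @param string $scope the requested scope, one of the SCOPE_* constants (read, write, follow, push)`. The login() signature and body are in the later hunks of this file.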
@@ -186,7 +193,7 @@ class BaseApi extends BaseModule
         *               'authenticated' => return status,
         *               'user_record' => return authenticated user record
         */
-       protected static function login()
+       protected static function login(string $scope)
        {
                if (empty(self::$current_user_id)) {
                        self::$current_token = self::getTokenByBearer();
@@ -197,6 +204,13 @@ class BaseApi extends BaseModule
                        }
                }
 
+               if (!empty($scope) && !empty(self::$current_token)) {
+                       if (empty(self::$current_token[$scope])) {
+                               Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => self::$current_token]);
+                               DI::mstdnError()->Forbidden();
+                       }
+               }
+
                if (empty(self::$current_user_id)) {
                        // The execution stops here if no one is logged in
                        api_login(DI::app());
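Review bot: The guard `!empty($scope)` disagrees with the signature `login(string $scope)` in the previous hunk: the parameter is required, so either give it a default (`string $scope = ''`) if a no-scope call is meant to stay possible, or drop the emptiness test so that every call site must state a scope. It is also worth a comment that enforcement only covers bearer-token sessions, since when `self::$current_token` is empty the block is skipped and authentication falls through to api_login(), e.g. `// Scopes exist only for OAuth bearer tokens; sessions created by api_login() are not scope-checked here.` The branch presumably relies on DI::mstdnError()->Forbidden() terminating the request through System::jsonError(); if it ever returned, execution would continue into the authenticated path, so a `return false;` after it (or a comment noting the exit) would be defensive. login() continues outside the hunk.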
@@ -259,7 +273,7 @@ class BaseApi extends BaseModule
 
                $bearer = trim(substr($authorization, 7));
                $condition = ['access_token' => $bearer];
-               $token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow'], $condition);
+               $token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
                if (!DBA::isResult($token)) {
                        Logger::warning('Token not found', $condition);
                        return [];
@@ -332,8 +346,18 @@ class BaseApi extends BaseModule
                $access_token = bin2hex(random_bytes(32));
 
                $fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope,
-                       'read' => (stripos($scope, 'read') !== false), 'write' => (stripos($scope, 'write') !== false),
-                       'follow' => (stripos($scope, 'follow') !== false), 'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
+                       'read' => (stripos($scope, self::SCOPE_READ) !== false),
+                       'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
+                       'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
+                       'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
+                        'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
+
+               foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
+                       if ($fields[$scope] && !$application[$scope]) {
+                               Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
+                       }
+               }
+       
                if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
                        return [];
                }
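Review bot: The scope list on the new foreach duplicates SCOPE_WRITE and omits SCOPE_FOLLOW, so a token requesting `follow` from an application not registered for it is never noticed, and even when a mismatch is noticed the loop only logs and the token is still inserted with the broader scope, so an application can obtain scopes it was not granted at registration. The log context also includes `'token' => $fields`, which in the assignment above holds the plaintext `access_token` and `code`, so a misconfigured app writes bearer secrets into the log. Suggested lines: `foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_FOLLOW, self::SCOPE_PUSH] as $name) {`, `if ($fields[$name] && empty($application[$name])) {`, `Logger::warning('Requested token scope is not allowed for the application', ['scope' => $name, 'application-id' => $application['id']]); return [];` — returning `[]` matches the insert-failure path just below, or alternatively set `$fields[$name] = false;` to clamp rather than reject. Using `$name` avoids shadowing the `$scope` parameter that the `$fields` assignment reads, and the blank line after the loop carries trailing whitespace. The enclosing method starts outside the hunk.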
index a074ef0b82cf35ebc0a6fbe94a979fae40409282..835cb3ff37b5d784c3726efc7fd808dea6b1277e 100644 (file)
@@ -55,7 +55,7 @@
 use Friendica\Database\DBA;
 
 if (!defined('DB_UPDATE_VERSION')) {
-       define('DB_UPDATE_VERSION', 1417);
+       define('DB_UPDATE_VERSION', 1418);
 }
 
 return [
@@ -439,6 +439,7 @@ return [
                        "read" => ["type" => "boolean", "comment" => "Read scope"],
                        "write" => ["type" => "boolean", "comment" => "Write scope"],
                        "follow" => ["type" => "boolean", "comment" => "Follow scope"],
+                       "push" => ["type" => "boolean", "comment" => "Push scope"],
                ],
                "indexes" => [
                        "PRIMARY" => ["id"],
@@ -457,6 +458,7 @@ return [
                        "read" => ["type" => "boolean", "comment" => "Read scope"],
                        "write" => ["type" => "boolean", "comment" => "Write scope"],
                        "follow" => ["type" => "boolean", "comment" => "Follow scope"],
+                       "push" => ["type" => "boolean", "comment" => "Push scope"],
                ],
                "indexes" => [
                        "PRIMARY" => ["application-id", "uid"],
index 324f7f92675c6ac6512f60cd6b70011dc3a2b18b..488cbceaa2662e3c07ff92ddd4c8c6f5ea3048b5 100644 (file)
@@ -53,6 +53,7 @@
                        "read" => ["application-token", "read"],
                        "write" => ["application-token", "write"],
                        "follow" => ["application-token", "follow"],
+                       "push" => ["application-token", "push"],
                ],
                "query" => "FROM `application-token`
                        INNER JOIN `application` ON `application-token`.`application-id` = `application`.`id`"