Check for read vs. read-write access on OAuth authenticated API methods.
authorZach Copley <zach@status.net>
Thu, 14 Jan 2010 02:16:03 +0000 (02:16 +0000)
committerZach Copley <zach@status.net>
Thu, 14 Jan 2010 02:41:10 +0000 (02:41 +0000)
lib/api.php
lib/apiauth.php

index 707e4ac21a421ee75260fc4bb950e43c7727c8af..794b14050709dddb7d9503a3cad05b829a783cce 100644 (file)
@@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
 
 class ApiAction extends Action
 {
+    const READ_ONLY  = 1;
+    const READ_WRITE = 2;
+
     var $format    = null;
     var $user      = null;
     var $auth_user = null;
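Review bot: The new `READ_ONLY = 1` / `READ_WRITE = 2` constants have no comment, and their values look like bit flags even though the rest of the commit compares them with `==` as mutually exclusive levels, distinct from the `Oauth_application::$writeAccess` bitmask they are derived from. A reader could easily start OR-ing them together. Add a short comment above them, e.g. `// Access level of the authenticated request; these are levels, not bit flags, and READ_ONLY is the fail-closed default.` The class body continues past this hunk.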
@@ -62,6 +65,8 @@ class ApiAction extends Action
     var $since_id  = null;
     var $since     = null;
 
+    var $access    = self::READ_ONLY;  // read (default) or read-write
+
     /**
      * Initialization.
      *
index 431f3ac4fdbe9bcc32545ed653ef7660aa9a04f7..8374c24a7fdfcf5d53a70a85d853e88becc73df5 100644 (file)
@@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
                 $this->checkOAuthRequest();
             } else {
                 $this->checkBasicAuthUser();
+                // By default, all basic auth users have read and write access
+
+                $this->access = self::READ_WRITE;
             }
         }
 
         return true;
     }
 
+    function handle($args)
+    {
+        parent::handle($args);
+
+        if ($this->isReadOnly($args) == false) {
+            if ($this->access == self::READ_ONLY) {
+                $this->clientError(_('API method requires write access.'), 401);
+                exit();
+            }
+        }
+    }
+
     function checkOAuthRequest()
     {
         common_debug("We have an OAuth request.");
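Review bot: The write-access rejection in the new `handle()` returns 401, but by the time it runs the caller has already authenticated (the OAuth or basic-auth check above succeeded) and merely lacks authorization for a write, which is 403 Forbidden; a 401 tells clients to retry with different credentials instead of requesting a read-write token. Change the line to `$this->clientError(_('API method requires write access.'), 403);`. The gate also relies on each action overriding `isReadOnly()`; if the base implementation defaults to false (not visible here) an action that forgets the override is denied for read-only tokens, which is the safe direction but worth stating at the check, e.g. `// Actions must override isReadOnly(); anything not declared read-only is treated as a write.` Note the check only protects subclasses that call `parent::handle()` before doing their work, and `!$this->isReadOnly($args)` reads better than `== false`.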
@@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
 
                 if ($this->oauth_access_type != 0) {
 
+                    // Set the read or read-write access for the api call
+                    $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
+                      ? self::READ_WRITE : self::READ_ONLY;
+
                     $this->auth_user = User::staticGet('id', $appUser->profile_id);
 
                     $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
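Review bot: The read/read-write decision at `$this->access = ($appUser->access_type & Oauth_application::$writeAccess) ? ...` is taken from the per-user grant alone; if the registered application also carries its own access_type (not visible in this hunk), a grant broader than the application's current registration would still yield write access, so AND-ing the application's mask into the expression would be safer — confirm which local holds the application record before adopting that. When `oauth_access_type` is 0 this branch is skipped and `$this->access` keeps the class default, which is READ_ONLY, so that path fails closed; a comment such as `// If no access type was resolved, the READ_ONLY default set on the property applies.` at the top of the branch would make the intent explicit. The enclosing checkOAuthRequest() starts and ends outside this hunk.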
@@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
                 exit;
             }
         }
+
         return true;
     }