Check for read vs. read-write access on OAuth authenticated API mehtods.

diff --git a/lib/api.php b/lib/api.php
index 707e4ac21a421ee75260fc4bb950e43c7727c8af..794b14050709dddb7d9503a3cad05b829a783cce 100644 (file)
--- a/lib/api.php
+++ b/lib/api.php
@@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
 
 class ApiAction extends Action
 {
+    const READ_ONLY  = 1;
+    const READ_WRITE = 2;
+
     var $format    = null;
     var $user      = null;
     var $auth_user = null;
@@ -62,6 +65,8 @@ class ApiAction extends Action
     var $since_id  = null;
     var $since     = null;
 
+    var $access    = self::READ_ONLY;  // read (default) or read-write
+
     /**
      * Initialization.
      *

diff --git a/lib/apiauth.php b/lib/apiauth.php
index 431f3ac4fdbe9bcc32545ed653ef7660aa9a04f7..8374c24a7fdfcf5d53a70a85d853e88becc73df5 100644 (file)
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
                 $this->checkOAuthRequest();
             } else {
                 $this->checkBasicAuthUser();
+                // By default, all basic auth users have read and write access
+
+                $this->access = self::READ_WRITE;
             }
         }
 
         return true;
     }
 
+    function handle($args)
+    {
+        parent::handle($args);
+
+        if ($this->isReadOnly($args) == false) {
+            if ($this->access == self::READ_ONLY) {
+                $this->clientError(_('API method requires write access.'), 401);
+                exit();
+            }
+        }
+    }
+
     function checkOAuthRequest()
     {
         common_debug("We have an OAuth request.");
@@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
 
                 if ($this->oauth_access_type != 0) {
 
+                    // Set the read or read-write access for the api call
+                    $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
+                      ? self::READ_WRITE : self::READ_ONLY;
+
                     $this->auth_user = User::staticGet('id', $appUser->profile_id);
 
                     $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
@@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
                 exit;
             }
         }
+
         return true;
     }