case Right::EMAILONFAVE:
$result = !$this->isSandboxed();
break;
+ case Right::WEBLOGIN:
+ $result = !$this->isSilenced();
+ break;
+ case Right::API:
+ $result = !$this->isSilenced();
+ break;
case Right::BACKUPACCOUNT:
$result = common_config('profile', 'backup');
break;
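Review bot: The two added cases, `Right::WEBLOGIN` and `Right::API`, have identical bodies, and no comment says why silencing rather than sandboxing is the gate. They could share one body via fall-through, with `case Right::WEBLOGIN:` directly followed by `case Right::API:`, under a comment such as `// silenced users may neither log in on the web nor call the API`. The switch begins and ends outside the hunk, so how an unlisted right defaults is not visible here.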
// Set the auth user
if (Event::handle('StartSetApiUser', array(&$user))) {
- $this->auth_user = User::staticGet('id', $appUser->profile_id);
+ $user = User::staticGet('id', $appUser->profile_id);
+ if (!empty($user)) {
+ if (!$user->hasRight(Right::API)) {
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
+ }
+ $this->auth_user = $user;
Event::handle('EndSetApiUser', array($user));
}
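Review bot: The `Right::API` check sits inside the `if (Event::handle('StartSetApiUser', array(&$user)))` branch, so it runs only when no handler claims the event. If a plugin handles StartSetApiUser, supplies its own `$user` and returns false, a silenced account would presumably never reach `hasRight()`. The same placement applies to the basic-auth hunk that follows and to the `Right::WEBLOGIN` check under StartSetUser in the session-setting hunk. Consider moving the `hasRight()` test to the point where the user is finally accepted, after the hook block, so that every path is covered. The enclosing method starts and ends outside the hunk, so where `auth_user` is set on the handler path is not visible.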
if (Event::handle('StartSetApiUser', array(&$user))) {
if (!empty($user)) {
+ if (!$user->hasRight(Right::API)) {
+ throw new AuthorizationException(_('Not allowed to use API.'));
+ }
$this->auth_user = $user;
}
--- /dev/null
+<?php
+/**
+ * StatusNet - the distributed open-source microblogging tool
+ * Copyright (C) 2011, StatusNet, Inc.
+ *
+ * An exception for authorization errors
+ *
+ * PHP version 5
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @category Exception
+ * @package StatusNet
+ * @author Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet, Inc.
+ * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
+ * @link http://status.net/
+ */
+
+if (!defined('STATUSNET')) {
+ // This check helps protect against security problems;
+ // your code file can't be executed directly from the web.
+ exit(1);
+}
+
+/**
+ * An exception for authorization issues
+ *
+ * @category Exception
+ * @package StatusNet
+ * @author Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet, Inc.
+ * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
+ * @link http://status.net/
+ */
+
+class AuthorizationException extends ClientException
+{
+ /**
+ * Constructor
+ *
+ * @param string $message Message for the exception
+ */
+ public function __construct($message=null)
+ {
+ parent::__construct($message, 403);
+ }
+}
const DELETEACCOUNT = 'deleteaccount';
const MOVEACCOUNT = 'moveaccount';
const CREATEGROUP = 'creategroup';
+ const WEBLOGIN = 'weblogin';
+ const API = 'api';
}
if ($user) {
if (Event::handle('StartSetUser', array(&$user))) {
- if($user){
+ if (!empty($user)) {
+ if (!$user->hasRight(Right::WEBLOGIN)) {
+ throw new AuthorizationException(_('Not allowed to log in.'));
+ }
common_ensure_session();
$_SESSION['userid'] = $user->id;
$_cur = $user;
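Review bot: The `Right::WEBLOGIN` check runs only when a session is being established, so an account silenced after logging in would keep its existing session. That holds unless the code that restores the current user from `$_SESSION['userid']` also consults `hasRight(Right::WEBLOGIN)`, which is not visible in this hunk. The added `throw` also introduces an exception path, so callers such as login, registration and remember-me handling should be confirmed to catch `AuthorizationException` or to rely on a top-level handler that renders the 403. A comment above the check, such as `// users without the WEBLOGIN right (e.g. silenced) must not get a session`, would document the intent. The function body continues outside the hunk.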
* @package StatusNet
* @author Craig Andrews <candrews@integralblue.com>
* @author Brion Vibber <brion@status.net>
+ * @author Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet Inc. http://status.net/
* @copyright 2009 Free Software Foundation, Inc http://www.fsf.org
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
public $trustedOpenIDs = array();
+ /**
+ * Whether or not to disallow login for unvalidated users.
+ */
+
+ public $disallowLogin = false;
+
/**
* Event handler for notice saves; rejects the notice
* if user's address isn't validated.
*/
function onUserRightsCheck(Profile $profile, $right, &$result)
{
- if ($right == Right::CREATEGROUP) {
+ if ($right == Right::CREATEGROUP ||
+ ($this->disallowLogin && ($right == Right::WEBLOGIN || $right == Right::API))) {
$user = User::staticGet('id', $profile->id);
if ($user && !$this->validated($user)) {
$result = false;
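Review bot: With `disallowLogin` enabled, a freshly registered account is unvalidated by definition, so any flow that logs the user in right after registration would now be denied `Right::WEBLOGIN`. It is worth confirming that registration and the address-confirmation step still work without a session. The docblock above `onUserRightsCheck` still describes notice saves and should say what the handler now vetoes, e.g. `Denies CREATEGROUP, and WEBLOGIN/API when $disallowLogin is set, to users without a validated address.` The property comment should also mention that the flag covers API access as well as web login. The function body continues past the hunk.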