From: Mikael Nordfeldth Date: Sat, 31 Jan 2015 15:27:21 +0000 (+0100) Subject: API notice access was not access restricted X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=eff3256f5937204f883207781c50399e9b6fd9b2;p=quix0rs-gnu-social.git API notice access was not access restricted --- diff --git a/actions/apistatusesshow.php b/actions/apistatusesshow.php index 3a60b87637..2a7702ee3c 100644 --- a/actions/apistatusesshow.php +++ b/actions/apistatusesshow.php @@ -34,9 +34,7 @@ * @link http://status.net/ */ -if (!defined('STATUSNET')) { - exit(1); -} +if (!defined('GNUSOCIAL')) { exit(1); } /** * Returns the notice specified by id as a Twitter-style status and inline user @@ -65,7 +63,7 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction * * @return boolean success flag */ - function prepare($args) + protected function prepare(array $args=array()) { parent::prepare($args); @@ -76,12 +74,12 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction $this->notice_id = (int)$this->trimmed('id'); - if (empty($notice_id)) { - $this->notice_id = (int)$this->arg('id'); + $this->notice = Notice::getKV($this->notice_id); + if (!$this->notice->inScope($this->scoped)) { + // TRANS: Client exception thrown when trying a view a notice the user has no access to. + throw new ClientException(_('Access restricted.'), 403); } - $this->notice = Notice::getKV((int)$this->notice_id); - return true; } @@ -90,13 +88,11 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction * * Check the format and show the notice * - * @param array $args $_REQUEST data (unused) - * * @return void */ - function handle($args) + protected function handle() { - parent::handle($args); + parent::handle(); if (!in_array($this->format, array('xml', 'json', 'atom'))) { // TRANS: Client error displayed when coming across a non-supported API method. diff --git a/actions/shownotice.php b/actions/shownotice.php index 1d01244cc1..2576bcc111 100644 --- a/actions/shownotice.php +++ b/actions/shownotice.php @@ -77,7 +77,7 @@ class ShownoticeAction extends ManagedAction if (!$this->notice->inScope($this->scoped)) { // TRANS: Client exception thrown when trying a view a notice the user has no access to. - throw new ClientException(_('Not available.'), 403); + throw new ClientException(_('Access restricted.'), 403); } $this->profile = $this->notice->getProfile();