XSS vulnerability when remote-subscribing

[quix0rs-gnu-social.git] / actions / apistatusesdestroy.php

diff --git a/actions/apistatusesdestroy.php b/actions/apistatusesdestroy.php
index 0dfeb48122df5e8efa43992e5408f26d411aa59e..2d32124c42d48bcd984f0423848f1b374cb05322 100644 (file)
--- a/actions/apistatusesdestroy.php
+++ b/actions/apistatusesdestroy.php
@@ -38,8 +38,6 @@ if (!defined('STATUSNET')) {
     exit(1);
 }
 
-require_once INSTALLDIR . '/lib/apiauth.php';
-
 /**
  * Deletes one of the authenticating user's statuses (notices).
  *
@@ -55,7 +53,6 @@ require_once INSTALLDIR . '/lib/apiauth.php';
  * @license  http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
  * @link     http://status.net/
  */
-
 class ApiStatusesDestroyAction extends ApiAuthAction
 {
     var $status = null;
@@ -66,9 +63,7 @@ class ApiStatusesDestroyAction extends ApiAuthAction
      * @param array $args $_REQUEST args
      *
      * @return boolean success flag
-     *
      */
-
     function prepare($args)
     {
         parent::prepare($args);
@@ -80,7 +75,7 @@ class ApiStatusesDestroyAction extends ApiAuthAction
             $this->notice_id = (int)$this->arg('id');
         }
 
-        $this->notice = Notice::staticGet((int)$this->notice_id);
+        $this->notice = Notice::getKV((int)$this->notice_id);
 
         return true;
      }
@@ -94,13 +89,13 @@ class ApiStatusesDestroyAction extends ApiAuthAction
      *
      * @return void
      */
-
     function handle($args)
     {
         parent::handle($args);
 
         if (!in_array($this->format, array('xml', 'json'))) {
             $this->clientError(
+                // TRANS: Client error displayed when coming across a non-supported API method.
                 _('API method not found.'),
                 404
             );
@@ -109,6 +104,8 @@ class ApiStatusesDestroyAction extends ApiAuthAction
 
         if (!in_array($_SERVER['REQUEST_METHOD'], array('POST', 'DELETE'))) {
             $this->clientError(
+                // TRANS: Client error displayed trying to delete a status not using POST or DELETE.
+                // TRANS: POST and DELETE should not be translated.
                 _('This method requires a POST or DELETE.'),
                 400,
                 $this->format
@@ -118,6 +115,7 @@ class ApiStatusesDestroyAction extends ApiAuthAction
 
         if (empty($this->notice)) {
             $this->clientError(
+                // TRANS: Client error displayed trying to delete a status with an invalid ID.
                 _('No status found with that ID.'),
                 404, $this->format
             );
@@ -125,13 +123,14 @@ class ApiStatusesDestroyAction extends ApiAuthAction
         }
 
         if ($this->user->id == $this->notice->profile_id) {
-            $replies = new Reply;
-            $replies->get('notice_id', $this->notice_id);
-            $replies->delete();
-            $this->notice->delete();
+            if (Event::handle('StartDeleteOwnNotice', array($this->user, $this->notice))) {
+                $this->notice->deleteAs($this->scoped);
+                Event::handle('EndDeleteOwnNotice', array($this->user, $this->notice));
+            }
                $this->showNotice();
         } else {
             $this->clientError(
+                // TRANS: Client error displayed trying to delete a status of another user.
                 _('You may not delete another user\'s status.'),
                 403,
                 $this->format
@@ -144,7 +143,6 @@ class ApiStatusesDestroyAction extends ApiAuthAction
      *
      * @return void
      */
-
     function showNotice()
     {
         if (!empty($this->notice)) {
@@ -155,5 +153,4 @@ class ApiStatusesDestroyAction extends ApiAuthAction
             }
         }
     }
-
 }