Commit 1f8ddf71 authored by Zach Copley's avatar Zach Copley

Check for read vs. read-write access on OAuth authenticated API methods.

parent c2c930a8
......@@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
class ApiAction extends Action
{
const READ_ONLY = 1;
const READ_WRITE = 2;
var $format = null;
var $user = null;
var $auth_user = null;
......@@ -62,6 +65,8 @@ class ApiAction extends Action
var $since_id = null;
var $since = null;
var $access = self::READ_ONLY; // read (default) or read-write
/**
* Initialization.
*
......
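Review bot: The new constants `READ_ONLY = 1` and `READ_WRITE = 2` carry no comment, and because the OAuth path in this same commit tests `$appUser->access_type` as a bitmask, a reader may take these two as bit flags as well, although the check in `ApiAuthAction::handle()` compares `$this->access` with `==` against a single value. A one-line comment above them such as `// Access level of the authenticated caller; a single value, not a bitmask` would settle that. The default `var $access = self::READ_ONLY;` keeps callers whose authentication never sets a level at read-only, which is the fail-closed choice and worth stating in the existing trailing comment. The class body continues outside the hunk.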
......@@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
$this->checkOAuthRequest();
} else {
$this->checkBasicAuthUser();
// By default, all basic auth users have read and write access
$this->access = self::READ_WRITE;
}
}
return true;
}
function handle($args)
{
parent::handle($args);
if ($this->isReadOnly($args) == false) {
if ($this->access == self::READ_ONLY) {
$this->clientError(_('API method requires write access.'), 401);
exit();
}
}
}
function checkOAuthRequest()
{
common_debug("We have an OAuth request.");
......@@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
if ($this->oauth_access_type != 0) {
// Set the read or read-write access for the api call
$this->access = ($appUser->access_type & Oauth_application::$writeAccess)
? self::READ_WRITE : self::READ_ONLY;
$this->auth_user = User::staticGet('id', $appUser->profile_id);
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
......@@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
exit;
}
}
return true;
}
......
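Review bot: The write-access gate in the new `handle()` is only reached when a subclass calls `parent::handle($args)`, and it relies on `isReadOnly($args)` being overridden to return false by every write method; if the base `Action::isReadOnly()` defaults to true, a write action that forgets the override becomes callable with a read-only OAuth token, so that default is worth confirming and recording in a comment above the check. The comparison `if ($this->isReadOnly($args) == false)` is loose; `if (!$this->isReadOnly($args))` reads the same and avoids coercion. The status in `$this->clientError(_('API method requires write access.'), 401);` signals missing or invalid credentials, whereas this caller is authenticated but lacks scope, so 403 may describe the condition better unless the API being mirrored mandates 401. The basic-auth default in `prepare()` and the mask test in the second hunk leave OAuth requests with `oauth_access_type == 0` at the READ_ONLY default, which is the fail-closed direction. `prepare()` and `checkOAuthRequest()` start and end outside their hunks.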