Commit 70235d7f authored by Adrian Lang's avatar Adrian Lang

Update libomb, fix some omb handling stuff, improve error handling.

parent b0bb1fff
......@@ -76,11 +76,10 @@ class FinishremotesubscribeAction extends Action
/* Create user objects for both users. Do it early for request
validation. */
$listenee = $service->getListeneeURI();
$user = User::staticGet('uri', $listenee);
$user = User::staticGet('uri', $service->getListeneeURI());
if (!$user) {
$this->clientError(_('User being listened to doesn\'t exist.'));
$this->clientError(_('User being listened to does not exist.'));
return;
}
......@@ -91,21 +90,31 @@ class FinishremotesubscribeAction extends Action
return;
}
$remote = Remote_profile::staticGet('uri', $service->getListenerURI());
$profile = Profile::staticGet($remote->id);
if ($user->hasBlocked($profile)) {
$this->clientError(_('That user has blocked you from subscribing.'));
return;
}
/* Perform the handling itself via libomb. */
try {
$service->finishAuthorization($listenee);
$service->finishAuthorization();
} catch (OAuthException $e) {
if ($e->getMessage() == 'The authorized token does not equal the ' .
'submitted token.') {
$this->clientError(_('Not authorized.'));
$this->clientError(_('You are not authorized.'));
return;
} else {
$this->clientError(_('Couldn\'t convert request token to ' .
$this->clientError(_('Could not convert request token to ' .
'access token.'));
return;
}
} catch (OMB_RemoteServiceException $e) {
$this->clientError(_('Unknown version of OMB protocol.'));
$this->clientError(_('Remote service uses unknown version of ' .
'OMB protocol.'));
return;
} catch (Exception $e) {
common_debug('Got exception ' . print_r($e, true), __FILE__);
......@@ -115,8 +124,6 @@ class FinishremotesubscribeAction extends Action
/* The service URLs are not accessible from datastore, so setting them
after insertion of the profile. */
$remote = Remote_profile::staticGet('uri', $service->getListenerURI());
$orig_remote = clone($remote);
$remote->postnoticeurl =
......
......@@ -47,12 +47,28 @@ require_once INSTALLDIR.'/extlib/libomb/service_provider.php';
*/
class PostnoticeAction extends Action
{
/**
* For initializing members of the class.
*
* @param array $argarray misc. arguments
*
* @return boolean true
*/
function prepare($argarray)
{
parent::prepare($argarray);
try {
$this->checkNotice();
} catch (Exception $e) {
$this->clientError($e->getMessage());
return false;
}
return true;
}
function handle($args)
{
parent::handle($args);
if (!$this->checkNotice()) {
return;
}
try {
$srv = new OMB_Service_Provider(null, omb_oauth_datastore(),
omb_oauth_server());
......@@ -67,10 +83,15 @@ class PostnoticeAction extends Action
{
$content = common_shorten_links($_POST['omb_notice_content']);
if (mb_strlen($content) > 140) {
$this->clientError(_('Invalid notice content'), 400);
return false;
throw new Exception(_('The notice content is too long.'));
}
$license = $_POST['omb_notice_license'];
$site_license = common_config('license', 'url');
if ($license && !common_compatible_license($license, $site_license)) {
throw new Exception(sprintf(_('Notice license ‘%s’ is not ' .
'compatible with site license ‘%s’.'),
$license, $site_license));
}
return true;
}
}
?>
......@@ -153,12 +153,11 @@ class RemotesubscribeAction extends Action
$this->profile_url = $this->trimmed('profile_url');
if (!$this->profile_url) {
$this->showForm(_('No such user.'));
$this->showForm(_('No such user'));
return;
}
if (!Validate::uri($this->profile_url,
array('allowed_schemes' => array('http', 'https')))) {
if (!common_valid_http_url($this->profile_url)) {
$this->showForm(_('Invalid profile URL (bad format)'));
return;
}
......@@ -176,14 +175,14 @@ class RemotesubscribeAction extends Action
if ($service->getServiceURI(OAUTH_ENDPOINT_REQUEST) ==
common_local_url('requesttoken') ||
User::staticGet('uri', $service->getRemoteUserURI())) {
$this->showForm(_('That\'s a local profile! Login to subscribe.'));
$this->showForm(_('Thats a local profile! Login to subscribe.'));
return;
}
try {
$service->requestToken();
} catch (OMB_RemoteServiceException $e) {
$this->showForm(_('Couldn\'t get a request token.'));
$this->showForm(_('Couldnt get a request token.'));
return;
}
......
......@@ -48,9 +48,31 @@ require_once INSTALLDIR.'/extlib/libomb/service_provider.php';
class UpdateprofileAction extends Action
{
/**
* For initializing members of the class.
*
* @param array $argarray misc. arguments
*
* @return boolean true
*/
function prepare($argarray)
{
parent::prepare($argarray);
$license = $_POST['omb_listenee_license'];
$site_license = common_config('license', 'url');
if (!common_compatible_license($license, $site_license)) {
$this->clientError(sprintf(_('Listenee stream license ‘%s’ is not '.
'compatible with site license ‘%s’.'),
$license, $site_license);
return false;
}
return true;
}
function handle($args)
{
parent::handle($args);
try {
$srv = new OMB_Service_Provider(null, omb_oauth_datastore(),
omb_oauth_server());
......
......@@ -80,7 +80,7 @@ class UserauthorizationAction extends Action
try {
$this->validateOmb();
$srv = new OMB_Service_Provider(
profile_to_omb_profile($_GET['omb_listener'], $profile),
profile_to_omb_profile($user->uri, $profile),
omb_oauth_datastore());
$remote_user = $srv->handleUserAuth();
......@@ -111,8 +111,8 @@ class UserauthorizationAction extends Action
{
$this->element('p', null, _('Please check these details to make sure '.
'that you want to subscribe to this ' .
'user\'s notices. If you didn\'t just ask ' .
'to subscribe to someone\'s notices, '.
'user’s notices. If you didn’t just ask ' .
'to subscribe to someones notices, '.
'click “Reject”.'));
}
......@@ -249,7 +249,7 @@ class UserauthorizationAction extends Action
common_show_header(_('Subscription authorized'));
$this->element('p', null,
_('The subscription has been authorized, but no '.
'callback URL was passed. Check with the site\'s ' .
'callback URL was passed. Check with the sites ' .
'instructions for details on how to authorize the ' .
'subscription. Your subscription token is:'));
$this->element('blockquote', 'token', $tok);
......@@ -261,7 +261,7 @@ class UserauthorizationAction extends Action
common_show_header(_('Subscription rejected'));
$this->element('p', null,
_('The subscription has been rejected, but no '.
'callback URL was passed. Check with the site\'s ' .
'callback URL was passed. Check with the sites ' .
'instructions for details on how to fully reject ' .
'the subscription.'));
common_show_footer();
......@@ -295,16 +295,19 @@ class UserauthorizationAction extends Action
$user = User::staticGet('uri', $listener);
if (!$user) {
throw new Exception("Listener URI '$listener' not found here");
throw new Exception(sprintf(_('Listener URI ‘%s’ not found here'),
$listener));
}
$cur = common_current_user();
if ($cur->id != $user->id) {
throw new Exception('Can\'t subscribe for another user!');
if (strlen($listenee) > 255) {
throw new Exception(sprintf(_('Listenee URI ‘%s’ is too long.'),
$listenee));
}
$other = User::staticGet('uri', $listenee);
if ($other) {
throw new Exception("Listenee URI '$listenee' is local user");
throw new Exception(sprintf(_('Listenee URI ‘%s’ is a local user.'),
$listenee));
}
$remote = Remote_profile::staticGet('uri', $listenee);
......@@ -318,27 +321,34 @@ class UserauthorizationAction extends Action
}
if ($profile == common_profile_url($nickname)) {
throw new Exception("Profile URL '$profile' is for a local user.");
throw new Exception(sprintf(_('Profile URL ‘%s’ is for a local user.'),
$profile));
}
$license = $_GET['omb_listenee_license'];
$site_license = common_config('license', 'url');
if (!common_compatible_license($license, $site_license)) {
throw new Exception("Listenee stream license '$license' is not " .
"compatible with site license '$site_license'.");
throw new Exception(sprintf(_('Listenee stream license ‘%s’ is not ' .
'compatible with site license ‘%s’.'),
$license, $site_license));
}
$avatar = $_GET['omb_listenee_avatar'];
if ($avatar) {
if (!common_valid_http_url($avatar) || strlen($avatar) > 255) {
throw new Exception("Invalid avatar URL '$avatar'");
throw new Exception(sprintf(_('Avatar URL ‘%s’ is not valid.'),
$avatar));
}
$size = @getimagesize($avatar);
if (!$size) {
throw new Exception("Can't read avatar URL '$avatar'.");
throw new Exception(sprintf(_('Can’t read avatar URL ‘%s’.'),
$avatar));
}
if (!in_array($size[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG,
IMAGETYPE_PNG))) {
throw new Exception("Wrong image type for '$avatar'");
throw new Exception(sprintf(_('Wrong image type for avatar URL '.
'‘%s’.'), $avatar));
}
}
}
......
......@@ -5,26 +5,28 @@ require_once 'OAuth.php';
/**
* Data access interface
*
* This interface specifies data access methods libomb needs. It
* should be implemented by libomb users.
* OMB_Datastore is libomb’s main interface to the application’s data.
* This interface specifies data access methods libomb needs. It should be
* implemented by libomb users. OMB_Datastore is libomb’s main interface to the
* application’s data. Objects corresponding to this interface are used in
* OMB_Service_Provider and OMB_Service_Consumer.
*
* Note that it’s implemented as a class since OAuthDataStore is as well a
* class, though only declaring methods.
*
* OMB_Datastore extends OAuthDataStore with two OAuth-related methods for token
* revoking and authorizing and all OMB-related methods.
* Refer to OAuth.php for a complete specification of OAuth-related methods.
*
* It is the user’s duty to signal and handle errors. libomb does not check
* return values nor handle exceptions. It is suggested to use exceptions.
* Note that lookup_token and getProfile return null if the requested object
* is not available. This is NOT an error and should not raise an exception.
* Same applies for lookup_nonce which returns a boolean value. These methods
* may nevertheless throw an exception, for example in case of a storage error.
* may nevertheless throw an exception, for example in case of a storage errors.
*
* Objects corresponding to this interface are used in OMB_Service_Provider and
* OMB_Service_Consumer.
*
* OMB_Datastore extends OAuthDataStore with two OAuth-related methods for token
* revoking and authorizing and all OMB-related methods.
* Refer to OAuth.php for a complete specification of OAuth-related methods.
*
* Note that it’s implemented as a class since OAuthDataStore is as well a
* class, though only declaring methods.
* Most of the parameters passed to these methods are unescaped and unverified
* user input. Therefore they should be handled with extra care to avoid
* security problems like SQL injections.
*
* PHP version 5
*
......@@ -59,7 +61,7 @@ class OMB_Datastore extends OAuthDataStore {
* Revokes the authorization token specified by $token_key.
* Throws exceptions in case of error.
*
* @param string $token_key The token to be revoked
* @param string $token_key The key of the token to be revoked
*
* @access public
**/
......@@ -73,7 +75,7 @@ class OMB_Datastore extends OAuthDataStore {
* Authorizes the authorization token specified by $token_key.
* Throws exceptions in case of error.
*
* @param string $token_key The token to be authorized
* @param string $token_key The key of the token to be authorized
*
* @access public
**/
......
......@@ -111,6 +111,12 @@ class OMB_Service_Provider {
* Throws exceptions on failures. Returns an OMB_Profile object representing
* the remote user.
*
* The OMB_Profile passed to the constructor of OMB_Service_Provider should
* not represent the user specified in the authorization request, but the one
* currently logged in to the service. This condition being satisfied,
* handleUserAuth will check whether the listener specified in the request is
* identical to the logged in user.
*
* @access public
*
* @return OMB_Profile The profile of the soon-to-be subscribed, i. e. remote
......@@ -150,6 +156,10 @@ class OMB_Service_Provider {
/* Store given callback for later use. */
if (isset($_GET['oauth_callback']) && $_GET['oauth_callback'] !== '') {
$this->callback = $_GET['oauth_callback'];
if (!OMB_Helper::validateURL($this->callback)) {
throw OMB_RemoteServiceException::forRequest(OAUTH_ENDPOINT_AUTHORIZE,
'Invalid callback URL specified');
}
}
$this->remote_user = OMB_Profile::fromParameters($_GET, 'omb_listenee');
......@@ -205,13 +215,16 @@ class OMB_Service_Provider {
/**
* Echo an access token
*
* Outputs an access token for the query found in $_GET or $_POST.
* Outputs an access token for the query found in $_POST. OMB 0.1 specifies
* that the access token request has to be a POST even if OAuth allows GET as
* well.
*
* @access public
**/
public function writeAccessToken() {
OMB_Helper::removeMagicQuotesFromRequest();
echo $this->getOAuthServer()->fetch_access_token(OAuthRequest::from_request());
echo $this->getOAuthServer()->fetch_access_token(
OAuthRequest::from_request('POST'));
}
/**
......@@ -235,7 +248,8 @@ class OMB_Service_Provider {
/**
* Handle a postnotice request
*
* Handles a postnotice request posted to this service.
* Handles a postnotice request posted to this service. Saves the notice
* through the OMB_Datastore.
*
* @access public
*
......@@ -264,7 +278,7 @@ class OMB_Service_Provider {
protected function handleOMBRequest($uri) {
OMB_Helper::removeMagicQuotesFromRequest();
$req = OAuthRequest::from_request();
$req = OAuthRequest::from_request('POST');
$listenee = $req->get_parameter('omb_listenee');
try {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment