diff options
author | Zach Copley <zach@status.net> | 2010-01-14 02:16:03 +0000 |
---|---|---|
committer | Zach Copley <zach@status.net> | 2010-01-24 16:36:06 -0800 |
commit | 1f8ddf716d0b54cc40aa89e595fe2232a10e7a2a (patch) | |
tree | e4634fe418ddde6d790e18a41c9e01f28bb75930 | |
parent | c2c930a8556cca866dfa0eba2fe1a8242eef71f2 (diff) |
Check for read vs. read-write access on OAuth authenticated API mehtods.
-rw-r--r-- | lib/api.php | 5 | ||||
-rw-r--r-- | lib/apiauth.php | 20 |
2 files changed, 25 insertions, 0 deletions
diff --git a/lib/api.php b/lib/api.php index 707e4ac21..794b14050 100644 --- a/lib/api.php +++ b/lib/api.php @@ -53,6 +53,9 @@ if (!defined('STATUSNET')) { class ApiAction extends Action { + const READ_ONLY = 1; + const READ_WRITE = 2; + var $format = null; var $user = null; var $auth_user = null; @@ -62,6 +65,8 @@ class ApiAction extends Action var $since_id = null; var $since = null; + var $access = self::READ_ONLY; // read (default) or read-write + /** * Initialization. * diff --git a/lib/apiauth.php b/lib/apiauth.php index 431f3ac4f..8374c24a7 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction $this->checkOAuthRequest(); } else { $this->checkBasicAuthUser(); + // By default, all basic auth users have read and write access + + $this->access = self::READ_WRITE; } } return true; } + function handle($args) + { + parent::handle($args); + + if ($this->isReadOnly($args) == false) { + if ($this->access == self::READ_ONLY) { + $this->clientError(_('API method requires write access.'), 401); + exit(); + } + } + } + function checkOAuthRequest() { common_debug("We have an OAuth request."); @@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction if ($this->oauth_access_type != 0) { + // Set the read or read-write access for the api call + $this->access = ($appUser->access_type & Oauth_application::$writeAccess) + ? self::READ_WRITE : self::READ_ONLY; + $this->auth_user = User::staticGet('id', $appUser->profile_id); $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . @@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction exit; } } + return true; } |