authorZach Copley <zach@status.net>2010-01-14 02:16:03 +0000
committerZach Copley <zach@status.net>2010-01-24 16:36:06 -0800
commit1f8ddf716d0b54cc40aa89e595fe2232a10e7a2a (patch)
treee4634fe418ddde6d790e18a41c9e01f28bb75930
parentc2c930a8556cca866dfa0eba2fe1a8242eef71f2 (diff)
Check for read vs. read-write access on OAuth authenticated API methods.
-rw-r--r--lib/api.php5
-rw-r--r--lib/apiauth.php20
2 files changed, 25 insertions, 0 deletions
diff --git a/lib/api.php b/lib/api.php
index 707e4ac21..794b14050 100644
--- a/lib/api.php
+++ b/lib/api.php
@@ -53,6 +53,9 @@ if (!defined('STATUSNET')) {
class ApiAction extends Action
{
+ const READ_ONLY = 1;
+ const READ_WRITE = 2;
+
var $format = null;
var $user = null;
var $auth_user = null;
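Review bot: The new constants READ_ONLY and READ_WRITE carry no comment explaining that they are the two values the $access property may hold and what each permits; a short doc comment above them, e.g. `// Access levels for an authenticated API call; READ_ONLY is the default, READ_WRITE is needed for state-changing methods`, would make the contract visible to anyone adding a new level later. The class body continues outside the hunk.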
@@ -62,6 +65,8 @@ class ApiAction extends Action
var $since_id = null;
var $since = null;
+ var $access = self::READ_ONLY; // read (default) or read-write
+
/**
* Initialization.
*
diff --git a/lib/apiauth.php b/lib/apiauth.php
index 431f3ac4f..8374c24a7 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
$this->checkOAuthRequest();
} else {
$this->checkBasicAuthUser();
+ // By default, all basic auth users have read and write access
+
+ $this->access = self::READ_WRITE;
}
}
return true;
}
+ function handle($args)
+ {
+ parent::handle($args);
+
+ if ($this->isReadOnly($args) == false) {
+ if ($this->access == self::READ_ONLY) {
+ $this->clientError(_('API method requires write access.'), 401);
+ exit();
+ }
+ }
+ }
+
function checkOAuthRequest()
{
common_debug("We have an OAuth request.");
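Review bot: The write-access check in the new handle() only protects subclasses that call parent::handle($args) before doing any state-changing work; a subclass that performs its update first and calls the parent afterwards would bypass it, which is worth stating above the method, e.g. `// Subclasses must call parent::handle() before any state-changing work; the write-access check is enforced here.` The loose comparison `if ($this->isReadOnly($args) == false)` reads better as `if (!$this->isReadOnly($args))`. A request that is authenticated but lacks write permission is an authorization failure rather than an authentication one, so 403 arguably fits better than the 401 used here, unless 401 was chosen deliberately to match the rest of the API. checkOAuthRequest's body continues outside the hunk.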
@@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
if ($this->oauth_access_type != 0) {
+ // Set the read or read-write access for the api call
+ $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
+ ? self::READ_WRITE : self::READ_ONLY;
+
$this->auth_user = User::staticGet('id', $appUser->profile_id);
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
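Review bot: The access level is derived from `$appUser->access_type`, while the enclosing branch is gated on `$this->oauth_access_type != 0`; if those are meant to be the same value, a comment should say so, since a mismatch between the two would assign the wrong level. Because the assignment sits inside that branch, a request that skips it keeps the READ_ONLY default from the property declaration, which is the fail-closed behaviour and deserves a mention in the comment: `// Set the read or read-write access for the api call; anything else stays READ_ONLY`. The enclosing function starts before this hunk.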
@@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
exit;
}
}
+
return true;
}