Merge branch '0.8.x' of git@gitorious.org:laconica/dev into 0.8.x

5 files changed, 63 insertions, 60 deletions

diff --git a/actions/api.php b/actions/api.php
index 08f5fadad..18c3b68d4 100644
--- a/actions/api.php
+++ b/actions/api.php
@@ -75,14 +75,14 @@ class ApiAction extends Action
             }
         } else {
 
-			# Caller might give us a username even if not required
-			if (isset($_SERVER['PHP_AUTH_USER'])) {
-				$user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
-				if ($user) {
-					$this->user = $user;
-				}
-				# Twitter doesn't throw an error if the user isn't found
-			}
+            // Caller might give us a username even if not required
+            if (isset($_SERVER['PHP_AUTH_USER'])) {
+                $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
+                if ($user) {
+                    $this->user = $user;
+                }
+                # Twitter doesn't throw an error if the user isn't found
+            }
 
             $this->process_command();
         }
@@ -117,7 +117,7 @@ class ApiAction extends Action
         }
     }
 
-    # Whitelist of API methods that don't need authentication
+    // Whitelist of API methods that don't need authentication
     function requires_auth()
     {
         static $noauth = array( 'statuses/public_timeline',
@@ -135,28 +135,61 @@ class ApiAction extends Action
                                  'statuses/replies',
                                  'statuses/mentions',
                                  'statuses/followers',
-                                 'favorites/favorites');
+                                 'favorites/favorites',
+                                 'friendships/show');
 
         $fullname = "$this->api_action/$this->api_method";
 
         // If the site is "private", all API methods except laconica/config
         // need authentication
+
         if (common_config('site', 'private')) {
             return $fullname != 'laconica/config' || false;
         }
 
+        // bareauth: only needs auth if without an argument or query param specifying user
+
         if (in_array($fullname, $bareauth)) {
-            # bareauth: only needs auth if without an argument or query param specifying user
-            if ($this->api_arg || $this->arg('id') || is_numeric($this->arg('user_id')) || $this->arg('screen_name')) {
+
+            // Special case: friendships/show only needs auth if source_id or
+            // source_screen_name is not specified as a param
+
+            if ($fullname == 'friendships/show') {
+
+                $source_id          = $this->arg('source_id');
+                $source_screen_name = $this->arg('source_screen_name');
+
+                if (empty($source_id) && empty($source_screen_name)) {
+                    return true;
+                }
+
                 return false;
-            } else {
+            }
+
+            // if all of these are empty, auth is required
+
+            $id          = $this->arg('id');
+            $user_id     = $this->arg('user_id');
+            $screen_name = $this->arg('screen_name');
+
+            if (empty($this->api_arg) &&
+                empty($id)            &&
+                empty($user_id)       &&
+                empty($screen_name)) {
                 return true;
+            } else {
+                return false;
             }
+
         } else if (in_array($fullname, $noauth)) {
-            # noauth: never needs auth
+
+            // noauth: never needs auth
+
             return false;
         } else {
-            # everybody else needs auth
+
+            // everybody else needs auth
+
             return true;
         }
     }
diff --git a/actions/groupdesignsettings.php b/actions/groupdesignsettings.php
index 6c1c052cb..bb01243c6 100644
--- a/actions/groupdesignsettings.php
+++ b/actions/groupdesignsettings.php
@@ -312,36 +312,4 @@ class GroupDesignSettingsAction extends DesignSettingsAction
         $this->showForm(_('Design preferences saved.'), true);
     }
 
-    /**
-     * Handle input and output a page (overrided)
-     *
-     * @param array $args $_REQUEST arguments
-     *
-     * @return void
-     */
-
-    function handle($args)
-    {
-        parent::handle($args);
-        if (!common_logged_in()) {
-            $this->clientError(_('Not logged in.'));
-            return;
-        } else if (!common_is_real_login()) {
-            // Cookie theft means that automatic logins can't
-            // change important settings or see private info, and
-            // _all_ our settings are important
-            common_set_returnto($this->selfUrl());
-            $user = common_current_user();
-            if ($user->hasOpenID()) {
-                common_redirect(common_local_url('openidlogin'), 303);
-            } else {
-                common_redirect(common_local_url('login'), 303);
-            }
-        } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-            $this->handlePost();
-        } else {
-            $this->showForm();
-        }
-    }
-
 }
diff --git a/actions/twitapistatuses.php b/actions/twitapistatuses.php
index 555c746cb..c9943698d 100644
--- a/actions/twitapistatuses.php
+++ b/actions/twitapistatuses.php
@@ -373,9 +373,19 @@ class TwitapistatusesAction extends TwitterapiAction
             return;
         }
 
+        // 'id' is an undocumented parameter in Twitter's API. Several
+        // clients make use of it, so we support it too.
+
+        // show.json?id=12345 takes precedence over /show/12345.json
+
         $this->auth_user = $apidata['user'];
-        $notice_id       = $apidata['api_arg'];
-        $notice          = Notice::staticGet($notice_id);
+        $notice_id       = $this->trimmed('id');
+
+        if (empty($notice_id)) {
+            $notice_id   = $apidata['api_arg'];
+        }
+
+        $notice          = Notice::staticGet((int)$notice_id);
 
         if ($notice) {
             if ($apidata['content-type'] == 'xml') {
@@ -389,7 +399,6 @@ class TwitapistatusesAction extends TwitterapiAction
             $this->clientError(_('No status with that ID found.'),
                 404, $apidata['content-type']);
         }
-
     }
 
     function destroy($args, $apidata)
diff --git a/actions/twitapiusers.php b/actions/twitapiusers.php
index 4057b63e7..e9fcccbde 100644
--- a/actions/twitapiusers.php
+++ b/actions/twitapiusers.php
@@ -37,24 +37,17 @@ class TwitapiusersAction extends TwitterapiAction
 
         $user = null;
         $email = $this->arg('email');
-        $user_id = $this->arg('user_id');
 
         // XXX: email field deprecated in Twitter's API
 
-        // XXX: Also: need to add screen_name param
-
         if ($email) {
             $user = User::staticGet('email', $email);
-        } elseif ($user_id) {
-            $user = $this->get_user($user_id);
-        } elseif (isset($apidata['api_arg'])) {
+        } else {
             $user = $this->get_user($apidata['api_arg']);
-        } elseif (isset($apidata['user'])) {
-            $user = $apidata['user'];
         }
 
         if (empty($user)) {
-            $this->client_error(_('Not found.'), 404, $apidata['content-type']);
+            $this->clientError(_('Not found.'), 404, $apidata['content-type']);
             return;
         }
 
diff --git a/lib/router.php b/lib/router.php
index 50b733453..75e72f932 100644
--- a/lib/router.php
+++ b/lib/router.php
@@ -261,7 +261,7 @@ class Router
         $m->connect('api/statuses/:method',
                     array('action' => 'api',
                           'apiaction' => 'statuses'),
-                    array('method' => '(public_timeline|friends_timeline|user_timeline|update|replies|mentions|friends|followers|featured)(\.(atom|rss|xml|json))?'));
+                    array('method' => '(public_timeline|friends_timeline|user_timeline|update|replies|mentions|show|friends|followers|featured)(\.(atom|rss|xml|json))?'));
 
         $m->connect('api/statuses/:method/:argument',
                     array('action' => 'api',