authorEvan Prodromou <evan@prodromou.name>2008-11-18 13:06:44 -0500
committerEvan Prodromou <evan@prodromou.name>2008-11-18 13:06:44 -0500
commita179a816b589d8fc097c7fff068dbe5b053e9e27 (patch)
tree7c96f7214d06f5ae0225dedabadc1fec176d1860 /actions
parent67340ce11c773287a4807ddc4567add775a3fcd7 (diff)
add some extra checks to avoid remote subscriptions to local users
darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz
Diffstat (limited to 'actions')
-rw-r--r--actions/finishremotesubscribe.php12
-rw-r--r--actions/remotesubscribe.php7
-rw-r--r--actions/userauthorization.php14
3 files changed, 33 insertions, 0 deletions
diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php
index ae62fe4b3..cacf545b5 100644
--- a/actions/finishremotesubscribe.php
+++ b/actions/finishremotesubscribe.php
@@ -80,6 +80,11 @@ class FinishremotesubscribeAction extends Action {
return;
}
+ if ($profile_url == common_local_url('showstream', array('nickname' => $nickname))) {
+ common_user_error(_('You can use the local subscription!'));
+ return;
+ }
+
common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
$user = User::staticGet('nickname', $omb['listenee']);
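Review bot: The `$profile_url == common_local_url('showstream', …)` guard is a byte-exact comparison against a URL supplied by the remote side, so an equivalent but differently spelled URL (scheme, host case, trailing slash, explicit port) passes it; the same exact-match guard is used in remotesubscribe.php (`omb_service_uri(...) == common_local_url('requesttoken')`) and in the second hunk of userauthorization.php (`$profile == common_local_url('showstream', …)`). The `User::staticGet('uri', …)` lookup added in the following hunk is what actually identifies a local account, so this string match should be treated as a fast path rather than the boundary, and a comment saying so, `// fast-path only; the uri lookup below is the authoritative local-user check`, would keep a later maintainer from relying on it. At minimum make the comparison strict: `if ($profile_url === common_local_url('showstream', array('nickname' => $nickname))) {`. The enclosing method starts before this hunk and continues past it.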
@@ -89,6 +94,13 @@ class FinishremotesubscribeAction extends Action {
return;
}
+ $other = User::staticGet('uri', $omb['listener']);
+
+ if ($other) {
+ common_user_error(_('You can use the local subscription!'));
+ return;
+ }
+
$fullname = $req->get_parameter('omb_listener_fullname');
$homepage = $req->get_parameter('omb_listener_homepage');
$bio = $req->get_parameter('omb_listener_bio');
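Review bot: The new `$other` branch and the earlier profile-URL branch both emit the identical `_('You can use the local subscription!')` text and return, so the logs record neither which guard rejected the request nor which listener URI triggered it. The method already writes `common_debug('listenee: …')` just above; a parallel line before the return, `common_debug('listener "'.$omb['listener'].'" resolves to a local user', __FILE__);`, would make a rejected callback traceable. The enclosing method continues outside the hunk.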
diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php
index 7137b42a2..2c932178f 100644
--- a/actions/remotesubscribe.php
+++ b/actions/remotesubscribe.php
@@ -130,6 +130,13 @@ class RemotesubscribeAction extends Action {
return;
}
+ if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) ==
+ common_local_url('requesttoken'))
+ {
+ $this->show_form(_('That\'s a local profile! Login to subscribe.'));
+ return;
+ }
+
list($token, $secret) = $this->request_token($omb);
if (!$token || !$secret) {
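Review bot: The opening brace of the new `if` sits on a line of its own (`{` after `common_local_url('requesttoken'))`), while every other control structure visible here, e.g. `if (!$token || !$secret) {`, keeps it on the condition line; the file's own convention should be followed. Since `omb_service_uri(...)` and `common_local_url(...)` are both strings, the comparison can also be strict: `if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) === common_local_url('requesttoken')) {`. Placing this check ahead of `request_token($omb)` is the right order, as it avoids the site issuing an OAuth request to itself. The enclosing method continues outside the hunk.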
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 680f55094..11e2d7135 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -415,6 +415,12 @@ class UserauthorizationAction extends Action {
if (strlen($listenee) > 255) {
throw new OAuthException("Listenee URI '$listenee' too long");
}
+
+ $other = User::staticGet('uri', $listenee);
+ if ($other) {
+ throw new OAuthException("Listenee URI '$listenee' is local user");
+ }
+
$remote = Remote_profile::staticGet('uri', $listenee);
if ($remote) {
$sub = new Subscription();
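Review bot: The new exception text `"Listenee URI '$listenee' is local user"` differs in wording from the parallel message added later in this file, `"Profile URL '$profile' is for a local user."`; `throw new OAuthException("Listenee URI '$listenee' is a local user.");` keeps the messages consistent and grammatical. Like the existing `too long` message, it interpolates the remote-supplied `$listenee` verbatim; the 255-byte cap just above limits it, but wherever these exception messages are rendered into HTML they still need context-appropriate escaping, which is outside this hunk. Doing the `User::staticGet('uri', …)` lookup before the `Remote_profile` lookup is the right order, since it stops a local account from ever being treated as a remote one. The enclosing method continues outside the hunk.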
@@ -434,6 +440,11 @@ class UserauthorizationAction extends Action {
if (!common_valid_http_url($profile)) {
throw new OAuthException("Invalid profile URL '$profile'.");
}
+
+ if ($profile == common_local_url('showstream', array('nickname' => $nickname))) {
+ throw new OAuthException("Profile URL '$profile' is for a local user.");
+ }
+
$license = $req->get_parameter('omb_listenee_license');
if (!common_valid_http_url($license)) {
throw new OAuthException("Invalid license URL '$license'.");
@@ -476,6 +487,9 @@ class UserauthorizationAction extends Action {
if ($callback && !common_valid_http_url($callback)) {
throw new OAuthException("Invalid callback URL '$callback'");
}
+ if ($callback && $callback == common_local_url('finishremotesubscribe')) {
+ throw new OAuthException("Callback URL '$callback' is for local site.");
+ }
}
# Snagged from OAuthServer