author | Evan Prodromou <evan@prodromou.name> | 2008-11-18 13:06:44 -0500 |
---|---|---|
committer | Evan Prodromou <evan@prodromou.name> | 2008-11-18 13:06:44 -0500 |
commit | a179a816b589d8fc097c7fff068dbe5b053e9e27 (patch) | |
tree | 7c96f7214d06f5ae0225dedabadc1fec176d1860 /actions | |
parent | 67340ce11c773287a4807ddc4567add775a3fcd7 (diff) |
add some extra checks to avoid remote subscriptions to local users
darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz
Diffstat (limited to 'actions')
-rw-r--r-- | actions/finishremotesubscribe.php | 12 | ||||
-rw-r--r-- | actions/remotesubscribe.php | 7 | ||||
-rw-r--r-- | actions/userauthorization.php | 14 |
3 files changed, 33 insertions, 0 deletions
diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php
index ae62fe4b3..cacf545b5 100644
--- a/actions/finishremotesubscribe.php
+++ b/actions/finishremotesubscribe.php
@@ -80,6 +80,11 @@ class FinishremotesubscribeAction extends Action {
 return;
 }
+ if ($profile_url == common_local_url('showstream', array('nickname' => $nickname))) {
+ common_user_error(_('You can use the local subscription!'));
+ return;
+ }
+
 common_debug('listenee: "'.$omb['listenee'].'"', __FILE__);
 $user = User::staticGet('nickname', $omb['listenee']);
@@ -89,6 +94,13 @@ class FinishremotesubscribeAction extends Action {
 return;
 }
+ $other = User::staticGet('uri', $omb['listener']);
+
+ if ($other) {
+ common_user_error(_('You can use the local subscription!'));
+ return;
+ }
+
 $fullname = $req->get_parameter('omb_listener_fullname');
 $homepage = $req->get_parameter('omb_listener_homepage');
 $bio = $req->get_parameter('omb_listener_bio');
diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php
index 7137b42a2..2c932178f 100644
--- a/actions/remotesubscribe.php
+++ b/actions/remotesubscribe.php
@@ -130,6 +130,13 @@ class RemotesubscribeAction extends Action {
 return;
 }
+ if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) ==
+ common_local_url('requesttoken'))
+ {
+ $this->show_form(_('That\'s a local profile! Login to subscribe.'));
+ return;
+ }
+
 list($token, $secret) = $this->request_token($omb);
 if (!$token || !$secret) {
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 680f55094..11e2d7135 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
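Review bot: The local-user test on the new `if ($profile_url == common_local_url('showstream', array('nickname' => $nickname)))` line is an exact string match, so a profile URL that differs only in scheme, host case, trailing slash or percent-encoding is treated as remote even though it points at a local user. The second hunk in this same file already takes the stronger route of a database lookup on the URI; consider the same approach here, or at least compare `parse_url()` host and path rather than the raw string, and use `===` instead of `==`. `$profile_url` and `$nickname` are assigned before the hunk, so which request parameter each comes from is not visible here, and the enclosing method starts outside the hunk.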
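Review bot: A callback whose listener URI resolves to a local `User` is refused with only a user-facing message and no log entry, so repeated attempts to register a local account as a remote listener leave nothing for operators to notice. Since `common_debug()` is already called a few lines earlier for the listenee, a matching line before the new `return;` would make the condition visible: `common_debug('listener "' . $omb['listener'] . '" is a local user; refusing remote subscription', __FILE__);`. The lookup-based check itself is the right shape; the enclosing method continues past the hunk.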
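Review bot: The local-profile detection compares the discovered request-token endpoint textually with `common_local_url('requesttoken')`, so a local profile discovered under an alternate hostname or scheme for the same site, if the site answers on more than one, passes this check and continues into the OAuth exchange against itself; the `userauthorization.php` checks in this commit would presumably stop it later, but the user would then see an OAuth error instead of the friendly 'Login to subscribe' message. Comparing parsed host and path with `===` makes the intent explicit: `$ep = parse_url(omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST])); $me = parse_url(common_local_url('requesttoken'));` followed by `if ($ep && isset($ep['host'], $ep['path']) && strcasecmp($ep['host'], $me['host']) === 0 && $ep['path'] === $me['path'])`. Placing the check before `request_token()` is the right spot; the enclosing method starts outside the hunk.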
@@ -415,6 +415,12 @@ class UserauthorizationAction extends Action {
 if (strlen($listenee) > 255) {
 throw new OAuthException("Listenee URI '$listenee' too long");
 }
+
+ $other = User::staticGet('uri', $listenee);
+ if ($other) {
+ throw new OAuthException("Listenee URI '$listenee' is local user");
+ }
+
 $remote = Remote_profile::staticGet('uri', $listenee);
 if ($remote) {
 $sub = new Subscription();
@@ -434,6 +440,11 @@ class UserauthorizationAction extends Action {
 if (!common_valid_http_url($profile)) {
 throw new OAuthException("Invalid profile URL '$profile'.");
 }
+
+ if ($profile == common_local_url('showstream', array('nickname' => $nickname))) {
+ throw new OAuthException("Profile URL '$profile' is for a local user.");
+ }
+
 $license = $req->get_parameter('omb_listenee_license');
 if (!common_valid_http_url($license)) {
 throw new OAuthException("Invalid license URL '$license'.");
@@ -476,6 +487,9 @@ class UserauthorizationAction extends Action {
 if ($callback && !common_valid_http_url($callback)) {
 throw new OAuthException("Invalid callback URL '$callback'");
 }
+ if ($callback && $callback == common_local_url('finishremotesubscribe')) {
+ throw new OAuthException("Callback URL '$callback' is for local site.");
+ }
 }
 # Snagged from OAuthServer |
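Review bot: The new `OAuthException` message interpolates `$listenee`, a value the remote site supplies, and whether that is safe depends on how `OAuthException` messages are rendered, which is outside this hunk — if they are echoed into an HTML response they need `htmlspecialchars()` at the rendering point, and that applies equally to the pre-existing "too long" message above it. The check itself is well placed, before the `Remote_profile` lookup, so a listenee that is both a local user and a stale remote-profile row is refused first. `$listenee` is assigned before the hunk and the enclosing method starts outside it.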
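Review bot: The profile-URL check compares `$profile` only against the `showstream` URL built from `$nickname`, so a request that names one local user's profile URL while claiming a different nickname passes this line even though the URL is local; if `$nickname` is taken from the request's `omb_listenee_nickname` parameter (assigned before the hunk), both values are under the remote site's control. A check that does not depend on the claimed nickname — matching the local host and the `showstream` path shape via `parse_url()`, or looking the URL up against stored local profiles, whichever the data model supports — would close that gap, and `===` should replace `==` in any case. The enclosing method starts outside the hunk.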
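Review bot: The callback check on the new `if ($callback && $callback == common_local_url('finishremotesubscribe'))` line rejects only the exact URL, so a callback with an added query string, a trailing slash or an upper-cased host is accepted as "remote" while still pointing at this site. Comparing the parsed host and path catches those variants: `$lc = parse_url(common_local_url('finishremotesubscribe')); $cb = parse_url($callback);` and `if ($cb && isset($cb['host'], $cb['path']) && strcasecmp($cb['host'], $lc['host']) === 0 && $cb['path'] === $lc['path']) {` in front of the existing throw. The same exact-match pattern is used for the `showstream` comparison earlier in this file; one shared helper would keep the two from drifting. The method ends within the hunk but starts outside it.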