1 files changed, 39 insertions, 30 deletions

diff --git a/lib/apioauthstore.php b/lib/apioauthstore.php
index 290ce8973..c39ddbb0f 100644
--- a/lib/apioauthstore.php
+++ b/lib/apioauthstore.php
@@ -40,44 +40,44 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
     {
         common_debug('new_access_token("'.$token->key.'","'.$consumer->key.'")', __FILE__);
 
-	$rt = new Token();
+        $rt = new Token();
         $rt->consumer_key = $consumer->key;
         $rt->tok = $token->key;
         $rt->type = 0; // request
 
         $app = Oauth_application::getByConsumerKey($consumer->key);
 
-	if (empty($app)) {
-	    common_debug("empty app!");
-	}
+        if (empty($app)) {
+            common_debug("empty app!");
+        }
 
-	if ($rt->find(true) && $rt->state == 1) { // authorized
+        if ($rt->find(true) && $rt->state == 1) { // authorized
             common_debug('request token found.', __FILE__);
 
-	    // find the associated user of the app
+            // find the associated user of the app
 
-	    $appUser = new Oauth_application_user();
-	    $appUser->application_id = $app->id;
-	    $appUser->token = $rt->tok;
-	    $result = $appUser->find(true);
+            $appUser = new Oauth_application_user();
+            $appUser->application_id = $app->id;
+            $appUser->token = $rt->tok;
+            $result = $appUser->find(true);
 
-	    if (!empty($result)) {
-		common_debug("Oath app user found.");
-	    } else {
-		common_debug("Oauth app user not found.");
-		return null;
-	    }
+            if (!empty($result)) {
+                common_debug("Oath app user found.");
+            } else {
+                common_debug("Oauth app user not found.");
+                return null;
+            }
 
-	    // go ahead and make the access token
+            // go ahead and make the access token
 
-	    $at = new Token();
+            $at = new Token();
             $at->consumer_key = $consumer->key;
             $at->tok = common_good_rand(16);
             $at->secret = common_good_rand(16);
             $at->type = 1; // access
             $at->created = DB_DataObject_Cast::dateTime();
 
-	    if (!$at->insert()) {
+            if (!$at->insert()) {
                 $e = $at->_lastError;
                 common_debug('access token "'.$at->tok.'" not inserted: "'.$e->message.'"', __FILE__);
                 return null;
@@ -91,21 +91,30 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
                 }
                 common_debug('request token "'.$rt->tok.'" updated', __FILE__);
 
-		// update the token from req to access for the user
+                // update the token from req to access for the user
+
+                $orig = clone($appUser);
+                $appUser->token = $at->tok;
 
-	        $orig = clone($appUser);
-		$appUser->token = $at->tok;
-		$result = $appUser->update($orig);
+                // It's at this point that we change the access type
+                // to whatever the application's access is.  Request
+                // tokens should always have an access type of 0, and
+                // therefore be unuseable for making requests for
+                // protected resources.
 
-		if (empty($result)) {
-		    common_debug('couldn\'t update OAuth app user.');
-		    return null;
-		}
+                $appUser->access_type = $app->access_type;
+
+                $result = $appUser->update($orig);
+
+                if (empty($result)) {
+                    common_debug('couldn\'t update OAuth app user.');
+                    return null;
+                }
 
-		// Okay, good
+                // Okay, good
 
-		return new OAuthToken($at->tok, $at->secret);
-	    }
+                return new OAuthToken($at->tok, $at->secret);
+            }
 
         } else {
             return null;