From 387374fd7bd189eacefeca672ae35181fab2162c Mon Sep 17 00:00:00 2001
From: Zach Copley <zach@status.net>
Date: Tue, 2 Feb 2010 23:16:44 +0000
Subject: Always check for an OAuth request. This allows OAuth clients to set
 an auth user, similar to how they can set one via http basic auth, even if
 one is not required.  I think I finally got this right.

---
 lib/apiauth.php | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/lib/apiauth.php b/lib/apiauth.php
index 262f4b966..25e2196cf 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -55,6 +55,7 @@ class ApiAuthAction extends ApiAction
 {
     var $auth_user_nickname = null;
     var $auth_user_password = null;
+    var $oauth_source       = null;
 
     /**
      * Take arguments for running, looks for an OAuth request,
@@ -73,28 +74,23 @@ class ApiAuthAction extends ApiAction
         // NOTE: $this->auth_user has to get set in prepare(), not handle(),
         // because subclasses do stuff with it in their prepares.
 
-        if ($this->requiresAuth()) {
+        $oauthReq = $this->getOAuthRequest();
 
-            $oauthReq = $this->getOAuthRequest();
-
-            if (!$oauthReq) {
+        if (!$oauthReq) {
+            if ($this->requiresAuth()) {
                 $this->checkBasicAuthUser(true);
             } else {
-                $this->checkOAuthRequest($oauthReq);
+                // Check to see if a basic auth user is there even
+                // if one's not required
+                $this->checkBasicAuthUser(false);
             }
         } else {
-
-            // Check to see if a basic auth user is there even
-            // if one's not required
-            $this->checkBasicAuthUser(false);
+            $this->checkOAuthRequest($oauthReq);
         }
 
         // Reject API calls with the wrong access level
 
         if ($this->isReadOnly($args) == false) {
-
-            common_debug(get_class($this) . ' is not read-only!');
-
             if ($this->access != self::READ_WRITE) {
                 $msg = _('API resource requires read-write access, ' .
                          'but you only have read access.');
@@ -111,7 +107,6 @@ class ApiAuthAction extends ApiAction
      * This is to avoid doign any unnecessary DB lookups.
      *
      * @return mixed the OAuthRequest or false
-     *
      */
 
     function getOAuthRequest()
@@ -140,7 +135,6 @@ class ApiAuthAction extends ApiAction
      * @param OAuthRequest $request the OAuth Request
      *
      * @return nothing
-     *
      */
 
     function checkOAuthRequest($request)
-- 
cgit v1.2.3-54-g00ecf