From bbde4d42cc550adfeeeb73e8c411b627c0d025aa Mon Sep 17 00:00:00 2001
From: Zach Copley <zach@status.net>
Date: Thu, 14 Jan 2010 02:16:03 +0000
Subject: Check for read vs. read-write access on OAuth authenticated API
 mehtods.

---
 lib/apiauth.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'lib/apiauth.php')

diff --git a/lib/apiauth.php b/lib/apiauth.php
index 431f3ac4f..8374c24a7 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -78,12 +78,27 @@ class ApiAuthAction extends ApiAction
                 $this->checkOAuthRequest();
             } else {
                 $this->checkBasicAuthUser();
+                // By default, all basic auth users have read and write access
+
+                $this->access = self::READ_WRITE;
             }
         }
 
         return true;
     }
 
+    function handle($args)
+    {
+        parent::handle($args);
+
+        if ($this->isReadOnly($args) == false) {
+            if ($this->access == self::READ_ONLY) {
+                $this->clientError(_('API method requires write access.'), 401);
+                exit();
+            }
+        }
+    }
+
     function checkOAuthRequest()
     {
         common_debug("We have an OAuth request.");
@@ -130,6 +145,10 @@ class ApiAuthAction extends ApiAction
 
                 if ($this->oauth_access_type != 0) {
 
+                    // Set the read or read-write access for the api call
+                    $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
+                      ? self::READ_WRITE : self::READ_ONLY;
+
                     $this->auth_user = User::staticGet('id', $appUser->profile_id);
 
                     $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
@@ -220,6 +239,7 @@ class ApiAuthAction extends ApiAction
                 exit;
             }
         }
+
         return true;
     }
 
-- 
cgit v1.2.3-54-g00ecf