authorEvan Prodromou <evan@prodromou.name>2008-11-18 13:06:44 -0500
committerEvan Prodromou <evan@prodromou.name>2008-11-18 13:06:44 -0500
commita179a816b589d8fc097c7fff068dbe5b053e9e27 (patch)
tree7c96f7214d06f5ae0225dedabadc1fec176d1860 /actions/userauthorization.php
parent67340ce11c773287a4807ddc4567add775a3fcd7 (diff)
add some extra checks to avoid remote subscriptions to local users
darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz
Diffstat (limited to 'actions/userauthorization.php')
-rw-r--r--actions/userauthorization.php14
1 files changed, 14 insertions, 0 deletions
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 680f55094..11e2d7135 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -415,6 +415,12 @@ class UserauthorizationAction extends Action {
if (strlen($listenee) > 255) {
throw new OAuthException("Listenee URI '$listenee' too long");
}
+
+ $other = User::staticGet('uri', $listenee);
+ if ($other) {
+ throw new OAuthException("Listenee URI '$listenee' is local user");
+ }
+
$remote = Remote_profile::staticGet('uri', $listenee);
if ($remote) {
$sub = new Subscription();
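Review bot: The new local-user test at `$other = User::staticGet('uri', $listenee)` is an exact string match, so a listenee URI that differs from the stored one only in a detail the comparison does not normalise — a trailing slash, host case, `https` in place of `http`, an explicit `:80` — would pass this check and fall through to the Remote_profile lookup below, which is what the commit is trying to prevent. Unless `$listenee` is canonicalised before this point (not visible in the hunk), consider normalising it first, or additionally rejecting any URI whose host is this site, e.g. `if (parse_url($listenee, PHP_URL_HOST) == common_config('site', 'server'))` — assuming the usual site/server config key holds the local hostname. A one-line comment would also make the intent explicit: `# refuse a remote subscription to a user this site hosts itself`. The enclosing method begins before this hunk.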
@@ -434,6 +440,11 @@ class UserauthorizationAction extends Action {
if (!common_valid_http_url($profile)) {
throw new OAuthException("Invalid profile URL '$profile'.");
}
+
+ if ($profile == common_local_url('showstream', array('nickname' => $nickname))) {
+ throw new OAuthException("Profile URL '$profile' is for a local user.");
+ }
+
$license = $req->get_parameter('omb_listenee_license');
if (!common_valid_http_url($license)) {
throw new OAuthException("Invalid license URL '$license'.");
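Review bot: The check at `if ($profile == common_local_url('showstream', array('nickname' => $nickname)))` only catches the one canonical profile URL for `$nickname`; the same local profile reached via a trailing slash, a different scheme or host case, or another local URL form is not rejected, so the listenee-URI lookup earlier in the method is the only other guard. A host-based test is more robust than comparing against a single generated string, e.g. `if (parse_url($profile, PHP_URL_HOST) == common_config('site', 'server'))` — hedged, since how common_local_url formats its output is not visible here. If the exact match is deliberate, a comment such as `# only the canonical showstream URL is recognised as local` would stop the next reader from assuming the check is complete. The enclosing method continues outside this hunk.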
@@ -476,6 +487,9 @@ class UserauthorizationAction extends Action {
if ($callback && !common_valid_http_url($callback)) {
throw new OAuthException("Invalid callback URL '$callback'");
}
+ if ($callback && $callback == common_local_url('finishremotesubscribe')) {
+ throw new OAuthException("Callback URL '$callback' is for local site.");
+ }
}
# Snagged from OAuthServer