authorZach Copley <zach@status.net>2010-01-27 14:27:22 -0800
committerZach Copley <zach@status.net>2010-01-27 14:27:22 -0800
commit78079f34e273357d03ceee13269f9a388e66c4e3 (patch)
tree8f29f6fb7de5b6b6627a7eba3e16b86fa9b2ae1f /lib/apiauth.php
parent656d95418c6d7f8b884c4c8af14ad6952032ace6 (diff)
parent2494d3fa25a44b3cacf85c594683675ae9e6d0cb (diff)
Merge branch 'testing' into -1.9.x
* testing: (130 commits) HTTP auth provided is evaluated even if it's not required Rename rc3to09.sql to rc3torc4.sql to avoid confusion if we add a last-minute change after this! Add new oauth tables and modifications to 'consumer' table for rc4 Centred leaderboard ad camelcase the uap param names move leaderboard to after the header Moved rectangle ad into aside and leaderboard to the right in header. Aligning wide skyscraper to the right instead of left CSS ids and classes fixed in UAPPlugin wrong height for rectangle in BlankAd Add the moved BlankAdPlugin make BlankAd dir and change to use a 1x1 image move BlankAdPlugin to its own dir Add BlankAdPlugin to test ad layout in different themes make uapplugin an abstract class move UAP plugin to core Lowercased switch cases in UAP Plugin Plugin for Universal Ad Package. Outputs four most widely used ad types. Add persistent:true property to Stomp messages so ActiveMQ doesn't decide to discard them even though persistence is enabled on the broker. :) (Thanks Aric!) quick fix: use common_path() on realtime update JS so it works with the new JS path code (will pull from main server for now) ... Conflicts: actions/apioauthaccesstoken.php actions/apioauthauthorize.php actions/apioauthrequesttoken.php actions/editapplication.php actions/newapplication.php lib/apiauth.php lib/queuemanager.php lib/router.php
Diffstat (limited to 'lib/apiauth.php')
-rw-r--r--lib/apiauth.php128
1 files changed, 67 insertions, 61 deletions
diff --git a/lib/apiauth.php b/lib/apiauth.php
index 927dcad6a..ac5e997c7 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -29,7 +29,7 @@
* @author mEDI <medi@milaro.net>
* @author Sarven Capadisli <csarven@status.net>
* @author Zach Copley <zach@status.net>
- * @copyright 2009 StatusNet, Inc.
+ * @copyright 2009-2010 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
*/
@@ -53,9 +53,11 @@ require_once INSTALLDIR . '/lib/apioauth.php';
class ApiAuthAction extends ApiAction
{
- var $access_token;
- var $oauth_access_type;
- var $oauth_source;
+ var $auth_user_nickname = null;
+ var $auth_user_password = null;
+ var $access_token = null;
+ var $oauth_source = null;
+ var $auth_user = null;
/**
* Take arguments for running, and output basic auth header if needed
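Review bot: `consumer_key` is not declared among these properties even though prepare() now assigns `$this->consumer_key` unconditionally and checkOAuthRequest() reads it; unless ApiAction declares it, it is created as a dynamic property. Add `var $consumer_key = null;` beside `$access_token`. A one-line comment per property saying which path fills it would also help a reader, since `auth_user_nickname`/`auth_user_password` are parsed from the Basic auth header while `access_token` comes from the `oauth_token` argument.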
@@ -70,11 +72,13 @@ class ApiAuthAction extends ApiAction
{
parent::prepare($args);
- if ($this->requiresAuth()) {
+ $this->consumer_key = $this->arg('oauth_consumer_key');
+ $this->access_token = $this->arg('oauth_token');
- $this->consumer_key = $this->arg('oauth_consumer_key');
- $this->access_token = $this->arg('oauth_token');
+ // NOTE: $this->auth_user has to get set in prepare(), not handle(),
+ // because subclasses do stuff with it in their prepares.
+ if ($this->requiresAuth()) {
if (!empty($this->access_token)) {
$this->checkOAuthRequest();
} else {
@@ -88,6 +92,17 @@ class ApiAuthAction extends ApiAction
$this->checkBasicAuthUser(false);
}
+ // Reject API calls with the wrong access level
+
+ if ($this->isReadOnly($args) == false) {
+ if ($this->access != self::READ_WRITE) {
+ $msg = 'API resource requires read-write access, ' .
+ 'but you only have read access.';
+ $this->clientError($msg, 401, $this->format);
+ exit;
+ }
+ }
+
return true;
}
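Review bot: The new access-level gate uses a loose `== false` on isReadOnly() and a loose `!=` on the access constant; write it as `if (!$this->isReadOnly($args) && $this->access !== self::READ_WRITE) {`. Also, `$this->access` is only assigned on the OAuth and basic-auth paths shown in the other hunks, so a writable resource reached with no credentials on a path where auth is not required would presumably fail this check with a 401 rather than the error that applies to that resource — worth confirming that is intended. prepare() begins before this hunk.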
@@ -98,8 +113,6 @@ class ApiAuthAction extends ApiAction
function checkOAuthRequest()
{
- common_debug("We have an OAuth request.");
-
$datastore = new ApiStatusNetOAuthDataStore();
$server = new OAuthServer($datastore);
$hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
@@ -117,9 +130,10 @@ class ApiAuthAction extends ApiAction
if (empty($app)) {
- // this should really not happen
- common_log(LOG_WARN,
- "Couldn't find the OAuth app for consumer key: $this->consumer_key");
+ // this should probably not happen
+ common_log(LOG_WARNING,
+ 'Couldn\'t find the OAuth app for consumer key: ' .
+ $this->consumer_key);
throw new OAuthException('No application for that consumer key.');
}
@@ -131,20 +145,18 @@ class ApiAuthAction extends ApiAction
$appUser = Oauth_application_user::staticGet('token',
$this->access_token);
- // XXX: check that app->id and appUser->application_id and consumer all
+ // XXX: Check that app->id and appUser->application_id and consumer all
// match?
if (!empty($appUser)) {
- // read or read-write
- $this->oauth_access_type = $appUser->access_type;
-
// If access_type == 0 we have either a request token
// or a bad / revoked access token
- if ($this->oauth_access_type != 0) {
+ if ($appUser->access_type != 0) {
+
+ // Set the access level for the api call
- // Set the read or read-write access for the api call
$this->access = ($appUser->access_type & Oauth_application::$writeAccess)
? self::READ_WRITE : self::READ_ONLY;
@@ -154,38 +166,34 @@ class ApiAuthAction extends ApiAction
}
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
- "application '%s' (id: %d).";
+ "application '%s' (id: %d) with %s access.";
common_log(LOG_INFO, sprintf($msg,
$this->auth_user->nickname,
$this->auth_user->id,
$app->name,
- $app->id));
+ $app->id,
+ ($this->access = self::READ_WRITE) ?
+ 'read-write' : 'read-only'
+ ));
return true;
} else {
throw new OAuthException('Bad access token.');
}
} else {
- // also should not happen
+ // Also should not happen
+
throw new OAuthException('No user for that token.');
- }
+ }
} catch (OAuthException $e) {
- common_log(LOG_WARN, 'API OAuthException - ' . $e->getMessage());
- common_debug(var_export($req, true));
- $this->showOAuthError($e->getMessage());
- exit();
+ common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
+ $this->showAuthError();
+ exit;
}
}
- function showOAuthError($msg)
- {
- header('HTTP/1.1 401 Unauthorized');
- header('Content-Type: text/html; charset=utf-8');
- print $msg . "\n";
- }
-
/**
* Does this API resource require authentication?
*
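Review bot: `($this->access = self::READ_WRITE) ?` inside the sprintf() arguments is an assignment, not a comparison: every successful OAuth request is granted READ_WRITE at this point regardless of the level derived from `$appUser->access_type` a few lines earlier, so a read-only token will pass the read-write gate added to prepare(). Change it to `($this->access == self::READ_WRITE) ?`, which also makes the log line report the real level. checkOAuthRequest() begins before this hunk.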
@@ -210,43 +218,43 @@ class ApiAuthAction extends ApiAction
$realm = common_config('site', 'name') . ' API';
- if (!isset($this->auth_user) && $required) {
+ if (!isset($this->auth_user_nickname) && $required) {
header('WWW-Authenticate: Basic realm="' . $realm . '"');
// show error if the user clicks 'cancel'
- $this->showBasicAuthError();
+ $this->showAuthError();
exit;
- } else if (isset($this->auth_user)) {
- $nickname = $this->auth_user;
- $password = $this->auth_pw;
- $user = common_check_user($nickname, $password);
- if (Event::handle('StartSetApiUser', array(&$user))) {
- $this->auth_user = $user;
+ } else {
- // By default, all basic auth users have read and write access
- $this->access = self::READ_WRITE;
+ if (Event::handle('StartSetApiUser', array(&$user))) {
+ $this->auth_user = common_check_user($this->auth_user_nickname,
+ $this->auth_user_password);
Event::handle('EndSetApiUser', array($user));
}
+ // By default, basic auth users have rw access
+
+ $this->access = self::READ_WRITE;
+
if (empty($this->auth_user)) {
// basic authentication failed
list($proxy, $ip) = common_client_ip();
+
common_log(
LOG_WARNING,
'Failed API auth attempt, nickname = ' .
"$nickname, proxy = $proxy, ip = $ip."
);
- $this->showBasicAuthError();
+
+ $this->showAuthError();
exit;
}
}
-
- return true;
}
/**
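Review bot: In the rewritten else branch `$user` is never assigned, so `StartSetApiUser` receives a reference to an undefined variable, `EndSetApiUser` is given null rather than the authenticated user, and `$this->auth_user` is only set when the Start handler returns true. The failed-login log line `"$nickname, proxy = $proxy, ip = $ip."` still refers to `$nickname`, which the old code defined and this version no longer does, so the logged nickname is always empty. It also looks like the else branch runs for requests with no credentials when `$required` is false, which would call common_check_user(null, null) and reject them unless the `checkBasicAuthUser(false)` call site only reaches it when a nickname was parsed — worth confirming. Suggested rewrite of the authentication part below (assigning `$this->auth_user` after the event lets a plugin that handles StartSetApiUser supply the user, if that is the intended contract); checkBasicAuthUser() begins before this hunk.
```php
        } else {
            $user = null;
            if (Event::handle('StartSetApiUser', array(&$user))) {
                $user = common_check_user($this->auth_user_nickname,
                                          $this->auth_user_password);
                Event::handle('EndSetApiUser', array($user));
            }
            $this->auth_user = $user;

            // … unchanged: default rw access, client-ip lookup …

                common_log(
                    LOG_WARNING,
                    'Failed API auth attempt, nickname = ' .
                    "{$this->auth_user_nickname}, proxy = $proxy, ip = $ip."
                );
            // … unchanged: showAuthError(); exit …
```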
@@ -260,32 +268,30 @@ class ApiAuthAction extends ApiAction
{
if (isset($_SERVER['AUTHORIZATION'])
|| isset($_SERVER['HTTP_AUTHORIZATION'])
- ) {
- $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])
- ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION'];
+ ) {
+ $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])
+ ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION'];
}
if (isset($_SERVER['PHP_AUTH_USER'])) {
- $this->auth_user = $_SERVER['PHP_AUTH_USER'];
- $this->auth_pw = $_SERVER['PHP_AUTH_PW'];
+ $this->auth_user_nickname = $_SERVER['PHP_AUTH_USER'];
+ $this->auth_user_password = $_SERVER['PHP_AUTH_PW'];
} elseif (isset($authorization_header)
&& strstr(substr($authorization_header, 0, 5), 'Basic')) {
- // decode the HTTP_AUTHORIZATION header on php-cgi server self
+ // Decode the HTTP_AUTHORIZATION header on php-cgi server self
// on fcgid server the header name is AUTHORIZATION
$auth_hash = base64_decode(substr($authorization_header, 6));
- list($this->auth_user, $this->auth_pw) = explode(':', $auth_hash);
+ list($this->auth_user_nickname,
+ $this->auth_user_password) = explode(':', $auth_hash);
- // set all to null on a empty basic auth request
+ // Set all to null on a empty basic auth request
- if ($this->auth_user == "") {
- $this->auth_user = null;
- $this->auth_pw = null;
+ if (empty($this->auth_user_nickname)) {
+ $this->auth_user_nickname = null;
+ $this->auth_password = null;
}
- } else {
- $this->auth_user = null;
- $this->auth_pw = null;
}
}
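Review bot: `$this->auth_password = null;` in the empty-nickname branch clears a property that does not exist, so the parsed password stays in `$this->auth_user_password`; the line should be `$this->auth_user_password = null;`. In the same branch, `explode(':', $auth_hash)` without a limit truncates a password that contains a colon and, when the decoded value has no colon at all, assigns null to the password with a notice; use `explode(':', $auth_hash, 2)` and check that two parts came back before assigning. `empty()` also treats the nickname `"0"` as absent, so comparing against `''` is the safer test.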
@@ -296,7 +302,7 @@ class ApiAuthAction extends ApiAction
* @return void
*/
- function showBasicAuthError()
+ function showAuthError()
{
header('HTTP/1.1 401 Unauthorized');
$msg = 'Could not authenticate you.';