summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--actions/api.php63
-rw-r--r--actions/groupdesignsettings.php32
-rw-r--r--actions/twitapistatuses.php15
-rw-r--r--actions/twitapiusers.php11
-rw-r--r--lib/router.php2
5 files changed, 63 insertions, 60 deletions
diff --git a/actions/api.php b/actions/api.php
index 08f5fadad..18c3b68d4 100644
--- a/actions/api.php
+++ b/actions/api.php
@@ -75,14 +75,14 @@ class ApiAction extends Action
}
} else {
- # Caller might give us a username even if not required
- if (isset($_SERVER['PHP_AUTH_USER'])) {
- $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
- if ($user) {
- $this->user = $user;
- }
- # Twitter doesn't throw an error if the user isn't found
- }
+ // Caller might give us a username even if not required
+ if (isset($_SERVER['PHP_AUTH_USER'])) {
+ $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
+ if ($user) {
+ $this->user = $user;
+ }
+ # Twitter doesn't throw an error if the user isn't found
+ }
$this->process_command();
}
@@ -117,7 +117,7 @@ class ApiAction extends Action
}
}
- # Whitelist of API methods that don't need authentication
+ // Whitelist of API methods that don't need authentication
function requires_auth()
{
static $noauth = array( 'statuses/public_timeline',
@@ -135,28 +135,61 @@ class ApiAction extends Action
'statuses/replies',
'statuses/mentions',
'statuses/followers',
- 'favorites/favorites');
+ 'favorites/favorites',
+ 'friendships/show');
$fullname = "$this->api_action/$this->api_method";
// If the site is "private", all API methods except laconica/config
// need authentication
+
if (common_config('site', 'private')) {
return $fullname != 'laconica/config' || false;
}
+ // bareauth: only needs auth if without an argument or query param specifying user
+
if (in_array($fullname, $bareauth)) {
- # bareauth: only needs auth if without an argument or query param specifying user
- if ($this->api_arg || $this->arg('id') || is_numeric($this->arg('user_id')) || $this->arg('screen_name')) {
+
+ // Special case: friendships/show only needs auth if source_id or
+ // source_screen_name is not specified as a param
+
+ if ($fullname == 'friendships/show') {
+
+ $source_id = $this->arg('source_id');
+ $source_screen_name = $this->arg('source_screen_name');
+
+ if (empty($source_id) && empty($source_screen_name)) {
+ return true;
+ }
+
return false;
- } else {
+ }
+
+ // if all of these are empty, auth is required
+
+ $id = $this->arg('id');
+ $user_id = $this->arg('user_id');
+ $screen_name = $this->arg('screen_name');
+
+ if (empty($this->api_arg) &&
+ empty($id) &&
+ empty($user_id) &&
+ empty($screen_name)) {
return true;
+ } else {
+ return false;
}
+
} else if (in_array($fullname, $noauth)) {
- # noauth: never needs auth
+
+ // noauth: never needs auth
+
return false;
} else {
- # everybody else needs auth
+
+ // everybody else needs auth
+
return true;
}
}
diff --git a/actions/groupdesignsettings.php b/actions/groupdesignsettings.php
index 6c1c052cb..bb01243c6 100644
--- a/actions/groupdesignsettings.php
+++ b/actions/groupdesignsettings.php
@@ -312,36 +312,4 @@ class GroupDesignSettingsAction extends DesignSettingsAction
$this->showForm(_('Design preferences saved.'), true);
}
- /**
- * Handle input and output a page (overrided)
- *
- * @param array $args $_REQUEST arguments
- *
- * @return void
- */
-
- function handle($args)
- {
- parent::handle($args);
- if (!common_logged_in()) {
- $this->clientError(_('Not logged in.'));
- return;
- } else if (!common_is_real_login()) {
- // Cookie theft means that automatic logins can't
- // change important settings or see private info, and
- // _all_ our settings are important
- common_set_returnto($this->selfUrl());
- $user = common_current_user();
- if ($user->hasOpenID()) {
- common_redirect(common_local_url('openidlogin'), 303);
- } else {
- common_redirect(common_local_url('login'), 303);
- }
- } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
- $this->handlePost();
- } else {
- $this->showForm();
- }
- }
-
}
diff --git a/actions/twitapistatuses.php b/actions/twitapistatuses.php
index 555c746cb..c9943698d 100644
--- a/actions/twitapistatuses.php
+++ b/actions/twitapistatuses.php
@@ -373,9 +373,19 @@ class TwitapistatusesAction extends TwitterapiAction
return;
}
+ // 'id' is an undocumented parameter in Twitter's API. Several
+ // clients make use of it, so we support it too.
+
+ // show.json?id=12345 takes precedence over /show/12345.json
+
$this->auth_user = $apidata['user'];
- $notice_id = $apidata['api_arg'];
- $notice = Notice::staticGet($notice_id);
+ $notice_id = $this->trimmed('id');
+
+ if (empty($notice_id)) {
+ $notice_id = $apidata['api_arg'];
+ }
+
+ $notice = Notice::staticGet((int)$notice_id);
if ($notice) {
if ($apidata['content-type'] == 'xml') {
@@ -389,7 +399,6 @@ class TwitapistatusesAction extends TwitterapiAction
$this->clientError(_('No status with that ID found.'),
404, $apidata['content-type']);
}
-
}
function destroy($args, $apidata)
diff --git a/actions/twitapiusers.php b/actions/twitapiusers.php
index 4057b63e7..e9fcccbde 100644
--- a/actions/twitapiusers.php
+++ b/actions/twitapiusers.php
@@ -37,24 +37,17 @@ class TwitapiusersAction extends TwitterapiAction
$user = null;
$email = $this->arg('email');
- $user_id = $this->arg('user_id');
// XXX: email field deprecated in Twitter's API
- // XXX: Also: need to add screen_name param
-
if ($email) {
$user = User::staticGet('email', $email);
- } elseif ($user_id) {
- $user = $this->get_user($user_id);
- } elseif (isset($apidata['api_arg'])) {
+ } else {
$user = $this->get_user($apidata['api_arg']);
- } elseif (isset($apidata['user'])) {
- $user = $apidata['user'];
}
if (empty($user)) {
- $this->client_error(_('Not found.'), 404, $apidata['content-type']);
+ $this->clientError(_('Not found.'), 404, $apidata['content-type']);
return;
}
diff --git a/lib/router.php b/lib/router.php
index 50b733453..75e72f932 100644
--- a/lib/router.php
+++ b/lib/router.php
@@ -261,7 +261,7 @@ class Router
$m->connect('api/statuses/:method',
array('action' => 'api',
'apiaction' => 'statuses'),
- array('method' => '(public_timeline|friends_timeline|user_timeline|update|replies|mentions|friends|followers|featured)(\.(atom|rss|xml|json))?'));
+ array('method' => '(public_timeline|friends_timeline|user_timeline|update|replies|mentions|show|friends|followers|featured)(\.(atom|rss|xml|json))?'));
$m->connect('api/statuses/:method/:argument',
array('action' => 'api',