diff options
-rw-r--r-- | actions/api.php | 63 | ||||
-rw-r--r-- | actions/groupdesignsettings.php | 32 | ||||
-rw-r--r-- | actions/twitapistatuses.php | 15 | ||||
-rw-r--r-- | actions/twitapiusers.php | 11 | ||||
-rw-r--r-- | lib/router.php | 2 |
5 files changed, 63 insertions, 60 deletions
diff --git a/actions/api.php b/actions/api.php index 08f5fadad..18c3b68d4 100644 --- a/actions/api.php +++ b/actions/api.php @@ -75,14 +75,14 @@ class ApiAction extends Action } } else { - # Caller might give us a username even if not required - if (isset($_SERVER['PHP_AUTH_USER'])) { - $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']); - if ($user) { - $this->user = $user; - } - # Twitter doesn't throw an error if the user isn't found - } + // Caller might give us a username even if not required + if (isset($_SERVER['PHP_AUTH_USER'])) { + $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']); + if ($user) { + $this->user = $user; + } + # Twitter doesn't throw an error if the user isn't found + } $this->process_command(); } @@ -117,7 +117,7 @@ class ApiAction extends Action } } - # Whitelist of API methods that don't need authentication + // Whitelist of API methods that don't need authentication function requires_auth() { static $noauth = array( 'statuses/public_timeline', @@ -135,28 +135,61 @@ class ApiAction extends Action 'statuses/replies', 'statuses/mentions', 'statuses/followers', - 'favorites/favorites'); + 'favorites/favorites', + 'friendships/show'); $fullname = "$this->api_action/$this->api_method"; // If the site is "private", all API methods except laconica/config // need authentication + if (common_config('site', 'private')) { return $fullname != 'laconica/config' || false; } + // bareauth: only needs auth if without an argument or query param specifying user + if (in_array($fullname, $bareauth)) { - # bareauth: only needs auth if without an argument or query param specifying user - if ($this->api_arg || $this->arg('id') || is_numeric($this->arg('user_id')) || $this->arg('screen_name')) { + + // Special case: friendships/show only needs auth if source_id or + // source_screen_name is not specified as a param + + if ($fullname == 'friendships/show') { + + $source_id = $this->arg('source_id'); + $source_screen_name = $this->arg('source_screen_name'); + + if (empty($source_id) && empty($source_screen_name)) { + return true; + } + return false; - } else { + } + + // if all of these are empty, auth is required + + $id = $this->arg('id'); + $user_id = $this->arg('user_id'); + $screen_name = $this->arg('screen_name'); + + if (empty($this->api_arg) && + empty($id) && + empty($user_id) && + empty($screen_name)) { return true; + } else { + return false; } + } else if (in_array($fullname, $noauth)) { - # noauth: never needs auth + + // noauth: never needs auth + return false; } else { - # everybody else needs auth + + // everybody else needs auth + return true; } } diff --git a/actions/groupdesignsettings.php b/actions/groupdesignsettings.php index 6c1c052cb..bb01243c6 100644 --- a/actions/groupdesignsettings.php +++ b/actions/groupdesignsettings.php @@ -312,36 +312,4 @@ class GroupDesignSettingsAction extends DesignSettingsAction $this->showForm(_('Design preferences saved.'), true); } - /** - * Handle input and output a page (overrided) - * - * @param array $args $_REQUEST arguments - * - * @return void - */ - - function handle($args) - { - parent::handle($args); - if (!common_logged_in()) { - $this->clientError(_('Not logged in.')); - return; - } else if (!common_is_real_login()) { - // Cookie theft means that automatic logins can't - // change important settings or see private info, and - // _all_ our settings are important - common_set_returnto($this->selfUrl()); - $user = common_current_user(); - if ($user->hasOpenID()) { - common_redirect(common_local_url('openidlogin'), 303); - } else { - common_redirect(common_local_url('login'), 303); - } - } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { - $this->handlePost(); - } else { - $this->showForm(); - } - } - } diff --git a/actions/twitapistatuses.php b/actions/twitapistatuses.php index 555c746cb..c9943698d 100644 --- a/actions/twitapistatuses.php +++ b/actions/twitapistatuses.php @@ -373,9 +373,19 @@ class TwitapistatusesAction extends TwitterapiAction return; } + // 'id' is an undocumented parameter in Twitter's API. Several + // clients make use of it, so we support it too. + + // show.json?id=12345 takes precedence over /show/12345.json + $this->auth_user = $apidata['user']; - $notice_id = $apidata['api_arg']; - $notice = Notice::staticGet($notice_id); + $notice_id = $this->trimmed('id'); + + if (empty($notice_id)) { + $notice_id = $apidata['api_arg']; + } + + $notice = Notice::staticGet((int)$notice_id); if ($notice) { if ($apidata['content-type'] == 'xml') { @@ -389,7 +399,6 @@ class TwitapistatusesAction extends TwitterapiAction $this->clientError(_('No status with that ID found.'), 404, $apidata['content-type']); } - } function destroy($args, $apidata) diff --git a/actions/twitapiusers.php b/actions/twitapiusers.php index 4057b63e7..e9fcccbde 100644 --- a/actions/twitapiusers.php +++ b/actions/twitapiusers.php @@ -37,24 +37,17 @@ class TwitapiusersAction extends TwitterapiAction $user = null; $email = $this->arg('email'); - $user_id = $this->arg('user_id'); // XXX: email field deprecated in Twitter's API - // XXX: Also: need to add screen_name param - if ($email) { $user = User::staticGet('email', $email); - } elseif ($user_id) { - $user = $this->get_user($user_id); - } elseif (isset($apidata['api_arg'])) { + } else { $user = $this->get_user($apidata['api_arg']); - } elseif (isset($apidata['user'])) { - $user = $apidata['user']; } if (empty($user)) { - $this->client_error(_('Not found.'), 404, $apidata['content-type']); + $this->clientError(_('Not found.'), 404, $apidata['content-type']); return; } diff --git a/lib/router.php b/lib/router.php index 50b733453..75e72f932 100644 --- a/lib/router.php +++ b/lib/router.php @@ -261,7 +261,7 @@ class Router $m->connect('api/statuses/:method', array('action' => 'api', 'apiaction' => 'statuses'), - array('method' => '(public_timeline|friends_timeline|user_timeline|update|replies|mentions|friends|followers|featured)(\.(atom|rss|xml|json))?')); + array('method' => '(public_timeline|friends_timeline|user_timeline|update|replies|mentions|show|friends|followers|featured)(\.(atom|rss|xml|json))?')); $m->connect('api/statuses/:method/:argument', array('action' => 'api', |