1 files changed, 74 insertions, 20 deletions

diff --git a/actions/api.php b/actions/api.php
index 93e33085f..9b5f54807 100644
--- a/actions/api.php
+++ b/actions/api.php
@@ -1,5 +1,5 @@
 <?php
-/*
+/**
  * StatusNet - the distributed open-source microblogging tool
  * Copyright (C) 2008, 2009, StatusNet, Inc.
  *
@@ -15,9 +15,30 @@
  *
  * You should have received a copy of the GNU Affero General Public License
  * along with this program.     If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * @category Actions
+ * @package  Actions
+ * @author   Evan Prodromou <evan@controlyourself.ca>
+ * @author   Evan Prodromou <evan@prodromou.name>
+ * @author   Brenda Wallace <shiny@cpan.org>
+ * @author   Jeffery To <jeffery.to@gmail.com>
+ * @author   Robin Millette <millette@controlyourself.ca>
+ * @author   Tom Adams <tom@holizz.com>
+ * @author   Christopher Vollick <psycotica0@gmail.com>
+ * @author   CiaranG <ciaran@ciarang.com>
+ * @author   Craig Andrews <candrews@integralblue.com>
+ * @author   Evan Prodromou <evan@controlezvous.ca>
+ * @author   Evan Prodromou <evan@status.net>
+ * @author   Gina Haeussge <osd@foosel.net>
+ * @author   Mike Cochrane <mikec@mikenz.geek.nz>
+ * @author   Sarven Capadisli <csarven@controlyourself.ca>
+ * @license  GNU Affero General Public License http://www.gnu.org/licenses/
+ * @link     http://status.net
  */
 
-if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
+if (!defined('STATUSNET') && !defined('LACONICA')) { 
+    exit(1); 
+}
 
 class ApiAction extends Action
 {
@@ -27,6 +48,8 @@ class ApiAction extends Action
     var $api_arg;
     var $api_method;
     var $api_action;
+    var $auth_user;
+    var $auth_pw;
 
     function handle($args)
     {
@@ -35,6 +58,7 @@ class ApiAction extends Action
         $this->api_action = $this->arg('apiaction');
         $method = $this->arg('method');
         $argument = $this->arg('argument');
+        $this->basic_auth_process_header();
 
         if (isset($argument)) {
             $cmdext = explode('.', $argument);
@@ -43,30 +67,30 @@ class ApiAction extends Action
             $this->content_type = strtolower($cmdext[1]);
         } else {
 
-            # Requested format / content-type will be an extension on the method
+            //Requested format / content-type will be an extension on the method
             $cmdext = explode('.', $method);
             $this->api_method = $cmdext[0];
             $this->content_type = strtolower($cmdext[1]);
         }
 
         if ($this->requires_auth()) {
-            if (!isset($_SERVER['PHP_AUTH_USER'])) {
+            if (!isset($this->auth_user)) {
 
-                # This header makes basic auth go
+                //This header makes basic auth go
                 header('WWW-Authenticate: Basic realm="StatusNet API"');
 
-                # If the user hits cancel -- bam!
+                //If the user hits cancel -- bam!
                 $this->show_basic_auth_error();
             } else {
-                $nickname = $_SERVER['PHP_AUTH_USER'];
-                $password = $_SERVER['PHP_AUTH_PW'];
+                $nickname = $this->auth_user;
+                $password = $this->auth_pw;
                 $user = common_check_user($nickname, $password);
 
                 if ($user) {
                     $this->user = $user;
                     $this->process_command();
                 } else {
-                    # basic authentication failed
+                    //basic authentication failed
                     list($proxy, $ip) = common_client_ip();
 
                     common_log(LOG_WARNING, "Failed API auth attempt, nickname = $nickname, proxy = $proxy, ip = $ip.");
@@ -76,12 +100,12 @@ class ApiAction extends Action
         } else {
 
             // Caller might give us a username even if not required
-            if (isset($_SERVER['PHP_AUTH_USER'])) {
-                $user = User::staticGet('nickname', $_SERVER['PHP_AUTH_USER']);
+            if (isset($this->auth_user)) {
+                $user = User::staticGet('nickname', $this->auth_user);
                 if ($user) {
                     $this->user = $user;
                 }
-                # Twitter doesn't throw an error if the user isn't found
+                //Twitter doesn't throw an error if the user isn't found
             }
 
             $this->process_command();
@@ -94,7 +118,7 @@ class ApiAction extends Action
         $actionfile = INSTALLDIR."/actions/$action.php";
 
         if (file_exists($actionfile)) {
-            require_once($actionfile);
+            include_once $actionfile;
             $action_class = ucfirst($action)."Action";
             $action_obj = new $action_class();
 
@@ -110,10 +134,10 @@ class ApiAction extends Action
 
                 call_user_func(array($action_obj, $this->api_method), $_REQUEST, $apidata);
             } else {
-                $this->clientError("API method not found!", $code=404);
+                $this->clientError("API method not found!", $code = 404);
             }
         } else {
-            $this->clientError("API method not found!", $code=404);
+            $this->clientError("API method not found!", $code = 404);
         }
     }
 
@@ -133,6 +157,8 @@ class ApiAction extends Action
                                 'groups/show',
                                 'groups/timeline',
                                 'groups/list_all',
+                                'groups/membership',
+                                'groups/is_member',
                                 'groups/timeline');
 
         static $bareauth = array('statuses/user_timeline',
@@ -179,10 +205,11 @@ class ApiAction extends Action
             $user_id     = $this->arg('user_id');
             $screen_name = $this->arg('screen_name');
 
-            if (empty($this->api_arg) &&
-                empty($id)            &&
-                empty($user_id)       &&
-                empty($screen_name)) {
+            if (empty($this->api_arg) 
+                && empty($id)            
+                && empty($user_id)       
+                && empty($screen_name)
+            ) {
                 return true;
             } else {
                 return false;
@@ -201,6 +228,33 @@ class ApiAction extends Action
         }
     }
 
+    function basic_auth_process_header()
+    {
+        if (isset($_SERVER['AUTHORIZATION']) || isset($_SERVER['HTTP_AUTHORIZATION'])) {
+            $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION'];
+        }
+
+        if (isset($_SERVER['PHP_AUTH_USER'])) {
+            $this->auth_user = $_SERVER['PHP_AUTH_USER'];
+            $this->auth_pw = $_SERVER['PHP_AUTH_PW'];
+        } elseif (isset($authorization_header) && strstr(substr($authorization_header, 0, 5), 'Basic')) {
+            // decode the HTTP_AUTHORIZATION header on php-cgi server self
+            // on fcgid server the header name is AUTHORIZATION
+
+            $auth_hash = base64_decode(substr($authorization_header, 6));
+            list($this->auth_user, $this->auth_pw) = explode(':', $auth_hash);
+
+            // set all to null on a empty basic auth request
+            if ($this->auth_user == "") {
+                $this->auth_user = null;
+                $this->auth_pw = null;
+            }
+        } else {
+            $this->auth_user = null;
+            $this->auth_pw = null;
+        }
+    }
+
     function show_basic_auth_error()
     {
         header('HTTP/1.1 401 Unauthorized');
@@ -214,7 +268,7 @@ class ApiAction extends Action
             $this->element('request', null, $_SERVER['REQUEST_URI']);
             $this->elementEnd('hash');
             $this->endXML();
-        } else if ($this->content_type == 'json')  {
+        } else if ($this->content_type == 'json') {
             header('Content-Type: application/json; charset=utf-8');
             $error_array = array('error' => $msg, 'request' => $_SERVER['REQUEST_URI']);
             print(json_encode($error_array));