diff options
Diffstat (limited to 'actions/apioauthauthorize.php')
| -rw-r--r-- | actions/apioauthauthorize.php | 388 |
1 files changed, 287 insertions, 101 deletions
diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php index eb1000e25..2b8ea84c7 100644 --- a/actions/apioauthauthorize.php +++ b/actions/apioauthauthorize.php @@ -35,7 +35,7 @@ require_once INSTALLDIR . '/lib/apioauth.php'; require_once INSTALLDIR . '/lib/info.php'; /** - * Authorize an OAuth request token + * Authorize an Oputh request token * * @category API * @package StatusNet @@ -43,7 +43,6 @@ require_once INSTALLDIR . '/lib/info.php'; * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ - class ApiOauthAuthorizeAction extends Action { var $oauthTokenParam; @@ -69,11 +68,11 @@ class ApiOauthAuthorizeAction extends Action { parent::prepare($args); - $this->nickname = $this->trimmed('nickname'); - $this->password = $this->arg('password'); - $this->oauthTokenParam = $this->arg('oauth_token'); - $this->callback = $this->arg('oauth_callback'); - $this->store = new ApiStatusNetOAuthDataStore(); + $this->nickname = $this->trimmed('nickname'); + $this->password = $this->arg('password'); + $this->oauthTokenParam = $this->arg('oauth_token'); + $this->mode = $this->arg('mode'); + $this->store = new ApiStatusNetOAuthDataStore(); try { $this->app = $this->store->getAppByRequestToken($this->oauthTokenParam); @@ -93,7 +92,6 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function handle($args) { parent::handle($args); @@ -106,6 +104,7 @@ class ApiOauthAuthorizeAction extends Action // Make sure a oauth_token parameter was provided if (empty($this->oauthTokenParam)) { + // TRANS: Client error given when no oauth_token was passed to the OAuth API. $this->clientError(_('No oauth_token parameter provided.')); } else { @@ -113,18 +112,21 @@ class ApiOauthAuthorizeAction extends Action $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); if (empty($this->reqToken)) { + // TRANS: Client error given when an invalid request token was passed to the OAuth API. $this->clientError(_('Invalid request token.')); } else { // Check to make sure we haven't already authorized the token if ($this->reqToken->state != 0) { - $this->clientError(_("Invalid request token.")); + // TRANS: Client error given when an invalid request token was passed to the OAuth API. + $this->clientError(_('Request token already authorized.')); } } } // make sure there's an app associated with this token if (empty($this->app)) { + // TRANS: Client error given when an invalid request token was passed to the OAuth API. $this->clientError(_('Invalid request token.')); } @@ -154,10 +156,15 @@ class ApiOauthAuthorizeAction extends Action // XXX Force credentials check? - // XXX OpenID + // @fixme this should probably use a unified login form handler + $user = null; + if (Event::handle('StartOAuthLoginCheck', array($this, &$user))) { + $user = common_check_user($this->nickname, $this->password); + } + Event::handle('EndOAuthLoginCheck', array($this, &$user)); - $user = common_check_user($this->nickname, $this->password); if (empty($user)) { + // TRANS: Form validation error given when an invalid username and/or password was passed to the OAuth API. $this->showForm(_("Invalid nickname / password!")); return; } @@ -165,10 +172,11 @@ class ApiOauthAuthorizeAction extends Action $user = common_current_user(); } - if ($this->arg('allow')) { + // fetch the token + $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); + assert(!empty($this->reqToken)); - // fetch the token - $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); + if ($this->arg('allow')) { // mark the req token as authorized try { @@ -177,69 +185,56 @@ class ApiOauthAuthorizeAction extends Action $this->serverError($e->getMessage()); } - // Check to see if there was a previous token associated - // with this user/app and kill it. If the user is doing this she - // probably doesn't want any old tokens anyway. - - $appUser = Oauth_application_user::getByKeys($user, $this->app); - - if (!empty($appUser)) { - $result = $appUser->delete(); - - if (!$result) { - common_log_db_error($appUser, 'DELETE', __FILE__); - $this->serverError(_('Database error deleting OAuth application user.')); - } - } - - // associated the authorized req token with the user and the app - - $appUser = new Oauth_application_user(); + common_log( + LOG_INFO, + sprintf( + "API OAuth - User %d (%s) has authorized request token %s for OAuth application %d (%s).", + $user->id, + $user->nickname, + $this->reqToken->tok, + $this->app->id, + $this->app->name + ) + ); - $appUser->profile_id = $user->id; - $appUser->application_id = $this->app->id; + // XXX: Make sure we have a oauth_token_association table. The table + // is now in the main schema, but because it is being added with + // a point release, it's unlikely to be there. This code can be + // removed as of 1.0. + $this->ensureOauthTokenAssociationTable(); - // Note: do not copy the access type from the application. - // The access type should always be 0 when the OAuth app - // user record has a request token associated with it. - // Access type gets assigned once an access token has been - // granted. The OAuth app user record then gets updated - // with the new access token and access type. + $tokenAssoc = new Oauth_token_association(); - $appUser->token = $this->oauthTokenParam; - $appUser->created = common_sql_now(); + $tokenAssoc->profile_id = $user->id; + $tokenAssoc->application_id = $this->app->id; + $tokenAssoc->token = $this->oauthTokenParam; + $tokenAssoc->created = common_sql_now(); - $result = $appUser->insert(); + $result = $tokenAssoc->insert(); if (!$result) { - common_log_db_error($appUser, 'INSERT', __FILE__); - $this->serverError(_('Database error inserting OAuth application user.')); - } - - // If we have a callback redirect and provide the token - - // Note: A callback specified in the app setup overrides whatever - // is passed in with the request. - - if (!empty($this->app->callback_url)) { - $this->callback = $this->app->callback_url; + common_log_db_error($tokenAssoc, 'INSERT', __FILE__); + // TRANS: Server error displayed when a database action fails. + $this->serverError(_('Database error inserting oauth_token_association.')); } - if (!empty($this->callback)) { + $callback = $this->getCallback(); - $targetUrl = $this->getCallback( - $this->callback, + if (!empty($callback) && $this->reqToken->verified_callback != 'oob') { + $targetUrl = $this->buildCallbackUrl( + $callback, array( 'oauth_token' => $this->oauthTokenParam, 'oauth_verifier' => $this->reqToken->verifier // 1.0a ) ); + common_log(LOG_INFO, "Redirecting to callback: $targetUrl"); + // Redirect the user to the provided OAuth callback common_redirect($targetUrl, 303); } elseif ($this->app->type == 2) { - // Strangely, a web application seems to want to do the OOB // workflow. Because no callback was specified anywhere. common_log( @@ -253,33 +248,123 @@ class ApiOauthAuthorizeAction extends Action ); } + // Otherwise, inform the user that the rt was authorized + $this->showAuthorized(); + + } else if ($this->arg('cancel')) { + common_log( LOG_INFO, sprintf( - "The request token '%s' for OAuth application %s (%s) has been authorized.", - $this->oauthTokenParam, + "API OAuth - User %d (%s) refused to authorize request token %s for OAuth application %d (%s).", + $user->id, + $user->nickname, + $this->reqToken->tok, $this->app->id, $this->app->name ) ); - // Otherwise, inform the user that the rt was authorized - $this->showAuthorized(); - - } else if ($this->arg('cancel')) { - try { $this->store->revoke_token($this->oauthTokenParam, 0); - $this->showCanceled(); } catch (Exception $e) { $this->ServerError($e->getMessage()); } + $callback = $this->getCallback(); + + // If there's a callback available, inform the consumer the user + // has refused authorization + if (!empty($callback) && $this->reqToken->verified_callback != 'oob') { + $targetUrl = $this->buildCallbackUrl( + $callback, + array( + 'oauth_problem' => 'user_refused', + ) + ); + + common_log(LOG_INFO, "Redirecting to callback: $targetUrl"); + + // Redirect the user to the provided OAuth callback + common_redirect($targetUrl, 303); + } + + // otherwise inform the user that authorization for the rt was declined + $this->showCanceled(); + } else { + // TRANS: Client error given on when invalid data was passed through a form in the OAuth API. $this->clientError(_('Unexpected form submission.')); } } + // XXX Remove this function when we hit 1.0 + function ensureOauthTokenAssociationTable() + { + $schema = Schema::get(); + + $reqTokenCols = array( + new ColumnDef('profile_id', 'integer', null, true, 'PRI'), + new ColumnDef('application_id', 'integer', null, true, 'PRI'), + new ColumnDef('token', 'varchar', 255, true, 'PRI'), + new ColumnDef('created', 'datetime', null, false), + new ColumnDef( + 'modified', + 'timestamp', + null, + false, + null, + 'CURRENT_TIMESTAMP', + 'on update CURRENT_TIMESTAMP' + ) + ); + + $schema->ensureTable('oauth_token_association', $reqTokenCols); + } + + /** + * Show body - override to add a special CSS class for the authorize + * page's "desktop mode" (minimal display) + * + * Calls template methods + * + * @return nothing + */ + function showBody() + { + $bodyClasses = array(); + + if ($this->desktopMode()) { + $bodyClasses[] = 'oauth-desktop-mode'; + } + + if (common_current_user()) { + $bodyClasses[] = 'user_in'; + } + + $attrs = array('id' => strtolower($this->trimmed('action'))); + + if (!empty($bodyClasses)) { + $attrs['class'] = implode(' ', $bodyClasses); + } + + $this->elementStart('body', $attrs); + + $this->elementStart('div', array('id' => 'wrap')); + if (Event::handle('StartShowHeader', array($this))) { + $this->showHeader(); + Event::handle('EndShowHeader', array($this)); + } + $this->showCore(); + if (Event::handle('StartShowFooter', array($this))) { + $this->showFooter(); + Event::handle('EndShowFooter', array($this)); + } + $this->elementEnd('div'); + $this->showScripts(); + $this->elementEnd('body'); + } + function showForm($error=null) { $this->error = $error; @@ -299,9 +384,9 @@ class ApiOauthAuthorizeAction extends Action * * @return string title of the page */ - function title() { + // TRANS: Title for a page where a user can confirm/deny account access by an external application. return _('An application would like to connect to your account'); } @@ -310,7 +395,6 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function showContent() { $this->elementStart('form', array('method' => 'post', @@ -319,27 +403,40 @@ class ApiOauthAuthorizeAction extends Action 'action' => common_local_url('ApiOauthAuthorize'))); $this->elementStart('fieldset'); $this->element('legend', array('id' => 'apioauthauthorize_allowdeny'), + // TRANS: Fieldset legend. _('Allow or deny access')); $this->hidden('token', common_session_token()); + $this->hidden('mode', $this->mode); $this->hidden('oauth_token', $this->oauthTokenParam); $this->hidden('oauth_callback', $this->callback); $this->elementStart('ul', 'form_data'); $this->elementStart('li'); $this->elementStart('p'); - if (!empty($this->app->icon)) { + if (!empty($this->app->icon) && $this->app->name != 'anonymous') { $this->element('img', array('src' => $this->app->icon)); } $access = ($this->app->access_type & Oauth_application::$writeAccess) ? 'access and update' : 'access'; - $msg = _('The application <strong>%1$s</strong> by ' . - '<strong>%2$s</strong> would like the ability ' . + // TRANS: User notification of external application requesting account access. + // TRANS: %1$s is the application name requesting access, %2$s is the organisation behind the application, + // TRANS: %3$s is the access type requested, %4$s is the StatusNet sitename. + if ($this->app->name == 'anonymous') { + // Special message for the anonymous app and consumer + $msg = _('An application would like the ability ' . 'to <strong>%3$s</strong> your %4$s account data. ' . 'You should only give access to your %4$s account ' . 'to third parties you trust.'); + } else { + $msg = _('The application <strong>%1$s</strong> by ' . + '<strong>%2$s</strong> would like the ability ' . + 'to <strong>%3$s</strong> your %4$s account data. ' . + 'You should only give access to your %4$s account ' . + 'to third parties you trust.'); + } $this->raw(sprintf($msg, $this->app->name, @@ -350,34 +447,43 @@ class ApiOauthAuthorizeAction extends Action $this->elementEnd('li'); $this->elementEnd('ul'); + // quickie hack + $button = false; if (!common_logged_in()) { - - $this->elementStart('fieldset'); - $this->element('legend', null, _('Account')); - $this->elementStart('ul', 'form_data'); - $this->elementStart('li'); - $this->input('nickname', _('Nickname')); - $this->elementEnd('li'); - $this->elementStart('li'); - $this->password('password', _('Password')); - $this->elementEnd('li'); - $this->elementEnd('ul'); - - $this->elementEnd('fieldset'); - + if (Event::handle('StartOAuthLoginForm', array($this, &$button))) { + $this->elementStart('fieldset'); + // TRANS: Fieldset legend. + $this->element('legend', null, _m('LEGEND','Account')); + $this->elementStart('ul', 'form_data'); + $this->elementStart('li'); + // TRANS: Field label on OAuth API authorisation form. + $this->input('nickname', _('Nickname')); + $this->elementEnd('li'); + $this->elementStart('li'); + // TRANS: Field label on OAuth API authorisation form. + $this->password('password', _('Password')); + $this->elementEnd('li'); + $this->elementEnd('ul'); + + $this->elementEnd('fieldset'); + } + Event::handle('EndOAuthLoginForm', array($this, &$button)); } $this->element('input', array('id' => 'cancel_submit', 'class' => 'submit submit form_action-primary', 'name' => 'cancel', 'type' => 'submit', - 'value' => _('Cancel'))); + // TRANS: Button text that when clicked will cancel the process of allowing access to an account + // TRANS: by an external application. + 'value' => _m('BUTTON','Cancel'))); $this->element('input', array('id' => 'allow_submit', 'class' => 'submit submit form_action-secondary', 'name' => 'allow', 'type' => 'submit', - 'value' => _('Allow'))); + // TRANS: Button text that when clicked will allow access to an account by an external application. + 'value' => $button ? $button : _m('BUTTON','Allow'))); $this->elementEnd('fieldset'); $this->elementEnd('form'); @@ -391,9 +497,9 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function getInstructions() { + // TRANS: Form instructions. return _('Authorize access to your account information.'); } @@ -404,18 +510,61 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function showLocalNav() { // NOP } + /* + * Checks to see if a the "mode" parameter is present in the request + * and set to "desktop". If it is, the page is meant to be displayed in + * a small frame of another application, and we should suppress the + * header, aside, and footer. + */ + function desktopMode() + { + if (isset($this->mode) && $this->mode == 'desktop') { + return true; + } else { + return false; + } + } + + /* + * Override - suppress output in "desktop" mode + */ + function showHeader() + { + if ($this->desktopMode() == false) { + parent::showHeader(); + } + } + + /* + * Override - suppress output in "desktop" mode + */ + function showAside() + { + if ($this->desktopMode() == false) { + parent::showAside(); + } + } + + /* + * Override - suppress output in "desktop" mode + */ + function showFooter() + { + if ($this->desktopMode() == false) { + parent::showFooter(); + } + } + /** * Show site notice. * * @return nothing */ - function showSiteNotice() { // NOP @@ -428,7 +577,6 @@ class ApiOauthAuthorizeAction extends Action * * @return nothing */ - function showNoticeForm() { // NOP @@ -440,14 +588,16 @@ class ApiOauthAuthorizeAction extends Action * * @return nothing */ - function showCanceled() { $info = new InfoAction( + // TRANS: Header for user notification after revoking OAuth access to an application. _('Authorization canceled.'), sprintf( + // TRANS: User notification after revoking OAuth access to an application. + // TRANS: %s is an OAuth token. _('The request token %s has been revoked.'), - $this->oauthTokenParm + $this->oauthTokenParam ) ); @@ -460,21 +610,29 @@ class ApiOauthAuthorizeAction extends Action * * @return nothing */ - function showAuthorized() { $title = sprintf( - _("You have successfully authorized %s."), - $this->app->name + // TRANS: Header of user notification after authorising an application access to a profile. + // TRANS: %s is the authorised application name. + _('You have successfully authorized %s.'), + ($this->app->name == 'anonymous') ? 'the application' : $this->app->name ); $msg = sprintf( + // TRANS: Uer notification after authorising an application access to a profile. + // TRANS: %s is the authorised application name. _('Please return to %s and enter the following security code to complete the process.'), - $this->app->name + ($this->app->name == 'anonymous') ? 'the application' : $this->app->name ); if ($this->reqToken->verified_callback == 'oob') { - $pin = new ApiOauthPinAction($title, $msg, $this->reqToken->verifier); + $pin = new ApiOauthPinAction( + $title, + $msg, + $this->reqToken->verifier, + $this->desktopMode() + ); $pin->showPage(); } else { @@ -495,6 +653,36 @@ class ApiOauthAuthorizeAction extends Action } /* + * Figure out what the callback should be + */ + function getCallback() + { + $callback = null; + + // Return the verified callback if we have one + if ($this->reqToken->verified_callback != 'oob') { + + $callback = $this->reqToken->verified_callback; + + // Otherwise return the callback that was provided when + // registering the app + if (empty($callback)) { + + common_debug( + "No verified callback found for request token, using application callback: " + . $this->app->callback_url, + __FILE__ + ); + + $callback = $this->app->callback_url; + } + + } + + return $callback; + } + + /* * Properly format the callback URL and parameters so it's * suitable for a redirect in the OAuth dance * @@ -503,8 +691,7 @@ class ApiOauthAuthorizeAction extends Action * * @return string $url a URL to use for redirecting to */ - - function getCallback($url, $params) + function buildCallbackUrl($url, $params) { foreach ($params as $k => $v) { $url = $this->appendQueryVar( @@ -527,7 +714,6 @@ class ApiOauthAuthorizeAction extends Action * * @return string $url the new URL with added parameter */ - function appendQueryVar($url, $k, $v) { $url = preg_replace('/(.*)(\?|&)' . $k . '=[^&]+?(&)(.*)/i', '$1$2$4', $url . '&'); $url = substr($url, 0, -1); |