From ce0d81c19010a7eb25a721ad8662d82327139561 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Thu, 21 Oct 2010 17:11:59 -0700 Subject: OAuth - inform consumer when user refused to authorize a request token http://status.net/open-source/issues/2848 --- actions/apioauthauthorize.php | 54 +++++++++++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 12 deletions(-) diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php index a95c8268d..30fe77ec8 100644 --- a/actions/apioauthauthorize.php +++ b/actions/apioauthauthorize.php @@ -172,11 +172,11 @@ class ApiOauthAuthorizeAction extends Action $user = common_current_user(); } - if ($this->arg('allow')) { + // fetch the token + $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); + assert(!empty($this->reqToken)); - common_debug("allow"); - // fetch the token - $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); + if ($this->arg('allow')) { // mark the req token as authorized try { @@ -188,8 +188,10 @@ class ApiOauthAuthorizeAction extends Action common_log( LOG_INFO, sprintf( - "The request token '%s' for OAuth application %s (%s) has been authorized.", - $this->oauthTokenParam, + "API OAuth - User %d (%s) has authorized request token %s for OAuth application %d (%s).", + $user->id, + $user->nickname, + $this->reqToken->tok, $this->app->id, $this->app->name ) @@ -227,10 +229,7 @@ class ApiOauthAuthorizeAction extends Action ) ); - common_log( - LOG_INFO, - "API OAuth - Request token authorized; doing callback to $targetUrl" - ); + common_log(LOG_INFO, "Redirecting to callback: $targetUrl"); // Redirect the user to the provided OAuth callback common_redirect($targetUrl, 303); @@ -254,13 +253,45 @@ class ApiOauthAuthorizeAction extends Action } else if ($this->arg('cancel')) { + common_log( + LOG_INFO, + sprintf( + "API OAuth - User %d (%s) refused to authorize request token %s for OAuth application %d (%s).", + $user->id, + $user->nickname, + $this->reqToken->tok, + $this->app->id, + $this->app->name + ) + ); + try { $this->store->revoke_token($this->oauthTokenParam, 0); - $this->showCanceled(); } catch (Exception $e) { $this->ServerError($e->getMessage()); } + $callback = $this->getCallback(); + + // If there's a callback available, inform the consumer the user + // has refused authorization + if (!empty($callback) && $this->reqToken->verified_callback != 'oob') { + $targetUrl = $this->buildCallbackUrl( + $callback, + array( + 'oauth_problem' => 'user_refused', + ) + ); + + common_log(LOG_INFO, "Redirecting to callback: $targetUrl"); + + // Redirect the user to the provided OAuth callback + common_redirect($targetUrl, 303); + } + + // otherwise inform the user that authorization for the rt was declined + $this->showCanceled(); + } else { // TRANS: Client error given on when invalid data was passed through a form in the OAuth API. $this->clientError(_('Unexpected form submission.')); @@ -291,7 +322,6 @@ class ApiOauthAuthorizeAction extends Action $schema->ensureTable('oauth_token_association', $reqTokenCols); } - /** * Override to add some special (more compact) styling when the page is * being displayed in desktop mode. -- cgit v1.2.3