From f8808b076108bbc80e2e23e795c34bcdf817a183 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Thu, 7 Oct 2010 14:17:56 -0700 Subject: Added a comment about an open question: Should we allow pin-based workflow for clients registered as web applications? --- actions/apioauthauthorize.php | 5 ++++- actions/apioauthrequesttoken.php | 7 ++++++- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'actions') diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php index d0b621140..ea5c30c2a 100644 --- a/actions/apioauthauthorize.php +++ b/actions/apioauthauthorize.php @@ -464,7 +464,10 @@ class ApiOauthAuthorizeAction extends Action $pin->showPage(); } else { - // NOTE: This should probably never happen; trhow an error instead? + // NOTE: This would only happen if an application registered as + // a web application but sent in 'oob' for the oauth_callback + // parameter. Usually web apps will send in a callback and + // not use the pin-based workflow. $info = new InfoAction( $title, diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php index 4f4c2c8fb..825460f93 100644 --- a/actions/apioauthrequesttoken.php +++ b/actions/apioauthrequesttoken.php @@ -87,7 +87,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction try { - $req = OAuthRequest::from_request(); + $req = OAuthRequest::from_request(); // verify callback if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) { @@ -137,6 +137,11 @@ class ApiOauthRequestTokenAction extends ApiOauthAction { if ($callback == "oob") { common_debug("OAuth request token requested for out of bounds client."); + + // XXX: Should we throw an error if a client is registered as a + // web application but requests the pin based workflow? For now I'm + // allowing the workflow to proceed and issuing a pin. --Zach + return true; } else { return Validate::uri( -- cgit v1.2.3-54-g00ecf