From 4cbbfdab84c3cd58880902dbc560b14b4c66a0e8 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@pobox.com>
Date: Thu, 2 Sep 2010 10:40:41 -0700
Subject: Fix for #2635: use ssl-sometimes settings for Twitter settings & auth
 pages

---
 plugins/TwitterBridge/TwitterBridgePlugin.php | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'plugins')

diff --git a/plugins/TwitterBridge/TwitterBridgePlugin.php b/plugins/TwitterBridge/TwitterBridgePlugin.php
index 0505a328f..8e3eba318 100644
--- a/plugins/TwitterBridge/TwitterBridgePlugin.php
+++ b/plugins/TwitterBridge/TwitterBridgePlugin.php
@@ -335,5 +335,30 @@ class TwitterBridgePlugin extends Plugin
         return (bool)$this->adminImportControl;
     }
 
+    /**
+     * When the site is set to ssl=sometimes mode, we should make sure our
+     * various auth-related pages are on SSL to keep things looking happy.
+     * Although we're not submitting passwords directly, we do link out to
+     * an authentication source and it's a lot happier if we've got some
+     * protection against MitM.
+     *
+     * @param string $action name
+     * @param boolean $ssl outval to force SSL
+     * @return mixed hook return value
+     */
+    function onSensitiveAction($action, &$ssl)
+    {
+        $sensitive = array('twitteradminpanel',
+                           'twittersettings',
+                           'twitterauthorization',
+                           'twitterlogin');
+        if (in_array($action, $sensitive)) {
+            $ssl = true;
+            return false;
+        } else {
+            return true;
+        }
+    }
+
 }
 
-- 
cgit v1.2.3-54-g00ecf