allow_api removed
This commit is contained in:
parent
98b68b47f0
commit
42bd7918ad
3 changed files with 3 additions and 44 deletions
|
@ -73,27 +73,6 @@ define('API_LOG_PREFIX', 'API {action} - ');
|
||||||
$API = [];
|
$API = [];
|
||||||
$called_api = [];
|
$called_api = [];
|
||||||
|
|
||||||
/**
|
|
||||||
* Auth API user
|
|
||||||
*
|
|
||||||
* It is not sufficient to use local_user() to check whether someone is allowed to use the API,
|
|
||||||
* because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF
|
|
||||||
* into a page, and visitors will post something without noticing it).
|
|
||||||
*/
|
|
||||||
function api_user()
|
|
||||||
{
|
|
||||||
$user = OAuth::getCurrentUserID();
|
|
||||||
if (!empty($user)) {
|
|
||||||
return $user;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!empty($_SESSION['allow_api'])) {
|
|
||||||
return local_user();
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get source name from API client
|
* Get source name from API client
|
||||||
*
|
*
|
||||||
|
|
|
@ -123,7 +123,6 @@ class BasicAuth
|
||||||
private static function getUserIdByAuth(bool $do_login = true):int
|
private static function getUserIdByAuth(bool $do_login = true):int
|
||||||
{
|
{
|
||||||
$a = DI::app();
|
$a = DI::app();
|
||||||
Session::set('allow_api', false);
|
|
||||||
self::$current_user_id = 0;
|
self::$current_user_id = 0;
|
||||||
|
|
||||||
// workaround for HTTP-auth in CGI mode
|
// workaround for HTTP-auth in CGI mode
|
||||||
|
@ -187,15 +186,10 @@ class BasicAuth
|
||||||
|
|
||||||
DI::auth()->setForUser($a, $record, false, false, $login_refresh);
|
DI::auth()->setForUser($a, $record, false, false, $login_refresh);
|
||||||
|
|
||||||
Session::set('allow_api', true);
|
|
||||||
|
|
||||||
Hook::callAll('logged_in', $record);
|
Hook::callAll('logged_in', $record);
|
||||||
|
|
||||||
if (Session::get('allow_api')) {
|
self::$current_user_id = local_user();
|
||||||
self::$current_user_id = local_user();
|
|
||||||
} else {
|
|
||||||
self::$current_user_id = 0;
|
|
||||||
}
|
|
||||||
return self::$current_user_id;
|
return self::$current_user_id;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -110,7 +110,6 @@ class ApiTest extends FixtureTest
|
||||||
|
|
||||||
// Most API require login so we force the session
|
// Most API require login so we force the session
|
||||||
$_SESSION = [
|
$_SESSION = [
|
||||||
'allow_api' => true,
|
|
||||||
'authenticated' => true,
|
'authenticated' => true,
|
||||||
'uid' => $this->selfUser['id']
|
'uid' => $this->selfUser['id']
|
||||||
];
|
];
|
||||||
|
@ -234,8 +233,7 @@ class ApiTest extends FixtureTest
|
||||||
*/
|
*/
|
||||||
public function testApiUserWithUnallowedUser()
|
public function testApiUserWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$_SESSION = ['allow_api' => false];
|
// self::assertEquals(false, api_user());
|
||||||
self::assertEquals(false, api_user());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -715,7 +713,6 @@ class ApiTest extends FixtureTest
|
||||||
/*
|
/*
|
||||||
$_SERVER['PHP_AUTH_USER'] = 'Test user';
|
$_SERVER['PHP_AUTH_USER'] = 'Test user';
|
||||||
$_SERVER['PHP_AUTH_PW'] = 'password';
|
$_SERVER['PHP_AUTH_PW'] = 'password';
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
self::assertFalse(api_get_user());
|
self::assertFalse(api_get_user());
|
||||||
*/
|
*/
|
||||||
|
@ -1432,7 +1429,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiSearchWithUnallowedUser()
|
public function testApiSearchWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_search('json');
|
api_search('json');
|
||||||
|
@ -1489,7 +1485,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiStatusesHomeTimelineWithUnallowedUser()
|
public function testApiStatusesHomeTimelineWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_statuses_home_timeline('json');
|
api_statuses_home_timeline('json');
|
||||||
|
@ -1561,7 +1556,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiStatusesPublicTimelineWithUnallowedUser()
|
public function testApiStatusesPublicTimelineWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_statuses_public_timeline('json');
|
api_statuses_public_timeline('json');
|
||||||
|
@ -1616,7 +1610,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiStatusesNetworkpublicTimelineWithUnallowedUser()
|
public function testApiStatusesNetworkpublicTimelineWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_statuses_networkpublic_timeline('json');
|
api_statuses_networkpublic_timeline('json');
|
||||||
|
@ -1680,7 +1673,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiStatusesShowWithUnallowedUser()
|
public function testApiStatusesShowWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_statuses_show('json');
|
api_statuses_show('json');
|
||||||
|
@ -1722,7 +1714,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiConversationShowWithUnallowedUser()
|
public function testApiConversationShowWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_conversation_show('json');
|
api_conversation_show('json');
|
||||||
|
@ -1839,7 +1830,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiStatusesMentionsWithUnallowedUser()
|
public function testApiStatusesMentionsWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_statuses_mentions('json');
|
api_statuses_mentions('json');
|
||||||
|
@ -1907,7 +1897,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiStatusesUserTimelineWithUnallowedUser()
|
public function testApiStatusesUserTimelineWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_statuses_user_timeline('json');
|
api_statuses_user_timeline('json');
|
||||||
|
@ -2037,7 +2026,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiFavoritesWithUnallowedUser()
|
public function testApiFavoritesWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_favorites('json');
|
api_favorites('json');
|
||||||
|
@ -2464,7 +2452,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiListsStatusesWithUnallowedUser()
|
public function testApiListsStatusesWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_lists_statuses('json');
|
api_lists_statuses('json');
|
||||||
|
@ -2893,7 +2880,6 @@ class ApiTest extends FixtureTest
|
||||||
public function testApiDirectMessagesBoxWithUnallowedUser()
|
public function testApiDirectMessagesBoxWithUnallowedUser()
|
||||||
{
|
{
|
||||||
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
|
||||||
$_SESSION['allow_api'] = false;
|
|
||||||
$_GET['screen_name'] = $this->selfUser['nick'];
|
$_GET['screen_name'] = $this->selfUser['nick'];
|
||||||
BasicAuth::setCurrentUserID();
|
BasicAuth::setCurrentUserID();
|
||||||
api_direct_messages_box('json', 'sentbox', 'false');
|
api_direct_messages_box('json', 'sentbox', 'false');
|
||||||
|
|
Loading…
Reference in a new issue