From 42bd7918ad7172cdd3d2134d9be1478cd88a694d Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 18 Nov 2021 07:14:23 +0000
Subject: [PATCH] allow_api removed
---
 include/api.php | 21 ---------------------
 src/Security/BasicAuth.php | 10 ++--------
 tests/legacy/ApiTest.php | 16 +---------------
 3 files changed, 3 insertions(+), 44 deletions(-)
diff --git a/include/api.php b/include/api.php
index 5f89b7ecf8..20d77b7548 100644
--- a/include/api.php
+++ b/include/api.php
@@ -73,27 +73,6 @@ define('API_LOG_PREFIX', 'API {action} - ');
 $API = [];
 $called_api = [];
-/**
- * Auth API user
- *
- * It is not sufficient to use local_user() to check whether someone is allowed to use the API,
- * because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF
- * into a page, and visitors will post something without noticing it).
- */
-function api_user()
-{
- $user = OAuth::getCurrentUserID();
- if (!empty($user)) {
- return $user;
- }
-
- if (!empty($_SESSION['allow_api'])) {
- return local_user();
- }
-
- return false;
-}
-
 /**
 * Get source name from API client
 *
diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php
index d4c8bc6dcb..52657057e9 100644
--- a/src/Security/BasicAuth.php
+++ b/src/Security/BasicAuth.php
@@ -123,7 +123,6 @@ class BasicAuth
 private static function getUserIdByAuth(bool $do_login = true):int
 {
 $a = DI::app();
- Session::set('allow_api', false);
 self::$current_user_id = 0;
 // workaround for HTTP-auth in CGI mode
@@ -187,15 +186,10 @@ class BasicAuth DI::auth()->setForUser($a, $record, false, false, $login_refresh); - Session::set('allow_api', true); - Hook::callAll('logged_in', $record); - if (Session::get('allow_api')) { - self::$current_user_id = local_user(); - } else { - self::$current_user_id = 0; - } + self::$current_user_id = local_user(); + return self::$current_user_id; } }
diff --git a/tests/legacy/ApiTest.php b/tests/legacy/ApiTest.php
index 34f3f6659b..f4dda4c6b0 100644
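Review bot: In src/Security/BasicAuth.php (hunk @@ -187) `self::$current_user_id = local_user();` now runs unconditionally, so nothing can withhold the id once login has succeeded; the old code re-read `allow_api` after the `logged_in` hook, which looks like it let a hook handler veto API access by clearing the flag, and it is worth confirming no addon depended on that. The commit also deletes the only written explanation of why a browser session alone must not authorise API calls (the CSRF note in the removed api_user() docblock in include/api.php). I would keep that rationale beside this assignment, e.g. `// API code must take the user id from BasicAuth/OAuth, never from local_user() directly: a session cookie alone would reopen CSRF`. getUserIdByAuth() begins outside this hunk, so the credential check that precedes this line is not visible here.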
--- a/tests/legacy/ApiTest.php
+++ b/tests/legacy/ApiTest.php
@@ -110,7 +110,6 @@ class ApiTest extends FixtureTest
 // Most API require login so we force the session
 $_SESSION = [
- 'allow_api' => true,
 'authenticated' => true,
 'uid' => $this->selfUser['id']
 ];
@@ -234,8 +233,7 @@ class ApiTest extends FixtureTest
 */
 public function testApiUserWithUnallowedUser()
 {
- $_SESSION = ['allow_api' => false];
- self::assertEquals(false, api_user());
+ // self::assertEquals(false, api_user());
 }
 /**
@@ -715,7 +713,6 @@ class ApiTest extends FixtureTest
 /*
 $_SERVER['PHP_AUTH_USER'] = 'Test user';
 $_SERVER['PHP_AUTH_PW'] = 'password';
- $_SESSION['allow_api'] = false;
 BasicAuth::setCurrentUserID();
 self::assertFalse(api_get_user());
 */
@@ -1432,7 +1429,6 @@ class ApiTest extends FixtureTest
 public function testApiSearchWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_search('json');
@@ -1489,7 +1485,6 @@ class ApiTest extends FixtureTest
 public function testApiStatusesHomeTimelineWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_statuses_home_timeline('json');
@@ -1561,7 +1556,6 @@ class ApiTest extends FixtureTest
 public function testApiStatusesPublicTimelineWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_statuses_public_timeline('json');
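Review bot: testApiUserWithUnallowedUser() (hunk @@ -234) is left with only a commented-out assertion, so it now passes without checking anything, and the commented call names api_user(), which this same commit deletes. Remove the test, or make the gap visible with `self::markTestIncomplete('api_user() was removed; cover the unauthenticated case via BasicAuth');`. The ...WithUnallowedUser tests in the later hunks drop `$_SESSION['allow_api'] = false;` but still expect ForbiddenException while the fixture in hunk @@ -110 keeps `authenticated` and `uid` set, so it is worth confirming they still fail because the caller is unauthenticated and not for an unrelated reason.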
@@ -1616,7 +1610,6 @@ class ApiTest extends FixtureTest
 public function testApiStatusesNetworkpublicTimelineWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_statuses_networkpublic_timeline('json');
@@ -1680,7 +1673,6 @@ class ApiTest extends FixtureTest
 public function testApiStatusesShowWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_statuses_show('json');
@@ -1722,7 +1714,6 @@ class ApiTest extends FixtureTest
 public function testApiConversationShowWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_conversation_show('json');
@@ -1839,7 +1830,6 @@ class ApiTest extends FixtureTest
 public function testApiStatusesMentionsWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_statuses_mentions('json');
@@ -1907,7 +1897,6 @@ class ApiTest extends FixtureTest
 public function testApiStatusesUserTimelineWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_statuses_user_timeline('json');
@@ -2037,7 +2026,6 @@ class ApiTest extends FixtureTest
 public function testApiFavoritesWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_favorites('json');
@@ -2464,7 +2452,6 @@ class ApiTest extends FixtureTest
 public function testApiListsStatusesWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_lists_statuses('json');
@@ -2893,7 +2880,6 @@ class ApiTest extends FixtureTest
 public function testApiDirectMessagesBoxWithUnallowedUser()
 {
 $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
- $_SESSION['allow_api'] = false;
 $_GET['screen_name'] = $this->selfUser['nick'];
 BasicAuth::setCurrentUserID();
 api_direct_messages_box('json', 'sentbox', 'false');