Browse Source

Added scope check

pull/10252/head
Michael 1 month ago
parent
commit
49207a8624
53 changed files with 107 additions and 62 deletions
  1. +5
    -2
      database.sql
  2. +9
    -0
      src/Factory/Api/Mastodon/Error.php
  3. +1
    -1
      src/Module/Api/Friendica/Events/Index.php
  4. +1
    -1
      src/Module/Api/Friendica/Profile/Show.php
  5. +1
    -1
      src/Module/Api/Mastodon/Accounts/Block.php
  6. +2
    -2
      src/Module/Api/Mastodon/Accounts/Follow.php
  7. +1
    -1
      src/Module/Api/Mastodon/Accounts/Followers.php
  8. +1
    -1
      src/Module/Api/Mastodon/Accounts/Following.php
  9. +1
    -1
      src/Module/Api/Mastodon/Accounts/IdentityProofs.php
  10. +1
    -1
      src/Module/Api/Mastodon/Accounts/Lists.php
  11. +1
    -1
      src/Module/Api/Mastodon/Accounts/Mute.php
  12. +1
    -1
      src/Module/Api/Mastodon/Accounts/Note.php
  13. +1
    -1
      src/Module/Api/Mastodon/Accounts/Relationships.php
  14. +1
    -1
      src/Module/Api/Mastodon/Accounts/Search.php
  15. +1
    -1
      src/Module/Api/Mastodon/Accounts/Unblock.php
  16. +1
    -1
      src/Module/Api/Mastodon/Accounts/Unfollow.php
  17. +1
    -1
      src/Module/Api/Mastodon/Accounts/Unmute.php
  18. +1
    -1
      src/Module/Api/Mastodon/Accounts/UpdateCredentials.php
  19. +1
    -1
      src/Module/Api/Mastodon/Accounts/VerifyCredentials.php
  20. +1
    -1
      src/Module/Api/Mastodon/Announcements.php
  21. +4
    -3
      src/Module/Api/Mastodon/Apps.php
  22. +1
    -1
      src/Module/Api/Mastodon/Blocks.php
  23. +1
    -1
      src/Module/Api/Mastodon/Bookmarks.php
  24. +1
    -1
      src/Module/Api/Mastodon/Favourited.php
  25. +2
    -2
      src/Module/Api/Mastodon/FollowRequests.php
  26. +3
    -3
      src/Module/Api/Mastodon/Lists.php
  27. +1
    -1
      src/Module/Api/Mastodon/Lists/Accounts.php
  28. +3
    -1
      src/Module/Api/Mastodon/Markers.php
  29. +4
    -1
      src/Module/Api/Mastodon/Media.php
  30. +1
    -1
      src/Module/Api/Mastodon/Mutes.php
  31. +1
    -1
      src/Module/Api/Mastodon/Notifications.php
  32. +1
    -1
      src/Module/Api/Mastodon/Notifications/Clear.php
  33. +1
    -1
      src/Module/Api/Mastodon/Notifications/Dismiss.php
  34. +1
    -1
      src/Module/Api/Mastodon/Preferences.php
  35. +2
    -2
      src/Module/Api/Mastodon/Statuses.php
  36. +1
    -1
      src/Module/Api/Mastodon/Statuses/Bookmark.php
  37. +1
    -1
      src/Module/Api/Mastodon/Statuses/Favourite.php
  38. +1
    -1
      src/Module/Api/Mastodon/Statuses/Mute.php
  39. +1
    -1
      src/Module/Api/Mastodon/Statuses/Pin.php
  40. +1
    -1
      src/Module/Api/Mastodon/Statuses/Reblog.php
  41. +1
    -1
      src/Module/Api/Mastodon/Statuses/Unbookmark.php
  42. +1
    -1
      src/Module/Api/Mastodon/Statuses/Unfavourite.php
  43. +1
    -1
      src/Module/Api/Mastodon/Statuses/Unmute.php
  44. +1
    -1
      src/Module/Api/Mastodon/Statuses/Unpin.php
  45. +1
    -1
      src/Module/Api/Mastodon/Statuses/Unreblog.php
  46. +1
    -1
      src/Module/Api/Mastodon/Suggestions.php
  47. +1
    -1
      src/Module/Api/Mastodon/Timelines/Home.php
  48. +1
    -1
      src/Module/Api/Mastodon/Timelines/ListTimeline.php
  49. +1
    -1
      src/Module/Api/Mastodon/Timelines/Tag.php
  50. +1
    -1
      src/Module/Api/Twitter/ContactEndpoint.php
  51. +28
    -4
      src/Module/BaseApi.php
  52. +3
    -1
      static/dbstructure.config.php
  53. +1
    -0
      static/dbview.config.php

+ 5
- 2
database.sql View File

@ -1,6 +1,6 @@
-- ------------------------------------------
-- Friendica 2021.06-dev (Siberian Iris)
-- DB_UPDATE_VERSION 1417
-- DB_UPDATE_VERSION 1418
-- ------------------------------------------
@ -378,6 +378,7 @@ CREATE TABLE IF NOT EXISTS `application` (
`read` boolean COMMENT 'Read scope',
`write` boolean COMMENT 'Write scope',
`follow` boolean COMMENT 'Follow scope',
`push` boolean COMMENT 'Push scope',
PRIMARY KEY(`id`),
UNIQUE INDEX `client_id` (`client_id`)
) DEFAULT COLLATE utf8mb4_general_ci COMMENT='OAuth application';
@ -395,6 +396,7 @@ CREATE TABLE IF NOT EXISTS `application-token` (
`read` boolean COMMENT 'Read scope',
`write` boolean COMMENT 'Write scope',
`follow` boolean COMMENT 'Follow scope',
`push` boolean COMMENT 'Push scope',
PRIMARY KEY(`application-id`,`uid`),
INDEX `uid_id` (`uid`,`application-id`),
FOREIGN KEY (`application-id`) REFERENCES `application` (`id`) ON UPDATE RESTRICT ON DELETE CASCADE,
@ -1525,7 +1527,8 @@ CREATE VIEW `application-view` AS SELECT
`application-token`.`scopes` AS `scopes`,
`application-token`.`read` AS `read`,
`application-token`.`write` AS `write`,
`application-token`.`follow` AS `follow`
`application-token`.`follow` AS `follow`,
`application-token`.`push` AS `push`
FROM `application-token`
INNER JOIN `application` ON `application-token`.`application-id` = `application`.`id`;


+ 9
- 0
src/Factory/Api/Mastodon/Error.php View File

@ -54,6 +54,15 @@ class Error extends BaseFactory
System::jsonError(401, $errorobj->toArray());
}
public function Forbidden(string $error = '')
{
$error = $error ?: DI::l10n()->t('Token is not authorized with a valid user or is missing a required scope');
$error_description = '';
$errorobj = New \Friendica\Object\Api\Mastodon\Error($error, $error_description);
System::jsonError(403, $errorobj->toArray());
}
public function InternalError(string $error = '')
{
$error = $error ?: DI::l10n()->t('Internal Server Error');


+ 1
- 1
src/Module/Api/Friendica/Events/Index.php View File

@ -35,7 +35,7 @@ class Index extends BaseApi
{
public static function rawContent(array $parameters = [])
{
if (self::login() === false) {
if (self::login(self::SCOPE_READ) === false) {
throw new HTTPException\ForbiddenException();
}


+ 1
- 1
src/Module/Api/Friendica/Profile/Show.php View File

@ -37,7 +37,7 @@ class Show extends BaseApi
{
public static function rawContent(array $parameters = [])
{
if (self::login() === false) {
if (self::login(self::SCOPE_READ) === false) {
throw new HTTPException\ForbiddenException();
}


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Block.php View File

@ -33,7 +33,7 @@ class Block extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 2
- 2
src/Module/Api/Mastodon/Accounts/Follow.php View File

@ -33,7 +33,7 @@ class Follow extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {
@ -42,6 +42,6 @@ class Follow extends BaseApi
$cid = Contact::follow($parameters['id'], self::getCurrentUserID());
System::jsonExit(DI::mstdnRelationship()->createFromContactId($cid)->toArray());
System::jsonExit(DI::mstdnRelationship()->createFromContactId($cid, $uid)->toArray());
}
}

+ 1
- 1
src/Module/Api/Mastodon/Accounts/Followers.php View File

@ -37,7 +37,7 @@ class Followers extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Following.php View File

@ -37,7 +37,7 @@ class Following extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/IdentityProofs.php View File

@ -35,7 +35,7 @@ class IdentityProofs extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
System::jsonExit([]);
}


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Lists.php View File

@ -38,7 +38,7 @@ class Lists extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Mute.php View File

@ -33,7 +33,7 @@ class Mute extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Note.php View File

@ -34,7 +34,7 @@ class Note extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Relationships.php View File

@ -37,7 +37,7 @@ class Relationships extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($_REQUEST['id']) || !is_array($_REQUEST['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Search.php View File

@ -40,7 +40,7 @@ class Search extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
// What to search for


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Unblock.php View File

@ -33,7 +33,7 @@ class Unblock extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Unfollow.php View File

@ -33,7 +33,7 @@ class Unfollow extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/Unmute.php View File

@ -33,7 +33,7 @@ class Unmute extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Accounts/UpdateCredentials.php View File

@ -31,7 +31,7 @@ class UpdateCredentials extends BaseApi
{
public static function patch(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
$data = Network::postdata();


+ 1
- 1
src/Module/Api/Mastodon/Accounts/VerifyCredentials.php View File

@ -38,7 +38,7 @@ class VerifyCredentials extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
$self = User::getOwnerDataById($uid);


+ 1
- 1
src/Module/Api/Mastodon/Announcements.php View File

@ -35,7 +35,7 @@ class Announcements extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
// @todo Possibly use the message from the pageheader addon for this
System::jsonExit([]);


+ 4
- 3
src/Module/Api/Mastodon/Apps.php View File

@ -67,9 +67,10 @@ class Apps extends BaseApi
$fields['scopes'] = $scopes;
}
$fields['read'] = (stripos($scopes, 'read') !== false);
$fields['write'] = (stripos($scopes, 'write') !== false);
$fields['follow'] = (stripos($scopes, 'follow') !== false);
$fields['read'] = (stripos($scopes, self::SCOPE_READ) !== false);
$fields['write'] = (stripos($scopes, self::SCOPE_WRITE) !== false);
$fields['follow'] = (stripos($scopes, self::SCOPE_FOLLOW) !== false);
$fields['push'] = (stripos($scopes, self::SCOPE_PUSH) !== false);
if (!empty($website)) {
$fields['website'] = $website;


+ 1
- 1
src/Module/Api/Mastodon/Blocks.php View File

@ -37,7 +37,7 @@ class Blocks extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Bookmarks.php View File

@ -39,7 +39,7 @@ class Bookmarks extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
// Maximum number of results to return. Defaults to 20.


+ 1
- 1
src/Module/Api/Mastodon/Favourited.php View File

@ -40,7 +40,7 @@ class Favourited extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
// Maximum number of results to return. Defaults to 20.


+ 2
- 2
src/Module/Api/Mastodon/FollowRequests.php View File

@ -45,7 +45,7 @@ class FollowRequests extends BaseApi
*/
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_FOLLOW);
$uid = self::getCurrentUserID();
$introduction = DI::intro()->selectFirst(['id' => $parameters['id'], 'uid' => $uid]);
@ -83,7 +83,7 @@ class FollowRequests extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
$min_id = $_GET['min_id'] ?? null;


+ 3
- 3
src/Module/Api/Mastodon/Lists.php View File

@ -33,7 +33,7 @@ class Lists extends BaseApi
{
public static function delete(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
@ -54,7 +54,7 @@ class Lists extends BaseApi
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
$title = $_REQUEST['title'] ?? '';
@ -90,7 +90,7 @@ class Lists extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Lists/Accounts.php View File

@ -49,7 +49,7 @@ class Accounts extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 3
- 1
src/Module/Api/Mastodon/Markers.php View File

@ -31,6 +31,8 @@ class Markers extends BaseApi
{
public static function post(array $parameters = [])
{
self::login(self::SCOPE_WRITE);
self::unsupported('post');
}
@ -40,7 +42,7 @@ class Markers extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
System::jsonExit([]);
}


+ 4
- 1
src/Module/Api/Mastodon/Media.php View File

@ -33,6 +33,9 @@ class Media extends BaseApi
{
public static function put(array $parameters = [])
{
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
$data = self::getPutData();
self::unsupported('put');
}
@ -43,7 +46,7 @@ class Media extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Mutes.php View File

@ -37,7 +37,7 @@ class Mutes extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Notifications.php View File

@ -39,7 +39,7 @@ class Notifications extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (!empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Notifications/Clear.php View File

@ -32,7 +32,7 @@ class Clear extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
DBA::update('notify', ['seen' => true], ['uid' => $uid]);


+ 1
- 1
src/Module/Api/Mastodon/Notifications/Dismiss.php View File

@ -33,7 +33,7 @@ class Dismiss extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Preferences.php View File

@ -37,7 +37,7 @@ class Preferences extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
$user = User::getById($uid, ['language', 'allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);


+ 2
- 2
src/Module/Api/Mastodon/Statuses.php View File

@ -42,7 +42,7 @@ class Statuses extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
$data = self::getJsonPostData();
@ -190,7 +190,7 @@ class Statuses extends BaseApi
public static function delete(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Bookmark.php View File

@ -35,7 +35,7 @@ class Bookmark extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Favourite.php View File

@ -35,7 +35,7 @@ class Favourite extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Mute.php View File

@ -34,7 +34,7 @@ class Mute extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Pin.php View File

@ -34,7 +34,7 @@ class Pin extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Reblog.php View File

@ -37,7 +37,7 @@ class Reblog extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Unbookmark.php View File

@ -35,7 +35,7 @@ class Unbookmark extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Unfavourite.php View File

@ -35,7 +35,7 @@ class Unfavourite extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Unmute.php View File

@ -34,7 +34,7 @@ class Unmute extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Unpin.php View File

@ -34,7 +34,7 @@ class Unpin extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Statuses/Unreblog.php View File

@ -37,7 +37,7 @@ class Unreblog extends BaseApi
{
public static function post(array $parameters = [])
{
self::login();
self::login(self::SCOPE_WRITE);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Suggestions.php View File

@ -37,7 +37,7 @@ class Suggestions extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
// Maximum number of results to return. Defaults to 40.


+ 1
- 1
src/Module/Api/Mastodon/Timelines/Home.php View File

@ -39,7 +39,7 @@ class Home extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
// Return results older than id


+ 1
- 1
src/Module/Api/Mastodon/Timelines/ListTimeline.php View File

@ -39,7 +39,7 @@ class ListTimeline extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['id'])) {


+ 1
- 1
src/Module/Api/Mastodon/Timelines/Tag.php View File

@ -40,7 +40,7 @@ class Tag extends BaseApi
*/
public static function rawContent(array $parameters = [])
{
self::login();
self::login(self::SCOPE_READ);
$uid = self::getCurrentUserID();
if (empty($parameters['hashtag'])) {


+ 1
- 1
src/Module/Api/Twitter/ContactEndpoint.php View File

@ -39,7 +39,7 @@ abstract class ContactEndpoint extends BaseApi
{
parent::init($parameters);
if (!self::login()) {
if (!self::login(self::SCOPE_READ)) {
throw new HTTPException\UnauthorizedException();
}
}


+ 28
- 4
src/Module/BaseApi.php View File

@ -35,6 +35,11 @@ require_once __DIR__ . '/../../include/api.php';
class BaseApi extends BaseModule
{
const SCOPE_READ = 'read';
const SCOPE_WRITE = 'write';
const SCOPE_FOLLOW = 'follow';
const SCOPE_PUSH = 'push';
/**
* @var string json|xml|rss|atom
*/
@ -175,6 +180,8 @@ class BaseApi extends BaseModule
*
* Simple Auth allow username in form of <pre>user@server</pre>, ignoring server part
*
* @param string $scope the requested scope (read, write, follow)
*
* @return bool Was a user authenticated?
* @throws HTTPException\ForbiddenException
* @throws HTTPException\UnauthorizedException
@ -186,7 +193,7 @@ class BaseApi extends BaseModule
* 'authenticated' => return status,
* 'user_record' => return authenticated user record
*/
protected static function login()
protected static function login(string $scope)
{
if (empty(self::$current_user_id)) {
self::$current_token = self::getTokenByBearer();
@ -197,6 +204,13 @@ class BaseApi extends BaseModule
}
}
if (!empty($scope) && !empty(self::$current_token)) {
if (empty(self::$current_token[$scope])) {
Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => self::$current_token]);
DI::mstdnError()->Forbidden();
}
}
if (empty(self::$current_user_id)) {
// The execution stops here if no one is logged in
api_login(DI::app());
@ -259,7 +273,7 @@ class BaseApi extends BaseModule
$bearer = trim(substr($authorization, 7));
$condition = ['access_token' => $bearer];
$token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow'], $condition);
$token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
if (!DBA::isResult($token)) {
Logger::warning('Token not found', $condition);
return [];
@ -332,8 +346,18 @@ class BaseApi extends BaseModule
$access_token = bin2hex(random_bytes(32));
$fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope,
'read' => (stripos($scope, 'read') !== false), 'write' => (stripos($scope, 'write') !== false),
'follow' => (stripos($scope, 'follow') !== false), 'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
'read' => (stripos($scope, self::SCOPE_READ) !== false),
'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
if ($fields[$scope] && !$application[$scope]) {
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
}
}
if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
return [];
}


+ 3
- 1
static/dbstructure.config.php View File

@ -55,7 +55,7 @@
use Friendica\Database\DBA;
if (!defined('DB_UPDATE_VERSION')) {
define('DB_UPDATE_VERSION', 1417);
define('DB_UPDATE_VERSION', 1418);
}
return [
@ -439,6 +439,7 @@ return [
"read" => ["type" => "boolean", "comment" => "Read scope"],
"write" => ["type" => "boolean", "comment" => "Write scope"],
"follow" => ["type" => "boolean", "comment" => "Follow scope"],
"push" => ["type" => "boolean", "comment" => "Push scope"],
],
"indexes" => [
"PRIMARY" => ["id"],
@ -457,6 +458,7 @@ return [
"read" => ["type" => "boolean", "comment" => "Read scope"],
"write" => ["type" => "boolean", "comment" => "Write scope"],
"follow" => ["type" => "boolean", "comment" => "Follow scope"],
"push" => ["type" => "boolean", "comment" => "Push scope"],
],
"indexes" => [
"PRIMARY" => ["application-id", "uid"],


+ 1
- 0
static/dbview.config.php View File

@ -53,6 +53,7 @@
"read" => ["application-token", "read"],
"write" => ["application-token", "write"],
"follow" => ["application-token", "follow"],
"push" => ["application-token", "push"],
],
"query" => "FROM `application-token`
INNER JOIN `application` ON `application-token`.`application-id` = `application`.`id`"


Loading…
Cancel
Save