Removed forbidden - crashing the tests again

Michael 2021-11-18 07:25:16 +00:00
parent 42bd7918ad
commit 5a5110d45a
1 changed files with 19 additions and 100 deletions


@ -518,9 +518,6 @@ function api_item_get_user(App $a, $item)
*/ */
function api_account_verify_credentials($type) function api_account_verify_credentials($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
unset($_REQUEST["user_id"]); unset($_REQUEST["user_id"]);
@ -587,10 +584,6 @@ function api_statuses_mediap($type)
{ {
$a = DI::app(); $a = DI::app();
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -643,10 +636,6 @@ function api_statuses_update($type)
{ {
$a = DI::app(); $a = DI::app();
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
// convert $_POST array items to the form we use for web posts. // convert $_POST array items to the form we use for web posts.
@ -825,10 +814,6 @@ function api_media_upload()
{ {
$a = DI::app(); $a = DI::app();
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
if (empty($_FILES['media'])) { if (empty($_FILES['media'])) {
@ -1108,9 +1093,6 @@ api_register_func('api/users/lookup', 'api_users_lookup', true);
*/ */
function api_search($type) function api_search($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1140,7 +1122,7 @@ function api_search($type)
$params = ['order' => ['id' => true], 'limit' => [$start, $count]]; $params = ['order' => ['id' => true], 'limit' => [$start, $count]];
if (preg_match('/^#(\w+)$/', $searchTerm, $matches) === 1 && isset($matches[1])) { if (preg_match('/^#(\w+)$/', $searchTerm, $matches) === 1 && isset($matches[1])) {
$searchTerm = $matches[1]; $searchTerm = $matches[1];
$condition = ["`iid` > ? AND `name` = ? AND (NOT `private` OR (`private` AND `uid` = ?))", $since_id, $searchTerm, local_user()]; $condition = ["`iid` > ? AND `name` = ? AND (NOT `private` OR (`private` AND `uid` = ?))", $since_id, $searchTerm, BaseApi::getCurrentUserID()];
$tags = DBA::select('tag-search-view', ['uri-id'], $condition); $tags = DBA::select('tag-search-view', ['uri-id'], $condition);
$uriids = []; $uriids = [];
while ($tag = DBA::fetch($tags)) { while ($tag = DBA::fetch($tags)) {
@ -1215,9 +1197,6 @@ api_register_func('api/search', 'api_search', true);
*/ */
function api_statuses_home_timeline($type) function api_statuses_home_timeline($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1309,9 +1288,6 @@ api_register_func('api/statuses/friends_timeline', 'api_statuses_home_timeline',
*/ */
function api_statuses_public_timeline($type) function api_statuses_public_timeline($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1392,9 +1368,6 @@ api_register_func('api/statuses/public_timeline', 'api_statuses_public_timeline'
*/ */
function api_statuses_networkpublic_timeline($type) function api_statuses_networkpublic_timeline($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1453,9 +1426,6 @@ api_register_func('api/statuses/networkpublic_timeline', 'api_statuses_networkpu
*/ */
function api_statuses_show($type) function api_statuses_show($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1532,9 +1502,6 @@ api_register_func('api/statuses/show', 'api_statuses_show', true);
*/ */
function api_conversation_show($type) function api_conversation_show($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1616,10 +1583,6 @@ function api_statuses_repeat($type)
$a = DI::app(); $a = DI::app();
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
// params // params
@ -1641,7 +1604,7 @@ function api_statuses_repeat($type)
if (DBA::isResult($item) && !empty($item['body'])) { if (DBA::isResult($item) && !empty($item['body'])) {
if (in_array($item['network'], [Protocol::ACTIVITYPUB, Protocol::DFRN, Protocol::TWITTER])) { if (in_array($item['network'], [Protocol::ACTIVITYPUB, Protocol::DFRN, Protocol::TWITTER])) {
if (!Item::performActivity($id, 'announce', local_user())) { if (!Item::performActivity($id, 'announce', BaseApi::getCurrentUserID())) {
throw new InternalServerErrorException(); throw new InternalServerErrorException();
} }
@ -1697,10 +1660,6 @@ api_register_func('api/statuses/retweet', 'api_statuses_repeat', true, API_METHO
*/ */
function api_statuses_destroy($type) function api_statuses_destroy($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
// params // params
@ -1742,9 +1701,6 @@ api_register_func('api/statuses/destroy', 'api_statuses_destroy', true, API_METH
*/ */
function api_statuses_mentions($type) function api_statuses_mentions($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1820,9 +1776,6 @@ api_register_func('api/statuses/replies', 'api_statuses_mentions', true);
*/ */
function api_statuses_user_timeline($type) function api_statuses_user_timeline($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -1899,10 +1852,6 @@ api_register_func('api/statuses/user_timeline', 'api_statuses_user_timeline', tr
*/ */
function api_favorites_create_destroy($type) function api_favorites_create_destroy($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
// for versioned api. // for versioned api.
@ -1981,9 +1930,6 @@ function api_favorites($type)
{ {
global $called_api; global $called_api;
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -2757,9 +2703,6 @@ api_register_func('api/lists/subscriptions', 'api_lists_list', true);
*/ */
function api_lists_ownerships($type) function api_lists_ownerships($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
// params // params
@ -2805,9 +2748,6 @@ api_register_func('api/lists/ownerships', 'api_lists_ownerships', true);
*/ */
function api_lists_statuses($type) function api_lists_statuses($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
$user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray(); $user_info = DI::twitterUser()->createFromUserId(BaseApi::getCurrentUserID())->toArray();
@ -3068,16 +3008,9 @@ api_register_func('api/friendships/incoming', 'api_friendships_incoming', true);
*/ */
function api_direct_messages_new($type) function api_direct_messages_new($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
$uid = BaseApi::getCurrentUserID(); $uid = BaseApi::getCurrentUserID();
if (empty($uid)) {
throw new ForbiddenException();
}
if (empty($_POST["text"]) || empty($_POST["screen_name"]) && empty($_POST["user_id"])) { if (empty($_POST["text"]) || empty($_POST["screen_name"]) && empty($_POST["user_id"])) {
return; return;
@ -3154,10 +3087,6 @@ api_register_func('api/direct_messages/new', 'api_direct_messages_new', true, AP
*/ */
function api_direct_messages_destroy($type) function api_direct_messages_destroy($type)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE); BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
// params // params
@ -3227,12 +3156,9 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
*/ */
function api_friendships_destroy($type) function api_friendships_destroy($type)
{ {
BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
$uid = BaseApi::getCurrentUserID(); $uid = BaseApi::getCurrentUserID();
if ($uid === false) {
throw new HTTPException\ForbiddenException();
}
$owner = User::getOwnerDataById($uid); $owner = User::getOwnerDataById($uid);
if (!$owner) { if (!$owner) {
Logger::notice(API_LOG_PREFIX . 'No owner {uid} found', ['module' => 'api', 'action' => 'friendships_destroy', 'uid' => $uid]); Logger::notice(API_LOG_PREFIX . 'No owner {uid} found', ['module' => 'api', 'action' => 'friendships_destroy', 'uid' => $uid]);
@ -3309,9 +3235,6 @@ api_register_func('api/friendships/destroy', 'api_friendships_destroy', true, AP
*/ */
function api_direct_messages_box($type, $box, $verbose) function api_direct_messages_box($type, $box, $verbose)
{ {
if (empty(BaseApi::getCurrentUserID())) {
throw new ForbiddenException();
}
BaseApi::checkAllowedScope(BaseApi::SCOPE_READ); BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
// params // params
@ -3477,14 +3400,13 @@ api_register_func('api/direct_messages', 'api_direct_messages_inbox', true);
*/ */
function api_fr_photos_list($type) function api_fr_photos_list($type)
{ {
if (empty(BaseApi::getCurrentUserID())) { BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
throw new ForbiddenException();
}
$r = DBA::toArray(DBA::p( $r = DBA::toArray(DBA::p(
"SELECT `resource-id`, MAX(scale) AS `scale`, `album`, `filename`, `type`, MAX(`created`) AS `created`, "SELECT `resource-id`, MAX(scale) AS `scale`, `album`, `filename`, `type`, MAX(`created`) AS `created`,
MAX(`edited`) AS `edited`, MAX(`desc`) AS `desc` FROM `photo` MAX(`edited`) AS `edited`, MAX(`desc`) AS `desc` FROM `photo`
WHERE `uid` = ? AND NOT `photo-type` IN (?, ?) GROUP BY `resource-id`, `album`, `filename`, `type`", WHERE `uid` = ? AND NOT `photo-type` IN (?, ?) GROUP BY `resource-id`, `album`, `filename`, `type`",
local_user(), Photo::CONTACT_AVATAR, Photo::CONTACT_BANNER BaseApi::getCurrentUserID(), Photo::CONTACT_AVATAR, Photo::CONTACT_BANNER
)); ));
$typetoext = [ $typetoext = [
'image/jpeg' => 'jpg', 'image/jpeg' => 'jpg',
@ -3528,9 +3450,8 @@ function api_fr_photos_list($type)
*/ */
function api_fr_photo_create_update($type) function api_fr_photo_create_update($type)
{ {
if (empty(BaseApi::getCurrentUserID())) { BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
throw new ForbiddenException();
}
// input params // input params
$photo_id = $_REQUEST['photo_id'] ?? null; $photo_id = $_REQUEST['photo_id'] ?? null;
$desc = $_REQUEST['desc'] ?? null; $desc = $_REQUEST['desc'] ?? null;
@ -3666,9 +3587,8 @@ function api_fr_photo_create_update($type)
*/ */
function api_fr_photo_detail($type) function api_fr_photo_detail($type)
{ {
if (empty(BaseApi::getCurrentUserID())) { BaseApi::checkAllowedScope(BaseApi::SCOPE_READ);
throw new ForbiddenException();
}
if (empty($_REQUEST['photo_id'])) { if (empty($_REQUEST['photo_id'])) {
throw new BadRequestException("No photo id."); throw new BadRequestException("No photo id.");
} }
@ -3698,9 +3618,8 @@ function api_fr_photo_detail($type)
*/ */
function api_account_update_profile_image($type) function api_account_update_profile_image($type)
{ {
if (empty(BaseApi::getCurrentUserID())) { BaseApi::checkAllowedScope(BaseApi::SCOPE_WRITE);
throw new ForbiddenException();
}
// input params // input params
$profile_id = $_REQUEST['profile_id'] ?? 0; $profile_id = $_REQUEST['profile_id'] ?? 0;
@ -3941,13 +3860,13 @@ function save_media_to_database($mediatype, $media, $type, $album, $allow_cid, $
// upload normal image (scales 0, 1, 2) // upload normal image (scales 0, 1, 2)
logger::info("photo upload: starting new photo upload"); logger::info("photo upload: starting new photo upload");
$r = Photo::store($Image, local_user(), $visitor, $resource_id, $filename, $album, 0, Photo::DEFAULT, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc); $r = Photo::store($Image, BaseApi::getCurrentUserID(), $visitor, $resource_id, $filename, $album, 0, Photo::DEFAULT, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc);
if (!$r) { if (!$r) {
logger::notice("photo upload: image upload with scale 0 (original size) failed"); logger::notice("photo upload: image upload with scale 0 (original size) failed");
} }
if ($width > 640 || $height > 640) { if ($width > 640 || $height > 640) {
$Image->scaleDown(640); $Image->scaleDown(640);
$r = Photo::store($Image, local_user(), $visitor, $resource_id, $filename, $album, 1, Photo::DEFAULT, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc); $r = Photo::store($Image, BaseApi::getCurrentUserID(), $visitor, $resource_id, $filename, $album, 1, Photo::DEFAULT, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc);
if (!$r) { if (!$r) {
logger::notice("photo upload: image upload with scale 1 (640x640) failed"); logger::notice("photo upload: image upload with scale 1 (640x640) failed");
} }
@ -3955,7 +3874,7 @@ function save_media_to_database($mediatype, $media, $type, $album, $allow_cid, $
if ($width > 320 || $height > 320) { if ($width > 320 || $height > 320) {
$Image->scaleDown(320); $Image->scaleDown(320);
$r = Photo::store($Image, local_user(), $visitor, $resource_id, $filename, $album, 2, Photo::DEFAULT, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc); $r = Photo::store($Image, BaseApi::getCurrentUserID(), $visitor, $resource_id, $filename, $album, 2, Photo::DEFAULT, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc);
if (!$r) { if (!$r) {
logger::notice("photo upload: image upload with scale 2 (320x320) failed"); logger::notice("photo upload: image upload with scale 2 (320x320) failed");
} }
@ -3967,7 +3886,7 @@ function save_media_to_database($mediatype, $media, $type, $album, $allow_cid, $
if ($width > 300 || $height > 300) { if ($width > 300 || $height > 300) {
$Image->scaleDown(300); $Image->scaleDown(300);
$r = Photo::store($Image, local_user(), $visitor, $resource_id, $filename, $album, 4, $phototype, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc); $r = Photo::store($Image, BaseApi::getCurrentUserID(), $visitor, $resource_id, $filename, $album, 4, $phototype, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc);
if (!$r) { if (!$r) {
logger::notice("photo upload: profile image upload with scale 4 (300x300) failed"); logger::notice("photo upload: profile image upload with scale 4 (300x300) failed");
} }
@ -3975,7 +3894,7 @@ function save_media_to_database($mediatype, $media, $type, $album, $allow_cid, $
if ($width > 80 || $height > 80) { if ($width > 80 || $height > 80) {
$Image->scaleDown(80); $Image->scaleDown(80);
$r = Photo::store($Image, local_user(), $visitor, $resource_id, $filename, $album, 5, $phototype, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc); $r = Photo::store($Image, BaseApi::getCurrentUserID(), $visitor, $resource_id, $filename, $album, 5, $phototype, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc);
if (!$r) { if (!$r) {
logger::notice("photo upload: profile image upload with scale 5 (80x80) failed"); logger::notice("photo upload: profile image upload with scale 5 (80x80) failed");
} }
@ -3983,7 +3902,7 @@ function save_media_to_database($mediatype, $media, $type, $album, $allow_cid, $
if ($width > 48 || $height > 48) { if ($width > 48 || $height > 48) {
$Image->scaleDown(48); $Image->scaleDown(48);
$r = Photo::store($Image, local_user(), $visitor, $resource_id, $filename, $album, 6, $phototype, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc); $r = Photo::store($Image, BaseApi::getCurrentUserID(), $visitor, $resource_id, $filename, $album, 6, $phototype, $allow_cid, $allow_gid, $deny_cid, $deny_gid, $desc);
if (!$r) { if (!$r) {
logger::notice("photo upload: profile image upload with scale 6 (48x48) failed"); logger::notice("photo upload: profile image upload with scale 6 (48x48) failed");
} }
@ -4090,7 +4009,7 @@ function prepare_photo_data($type, $scale, $photo_id)
FROM `photo` WHERE `uid` = ? AND `resource-id` = ? $scale_sql GROUP BY FROM `photo` WHERE `uid` = ? AND `resource-id` = ? $scale_sql GROUP BY
`resource-id`, `created`, `edited`, `title`, `desc`, `album`, `filename`, `resource-id`, `created`, `edited`, `title`, `desc`, `album`, `filename`,
`type`, `height`, `width`, `datasize`, `profile`, `allow_cid`, `deny_cid`, `allow_gid`, `deny_gid`", `type`, `height`, `width`, `datasize`, `profile`, `allow_cid`, `deny_cid`, `allow_gid`, `deny_gid`",
local_user(), BaseApi::getCurrentUserID(),
$photo_id $photo_id
)); ));
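Review bot: After this change every endpoint in the file relies on `BaseApi::checkAllowedScope()` alone to refuse unauthenticated callers, and nothing in the diff shows that method rejecting a request with no current user; if it only validates the scopes of a token that happens to be present, `BaseApi::getCurrentUserID()` can still be empty and is fed straight into `WHERE uid = ?` in api_fr_photos_list (the hunk at -3477) and prepare_photo_data, into `Photo::store()` in save_media_to_database, and into `Item::performActivity()` in api_statuses_repeat. Presumably the guard was moved into BaseApi so the tests stop tripping on it, but that contract should be pinned rather than implied: either a PHPUnit test that calls one READ and one WRITE endpoint without a session and expects `ForbiddenException`, or at least a comment at the first call site such as `// checkAllowedScope() throws ForbiddenException when no user/token is authenticated, so getCurrentUserID() is non-empty from here on`. api_direct_messages_new still assigns `$uid = BaseApi::getCurrentUserID();` directly after the scope check and now uses it without the removed `empty($uid)` test, so it is the cheapest place to notice if that assumption does not hold. All of these function bodies extend past the hunks shown, so any later code that branches on a falsy uid is not visible here.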