From 42bd7918ad7172cdd3d2134d9be1478cd88a694d Mon Sep 17 00:00:00 2001 From: Michael Date: Thu, 18 Nov 2021 07:14:23 +0000 Subject: [PATCH] allow_api removed --- include/api.php | 21 --------------------- src/Security/BasicAuth.php | 10 ++-------- tests/legacy/ApiTest.php | 16 +--------------- 3 files changed, 3 insertions(+), 44 deletions(-) diff --git a/include/api.php b/include/api.php index 5f89b7ecf..20d77b754 100644 --- a/include/api.php +++ b/include/api.php @@ -73,27 +73,6 @@ define('API_LOG_PREFIX', 'API {action} - '); $API = []; $called_api = []; -/** - * Auth API user - * - * It is not sufficient to use local_user() to check whether someone is allowed to use the API, - * because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF - * into a page, and visitors will post something without noticing it). - */ -function api_user() -{ - $user = OAuth::getCurrentUserID(); - if (!empty($user)) { - return $user; - } - - if (!empty($_SESSION['allow_api'])) { - return local_user(); - } - - return false; -} - /** * Get source name from API client * diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php index d4c8bc6dc..52657057e 100644 --- a/src/Security/BasicAuth.php +++ b/src/Security/BasicAuth.php @@ -123,7 +123,6 @@ class BasicAuth private static function getUserIdByAuth(bool $do_login = true):int { $a = DI::app(); - Session::set('allow_api', false); self::$current_user_id = 0; // workaround for HTTP-auth in CGI mode @@ -187,15 +186,10 @@ class BasicAuth DI::auth()->setForUser($a, $record, false, false, $login_refresh); - Session::set('allow_api', true); - Hook::callAll('logged_in', $record); - if (Session::get('allow_api')) { - self::$current_user_id = local_user(); - } else { - self::$current_user_id = 0; - } + self::$current_user_id = local_user(); + return self::$current_user_id; } } diff --git a/tests/legacy/ApiTest.php b/tests/legacy/ApiTest.php index 34f3f6659..f4dda4c6b 100644 --- a/tests/legacy/ApiTest.php +++ b/tests/legacy/ApiTest.php @@ -110,7 +110,6 @@ class ApiTest extends FixtureTest // Most API require login so we force the session $_SESSION = [ - 'allow_api' => true, 'authenticated' => true, 'uid' => $this->selfUser['id'] ]; @@ -234,8 +233,7 @@ class ApiTest extends FixtureTest */ public function testApiUserWithUnallowedUser() { - $_SESSION = ['allow_api' => false]; - self::assertEquals(false, api_user()); + // self::assertEquals(false, api_user()); } /** @@ -715,7 +713,6 @@ class ApiTest extends FixtureTest /* $_SERVER['PHP_AUTH_USER'] = 'Test user'; $_SERVER['PHP_AUTH_PW'] = 'password'; - $_SESSION['allow_api'] = false; BasicAuth::setCurrentUserID(); self::assertFalse(api_get_user()); */ @@ -1432,7 +1429,6 @@ class ApiTest extends FixtureTest public function testApiSearchWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_search('json'); @@ -1489,7 +1485,6 @@ class ApiTest extends FixtureTest public function testApiStatusesHomeTimelineWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_statuses_home_timeline('json'); @@ -1561,7 +1556,6 @@ class ApiTest extends FixtureTest public function testApiStatusesPublicTimelineWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_statuses_public_timeline('json'); @@ -1616,7 +1610,6 @@ class ApiTest extends FixtureTest public function testApiStatusesNetworkpublicTimelineWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_statuses_networkpublic_timeline('json'); @@ -1680,7 +1673,6 @@ class ApiTest extends FixtureTest public function testApiStatusesShowWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_statuses_show('json'); @@ -1722,7 +1714,6 @@ class ApiTest extends FixtureTest public function testApiConversationShowWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_conversation_show('json'); @@ -1839,7 +1830,6 @@ class ApiTest extends FixtureTest public function testApiStatusesMentionsWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_statuses_mentions('json'); @@ -1907,7 +1897,6 @@ class ApiTest extends FixtureTest public function testApiStatusesUserTimelineWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_statuses_user_timeline('json'); @@ -2037,7 +2026,6 @@ class ApiTest extends FixtureTest public function testApiFavoritesWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_favorites('json'); @@ -2464,7 +2452,6 @@ class ApiTest extends FixtureTest public function testApiListsStatusesWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_lists_statuses('json'); @@ -2893,7 +2880,6 @@ class ApiTest extends FixtureTest public function testApiDirectMessagesBoxWithUnallowedUser() { $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); - $_SESSION['allow_api'] = false; $_GET['screen_name'] = $this->selfUser['nick']; BasicAuth::setCurrentUserID(); api_direct_messages_box('json', 'sentbox', 'false');