strk/friendica
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

allow_api removed

Browse source
This commit is contained in:
Michael 2021-11-18 07:14:23 +00:00
parent 98b68b47f0
commit 42bd7918ad
3 changed files with 3 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
include/api.php
View file

@ -73,27 +73,6 @@ define('API_LOG_PREFIX', 'API {action} - ');
$API = []; $API = [];
$called_api = []; $called_api = [];
/**
* Auth API user
*
* It is not sufficient to use local_user() to check whether someone is allowed to use the API,
* because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF
* into a page, and visitors will post something without noticing it).
*/
function api_user()
{
$user = OAuth::getCurrentUserID();
if (!empty($user)) {
return $user;
}
if (!empty($_SESSION['allow_api'])) {
return local_user();
}
return false;
}
/** /**
* Get source name from API client * Get source name from API client
* *

10
src/Security/BasicAuth.php
View file

@ -123,7 +123,6 @@ class BasicAuth
private static function getUserIdByAuth(bool $do_login = true):int private static function getUserIdByAuth(bool $do_login = true):int
{ {
$a = DI::app(); $a = DI::app();
Session::set('allow_api', false);
self::$current_user_id = 0; self::$current_user_id = 0;
// workaround for HTTP-auth in CGI mode // workaround for HTTP-auth in CGI mode
@ -187,15 +186,10 @@ class BasicAuth
DI::auth()->setForUser($a, $record, false, false, $login_refresh); DI::auth()->setForUser($a, $record, false, false, $login_refresh);
Session::set('allow_api', true);
Hook::callAll('logged_in', $record); Hook::callAll('logged_in', $record);
if (Session::get('allow_api')) { self::$current_user_id = local_user();
self::$current_user_id = local_user();
} else {
self::$current_user_id = 0;
}
return self::$current_user_id; return self::$current_user_id;
} }
} }

16
tests/legacy/ApiTest.php
View file

@ -110,7 +110,6 @@ class ApiTest extends FixtureTest
// Most API require login so we force the session // Most API require login so we force the session
$_SESSION = [ $_SESSION = [
'allow_api' => true,
'authenticated' => true, 'authenticated' => true,
'uid' => $this->selfUser['id'] 'uid' => $this->selfUser['id']
]; ];
@ -234,8 +233,7 @@ class ApiTest extends FixtureTest
*/ */
public function testApiUserWithUnallowedUser() public function testApiUserWithUnallowedUser()
{ {
$_SESSION = ['allow_api' => false]; // self::assertEquals(false, api_user());
self::assertEquals(false, api_user());
} }
/** /**
@ -715,7 +713,6 @@ class ApiTest extends FixtureTest
/* /*
$_SERVER['PHP_AUTH_USER'] = 'Test user'; $_SERVER['PHP_AUTH_USER'] = 'Test user';
$_SERVER['PHP_AUTH_PW'] = 'password'; $_SERVER['PHP_AUTH_PW'] = 'password';
$_SESSION['allow_api'] = false;
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
self::assertFalse(api_get_user()); self::assertFalse(api_get_user());
*/ */
@ -1432,7 +1429,6 @@ class ApiTest extends FixtureTest
public function testApiSearchWithUnallowedUser() public function testApiSearchWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_search('json'); api_search('json');
@ -1489,7 +1485,6 @@ class ApiTest extends FixtureTest
public function testApiStatusesHomeTimelineWithUnallowedUser() public function testApiStatusesHomeTimelineWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_statuses_home_timeline('json'); api_statuses_home_timeline('json');
@ -1561,7 +1556,6 @@ class ApiTest extends FixtureTest
public function testApiStatusesPublicTimelineWithUnallowedUser() public function testApiStatusesPublicTimelineWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_statuses_public_timeline('json'); api_statuses_public_timeline('json');
@ -1616,7 +1610,6 @@ class ApiTest extends FixtureTest
public function testApiStatusesNetworkpublicTimelineWithUnallowedUser() public function testApiStatusesNetworkpublicTimelineWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_statuses_networkpublic_timeline('json'); api_statuses_networkpublic_timeline('json');
@ -1680,7 +1673,6 @@ class ApiTest extends FixtureTest
public function testApiStatusesShowWithUnallowedUser() public function testApiStatusesShowWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_statuses_show('json'); api_statuses_show('json');
@ -1722,7 +1714,6 @@ class ApiTest extends FixtureTest
public function testApiConversationShowWithUnallowedUser() public function testApiConversationShowWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_conversation_show('json'); api_conversation_show('json');
@ -1839,7 +1830,6 @@ class ApiTest extends FixtureTest
public function testApiStatusesMentionsWithUnallowedUser() public function testApiStatusesMentionsWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_statuses_mentions('json'); api_statuses_mentions('json');
@ -1907,7 +1897,6 @@ class ApiTest extends FixtureTest
public function testApiStatusesUserTimelineWithUnallowedUser() public function testApiStatusesUserTimelineWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_statuses_user_timeline('json'); api_statuses_user_timeline('json');
@ -2037,7 +2026,6 @@ class ApiTest extends FixtureTest
public function testApiFavoritesWithUnallowedUser() public function testApiFavoritesWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_favorites('json'); api_favorites('json');
@ -2464,7 +2452,6 @@ class ApiTest extends FixtureTest
public function testApiListsStatusesWithUnallowedUser() public function testApiListsStatusesWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_lists_statuses('json'); api_lists_statuses('json');
@ -2893,7 +2880,6 @@ class ApiTest extends FixtureTest
public function testApiDirectMessagesBoxWithUnallowedUser() public function testApiDirectMessagesBoxWithUnallowedUser()
{ {
$this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class); $this->expectException(\Friendica\Network\HTTPException\ForbiddenException::class);
$_SESSION['allow_api'] = false;
$_GET['screen_name'] = $this->selfUser['nick']; $_GET['screen_name'] = $this->selfUser['nick'];
BasicAuth::setCurrentUserID(); BasicAuth::setCurrentUserID();
api_direct_messages_box('json', 'sentbox', 'false'); api_direct_messages_box('json', 'sentbox', 'false');