Merge pull request #11106 from annando/issue-11101

Issue 11101: Fix API authentification
2021-12-17 09:09:15 +01:00 · 2021-12-17 09:09:15 +01:00 · 9f401a5952
parent 8ab1306067 0a3026abce
commit 9f401a5952
2 changed files with 19 additions and 12 deletions
--- a/src/Module/Api/Mastodon/Apps.php
+++ b/src/Module/Api/Mastodon/Apps.php
@ -26,12 +26,17 @@ use Friendica\Database\DBA;
 use Friendica\DI;
 use Friendica\Module\BaseApi;
 use Friendica\Util\Network;
 use Psr\Http\Message\ResponseInterface;
 /**
 * Apps class to register new OAuth clients
 */
 class Apps extends BaseApi
 {
 	public function run(array $request = [], bool $scopecheck = true): ResponseInterface
 	{
 		return parent::run($request, false);
 	}
 	/**
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 */
--- a/src/Module/BaseApi.php
+++ b/src/Module/BaseApi.php
@ -79,19 +79,21 @@ class BaseApi extends BaseModule
 	 *
 	 * @throws HTTPException\ForbiddenException
 	 */
-	public function run(array $request = []): ResponseInterface
+	public function run(array $request = [], bool $scopecheck = true): ResponseInterface
 	{
-		switch ($this->server['REQUEST_METHOD'] ?? Router::GET) {
+		if ($scopecheck) {
-			case Router::DELETE:
+			switch ($this->server['REQUEST_METHOD'] ?? Router::GET) {
-			case Router::PATCH:
+				case Router::DELETE:
-			case Router::POST:
+				case Router::PATCH:
-			case Router::PUT:
+				case Router::POST:
-				self::checkAllowedScope(self::SCOPE_WRITE);
+				case Router::PUT:
-
+					self::checkAllowedScope(self::SCOPE_WRITE);
-				if (!self::getCurrentUserID()) {
+	
-					throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
+					if (!self::getCurrentUserID()) {
-				}
+						throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
-				break;
+					}
 					break;
 			}	
 		}
 		return parent::run($request);