From 3b859aa9ef01d065b40943f5a5701f35217b89f3 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sun, 17 May 2015 18:14:50 -0700
Subject: [PATCH] Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied.
---
 boot.php | 10 +++++
 include/api.php | 5 ++-
 include/oauth.php | 11 +++--
 include/permissions.php | 84 +++++++++++++++++++++++++++++++++++++
 util/shredder/ShredOAuth.sh | 2 +-
 5 files changed, 106 insertions(+), 6 deletions(-)
diff --git a/boot.php b/boot.php
index 8dcc3b56b..ad75a2d25 100755
--- a/boot.php
+++ b/boot.php
@@ -651,6 +651,7 @@ class App {
 public $observer = null; // xchan record of the page observer
 public $profile_uid = 0; // If applicable, the channel_id of the "page owner"
 public $poi = null; // "person of interest", generally a referenced connection
+ private $oauth_key = null; // consumer_id of oauth request, if used
 public $layout = array(); // Comanche parsed template
 public $pdl = null;
 private $perms = null; // observer permissions
@@ -934,6 +935,7 @@ class App {
 $this->observer = $xchan;
 }
+
 function get_observer() {
 return $this->observer;
 }
@@ -946,6 +948,14 @@ class App {
 return $this->perms;
 }
+ function set_oauth_key($consumer_id) {
+ $this->oauth_key = $consumer_id;
+ }
+
+ function get_oauth_key() {
+ return $this->oauth_key;
+ }
+
 function get_apps() {
 return $this->apps;
 }
diff --git a/include/api.php b/include/api.php
index 12247c183..788a84208 100644
--- a/include/api.php
+++ b/include/api.php
@@ -78,11 +78,14 @@ require_once('include/items.php');
 // list($consumer,$token) = $oauth->verify_request(OAuthRequest::from_request());
 if (!is_null($token)){
 $oauth->loginUser($token->uid);
+
+ $a->set_oauth_key($consumer->key);
+
 call_hooks('logged_in', $a->user);
 return;
 }
 echo __file__.__line__.__function__."
"; 
-			var_dump($consumer, $token); 
+//			var_dump($consumer, $token); 
 			die();
 		}
 		catch(Exception $e) {
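Review bot: Commenting out the `var_dump` leaves the `echo __file__.__line__.__function__...` and the `die()` live in the path taken when `verify_request` returns no token, so a request with a missing or invalid token still gets the server-side file path, line number and function name echoed back to the client. If the dump is no longer needed, delete the whole debug block rather than commenting part of it out, and let that path fall through to the same error handling the surrounding `catch(Exception $e)` provides. The enclosing try block and function begin before this hunk.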
diff --git a/include/oauth.php b/include/oauth.php
index 8eb8a83d8..ec754db95 100644
--- a/include/oauth.php
+++ b/include/oauth.php
@@ -20,19 +20,21 @@ class FKOAuthDataStore extends OAuthDataStore {
 		logger(__function__.":".$consumer_key);
 //      echo "
"; var_dump($consumer_key); killme();
 
-		$r = q("SELECT client_id, pw, redirect_uri FROM clients WHERE client_id='%s'",
+		$r = q("SELECT client_id, pw, redirect_uri FROM clients WHERE client_id = '%s'",
 			dbesc($consumer_key)
 		);
 
-		if (count($r))
+		if($r) {
+			get_app()->set_oauth_key($consumer_key);
 			return new OAuthConsumer($r[0]['client_id'],$r[0]['pw'],$r[0]['redirect_uri']);
+		}
 		return null;
   }
 
   function lookup_token($consumer, $token_type, $token) {
 		logger(__function__.":".$consumer.", ". $token_type.", ".$token);
 
-		$r = q("SELECT id, secret,scope, expires, uid  FROM tokens WHERE client_id='%s' AND scope='%s' AND id='%s'",
+		$r = q("SELECT id, secret, scope, expires, uid  FROM tokens WHERE client_id = '%s' AND scope = '%s' AND id = '%s'",
 			dbesc($consumer->key),
 			dbesc($token_type),
 			dbesc($token)
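Review bot: `get_app()->set_oauth_key($consumer_key);` in lookup_consumer records the consumer as soon as a matching `clients` row exists, and in the usual OAuthServer flow lookup_consumer runs before the token and request signature are checked, so a request that merely presents a known client_id with a bad signature appears to leave the App's oauth_key set for the rest of that request — and, per this patch's permissions.php changes, every later permission check would then consult xperm for that consumer. Since include/api.php in this patch already calls set_oauth_key after verify_request has succeeded, the call here looks redundant and should be removed, or moved to a point that is only reached after signature verification. The body of lookup_consumer starts before this hunk.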
@@ -51,7 +53,7 @@ class FKOAuthDataStore extends OAuthDataStore {
   function lookup_nonce($consumer, $token, $nonce, $timestamp) {
 //		echo __file__.":".__line__."
"; var_dump($consumer,$key); killme();
 
-		$r = q("SELECT id, secret  FROM tokens WHERE client_id='%s' AND id='%s' AND expires=%d",
+		$r = q("SELECT id, secret FROM tokens WHERE client_id = '%s' AND id = '%s' AND expires = %d",
 			dbesc($consumer->key),
 			dbesc($nonce),
 			intval($timestamp)
@@ -132,6 +134,7 @@ class FKOAuthDataStore extends OAuthDataStore {
 }
 
 class FKOAuth1 extends OAuthServer {
+
 	function __construct() {
 		parent::__construct(new FKOAuthDataStore());
 		$this->add_signature_method(new OAuthSignatureMethod_PLAINTEXT());
diff --git a/include/permissions.php b/include/permissions.php
index 68ff2b3d4..f63c6da18 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -65,6 +65,10 @@ function get_perms() {
  */
 function get_all_perms($uid, $observer_xchan, $internal_use = true) {
 
+	$api = get_app()->get_oauth_key();
+	if($api)
+		return get_all_api_perms($uid,$api);	
+
 	$global_perms = get_perms();
 
 	// Save lots of individual lookups
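Review bot: The early return passes only `$uid` and the consumer key to get_all_api_perms and discards `$observer_xchan`, yet get_all_api_perms (third hunk of this file) reads `$observer_xchan` into the hook array without defining it, so listeners on `get_all_api_perms` receive an undefined variable (null) as observer_hash; perm_is_allowed and api_perm_is_allowed in the next hunk have the same mismatch. Forward the observer instead: `return get_all_api_perms($uid, $api, $observer_xchan);` here and `return api_perm_is_allowed($uid, $api, $permission, $observer_xchan);` in perm_is_allowed, adding a trailing `$observer_xchan = ''` parameter to both new functions. The body of get_all_perms continues past this hunk.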
@@ -265,6 +269,10 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
  */
 function perm_is_allowed($uid, $observer_xchan, $permission) {
 
+	$api = get_app()->get_oauth_key();
+	if($api)
+		return api_perm_is_allowed($uid,$api,$permission);
+
 	$arr = array(
 		'channel_id'    => $uid,
 		'observer_hash' => $observer_xchan,
@@ -388,6 +396,82 @@ function perm_is_allowed($uid, $observer_xchan, $permission) {
 	return false;
 }
 
+function get_all_api_perms($uid,$api) {	
+
+	$global_perms = get_perms();
+
+	$ret = array();
+
+	$r = q("select * from xperm where xp_client = '%s' and xp_channel = %d",
+		dbesc($api),
+		intval($uid)
+	);
+
+	if(! $r)
+		return false;
+
+	$allow_all = false;
+	$allowed = array();
+	foreach($r as $rr) {
+		if($rr['xp_perm'] === 'all')
+			$allow_all = true;
+		if(! in_array($rr['xp_perm'],$allowed))
+			$allowed[] = $rr['xp_perm'];
+	}
+
+	foreach($global_perms as $perm_name => $permission) {
+		if($allow_all || in_array($perm_name,$allowed))
+			$ret[$perm_name] = true;
+		else
+			$ret[$perm_name] = false;
+
+	}
+
+	$arr = array(
+		'channel_id'    => $uid,
+		'observer_hash' => $observer_xchan,
+		'permissions'   => $ret);
+
+	call_hooks('get_all_api_perms',$arr);
+
+	return $arr['permissions'];
+
+}
+
+
+function api_perm_is_allowed($uid,$api,$permission) {
+
+	$arr = array(
+		'channel_id'    => $uid,
+		'observer_hash' => $observer_xchan,
+		'permission'    => $permission,
+		'result'        => false
+	);
+
+	call_hooks('api_perm_is_allowed', $arr);
+	if($arr['result'])
+		return true;
+
+	$r = q("select * from xperm where xp_client = '%s' and xp_channel = %d and ( xp_perm = 'all' OR xp_perm = '%s' )",
+		dbesc($api),
+		intval($uid),
+		dbesc($permission)
+	);
+
+	if(! $r)
+		return false;
+
+	foreach($r as $rr) {
+		if($rr['xp_perm'] === 'all' || $rr['xp_perm'] === $permission)
+			return true;
+
+	}
+
+	return false;
+
+}
+
+
 
 // Check a simple array of observers against a permissions
 // return a simple array of those with permission
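Review bot: `get_all_api_perms` returns `false` when the xperm query yields no rows (`if(! $r) return false;` right after the query), while get_all_perms, which now returns this value directly, otherwise produces an array keyed by permission name; callers that index or iterate the result will hit notices or warnings for a client with no grants, whereas a client whose grants are all explicitly absent would get a well-formed all-false array. The commit message defines a missing xp_perm row as denied, so express it that way: drop the early return and wrap the row loop as `if($r) { foreach($r as $rr) { ... } }`, letting the `$global_perms` loop below emit `false` for every permission and the hook still run. The redundant in-PHP filter in api_perm_is_allowed is harmless but could be reduced to `return (bool) $r;` since the query already restricts xp_perm to 'all' or the requested name.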
diff --git a/util/shredder/ShredOAuth.sh b/util/shredder/ShredOAuth.sh
index 9828124c7..f39d6f7c4 100755
--- a/util/shredder/ShredOAuth.sh
+++ b/util/shredder/ShredOAuth.sh
@@ -128,7 +128,7 @@ FO_statuses_update () {
     $(OAuth_param 'status' "$2")
     )
   
-  params[${#params[@]}]=$(OAuth_param 'source' "shred")
+  params[${#params[@]}]=$(OAuth_param 'source' "shredder")
   
   [[ "$3" != "" ]] && params[${#params[@]}]=$(OAuth_param 'in_reply_to_status_id' "$3") && local in_reply_to_status_id=( '--data-urlencode' "in_reply_to_status_id=$3" )