Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied.
This commit is contained in:
		
							
								
								
									
										10
									
								
								boot.php
									
									
									
									
									
								
							
							
						
						
									
										10
									
								
								boot.php
									
									
									
									
									
								
							| @@ -651,6 +651,7 @@ class App { | ||||
| 	public  $observer   = null;            // xchan record of the page observer | ||||
| 	public  $profile_uid = 0;              // If applicable, the channel_id of the "page owner" | ||||
| 	public  $poi        = null;            // "person of interest", generally a referenced connection | ||||
| 	private $oauth_key  = null;            // consumer_id of oauth request, if used | ||||
| 	public  $layout     = array();         // Comanche parsed template | ||||
| 	public  $pdl        = null; | ||||
| 	private $perms      = null;            // observer permissions | ||||
| @@ -934,6 +935,7 @@ class App { | ||||
| 		$this->observer = $xchan; | ||||
| 	} | ||||
|  | ||||
|  | ||||
| 	function get_observer() { | ||||
| 		return $this->observer; | ||||
| 	} | ||||
| @@ -946,6 +948,14 @@ class App { | ||||
| 		return $this->perms; | ||||
| 	} | ||||
|  | ||||
| 	function set_oauth_key($consumer_id) { | ||||
| 		$this->oauth_key = $consumer_id; | ||||
| 	} | ||||
|  | ||||
| 	function get_oauth_key() { | ||||
| 		return $this->oauth_key; | ||||
| 	} | ||||
|  | ||||
| 	function get_apps() { | ||||
| 		return $this->apps; | ||||
| 	} | ||||
|   | ||||
| @@ -78,11 +78,14 @@ require_once('include/items.php'); | ||||
| //			list($consumer,$token) = $oauth->verify_request(OAuthRequest::from_request()); | ||||
| 			if (!is_null($token)){ | ||||
| 				$oauth->loginUser($token->uid); | ||||
|  | ||||
| 				$a->set_oauth_key($consumer->key); | ||||
|  | ||||
| 				call_hooks('logged_in', $a->user); | ||||
| 				return; | ||||
| 			} | ||||
| 			echo __file__.__line__.__function__."<pre>";  | ||||
| 			var_dump($consumer, $token);  | ||||
| //			var_dump($consumer, $token);  | ||||
| 			die(); | ||||
| 		} | ||||
| 		catch(Exception $e) { | ||||
|   | ||||
| @@ -24,8 +24,10 @@ class FKOAuthDataStore extends OAuthDataStore { | ||||
| 			dbesc($consumer_key) | ||||
| 		); | ||||
|  | ||||
| 		if (count($r)) | ||||
| 		if($r) { | ||||
| 			get_app()->set_oauth_key($consumer_key); | ||||
| 			return new OAuthConsumer($r[0]['client_id'],$r[0]['pw'],$r[0]['redirect_uri']); | ||||
| 		} | ||||
| 		return null; | ||||
|   } | ||||
|  | ||||
| @@ -132,6 +134,7 @@ class FKOAuthDataStore extends OAuthDataStore { | ||||
| } | ||||
|  | ||||
| class FKOAuth1 extends OAuthServer { | ||||
|  | ||||
| 	function __construct() { | ||||
| 		parent::__construct(new FKOAuthDataStore()); | ||||
| 		$this->add_signature_method(new OAuthSignatureMethod_PLAINTEXT()); | ||||
|   | ||||
| @@ -65,6 +65,10 @@ function get_perms() { | ||||
|  */ | ||||
| function get_all_perms($uid, $observer_xchan, $internal_use = true) { | ||||
|  | ||||
| 	$api = get_app()->get_oauth_key(); | ||||
| 	if($api) | ||||
| 		return get_all_api_perms($uid,$api);	 | ||||
|  | ||||
| 	$global_perms = get_perms(); | ||||
|  | ||||
| 	// Save lots of individual lookups | ||||
| @@ -265,6 +269,10 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) { | ||||
|  */ | ||||
| function perm_is_allowed($uid, $observer_xchan, $permission) { | ||||
|  | ||||
| 	$api = get_app()->get_oauth_key(); | ||||
| 	if($api) | ||||
| 		return api_perm_is_allowed($uid,$api,$permission); | ||||
|  | ||||
| 	$arr = array( | ||||
| 		'channel_id'    => $uid, | ||||
| 		'observer_hash' => $observer_xchan, | ||||
| @@ -388,6 +396,82 @@ function perm_is_allowed($uid, $observer_xchan, $permission) { | ||||
| 	return false; | ||||
| } | ||||
|  | ||||
| function get_all_api_perms($uid,$api) {	 | ||||
|  | ||||
| 	$global_perms = get_perms(); | ||||
|  | ||||
| 	$ret = array(); | ||||
|  | ||||
| 	$r = q("select * from xperm where xp_client = '%s' and xp_channel = %d", | ||||
| 		dbesc($api), | ||||
| 		intval($uid) | ||||
| 	); | ||||
|  | ||||
| 	if(! $r) | ||||
| 		return false; | ||||
|  | ||||
| 	$allow_all = false; | ||||
| 	$allowed = array(); | ||||
| 	foreach($r as $rr) { | ||||
| 		if($rr['xp_perm'] === 'all') | ||||
| 			$allow_all = true; | ||||
| 		if(! in_array($rr['xp_perm'],$allowed)) | ||||
| 			$allowed[] = $rr['xp_perm']; | ||||
| 	} | ||||
|  | ||||
| 	foreach($global_perms as $perm_name => $permission) { | ||||
| 		if($allow_all || in_array($perm_name,$allowed)) | ||||
| 			$ret[$perm_name] = true; | ||||
| 		else | ||||
| 			$ret[$perm_name] = false; | ||||
|  | ||||
| 	} | ||||
|  | ||||
| 	$arr = array( | ||||
| 		'channel_id'    => $uid, | ||||
| 		'observer_hash' => $observer_xchan, | ||||
| 		'permissions'   => $ret); | ||||
|  | ||||
| 	call_hooks('get_all_api_perms',$arr); | ||||
|  | ||||
| 	return $arr['permissions']; | ||||
|  | ||||
| } | ||||
|  | ||||
|  | ||||
| function api_perm_is_allowed($uid,$api,$permission) { | ||||
|  | ||||
| 	$arr = array( | ||||
| 		'channel_id'    => $uid, | ||||
| 		'observer_hash' => $observer_xchan, | ||||
| 		'permission'    => $permission, | ||||
| 		'result'        => false | ||||
| 	); | ||||
|  | ||||
| 	call_hooks('api_perm_is_allowed', $arr); | ||||
| 	if($arr['result']) | ||||
| 		return true; | ||||
|  | ||||
| 	$r = q("select * from xperm where xp_client = '%s' and xp_channel = %d and ( xp_perm = 'all' OR xp_perm = '%s' )", | ||||
| 		dbesc($api), | ||||
| 		intval($uid), | ||||
| 		dbesc($permission) | ||||
| 	); | ||||
|  | ||||
| 	if(! $r) | ||||
| 		return false; | ||||
|  | ||||
| 	foreach($r as $rr) { | ||||
| 		if($rr['xp_perm'] === 'all' || $rr['xp_perm'] === $permission) | ||||
| 			return true; | ||||
|  | ||||
| 	} | ||||
|  | ||||
| 	return false; | ||||
|  | ||||
| } | ||||
|  | ||||
|  | ||||
|  | ||||
| // Check a simple array of observers against a permissions | ||||
| // return a simple array of those with permission | ||||
|   | ||||
| @@ -128,7 +128,7 @@ FO_statuses_update () { | ||||
|     $(OAuth_param 'status' "$2") | ||||
|     ) | ||||
|    | ||||
|   params[${#params[@]}]=$(OAuth_param 'source' "shred") | ||||
|   params[${#params[@]}]=$(OAuth_param 'source' "shredder") | ||||
|    | ||||
|   [[ "$3" != "" ]] && params[${#params[@]}]=$(OAuth_param 'in_reply_to_status_id' "$3") && local in_reply_to_status_id=( '--data-urlencode' "in_reply_to_status_id=$3" ) | ||||
|      | ||||
|   | ||||
		Reference in New Issue
	
	Block a user