From 2dc60cfd3352e163edc222cfe0a804876ec87300 Mon Sep 17 00:00:00 2001
From: Philipp
Date: Sun, 28 Nov 2021 14:10:40 +0100
Subject: [PATCH] Make API call permission checks more reliable - don't need to inherit every Module method anymore
---
 src/Module/BaseApi.php | 51 +++++++++++++++++-------------------------
 1 file changed, 21 insertions(+), 30 deletions(-)
diff --git a/src/Module/BaseApi.php b/src/Module/BaseApi.php
index cd9cfb8f5..db5f191cf 100644
--- a/src/Module/BaseApi.php
+++ b/src/Module/BaseApi.php
@@ -22,6 +22,7 @@ namespace Friendica\Module;
 use Friendica\App;
+use Friendica\App\Router;
 use Friendica\BaseModule;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
@@ -36,6 +37,7 @@ use Friendica\Security\BasicAuth;
 use Friendica\Security\OAuth;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Psr\Http\Message\ResponseInterface;
 use Psr\Log\LoggerInterface;
 class BaseApi extends BaseModule
@@ -70,40 +72,29 @@ class BaseApi extends BaseModule
 $this->app = $app;
 }
- protected function delete(array $request = [])
+ /**
+ * Additionally checks, if the caller is permitted to do this action
+ *
+ * {@inheritDoc}
+ *
+ * @throws HTTPException\ForbiddenException
+ */
+ public function run(array $request = []): ResponseInterface
 {
- self::checkAllowedScope(self::SCOPE_WRITE);
+ switch ($this->server['REQUEST_METHOD'] ?? Router::GET) {
+ case Router::DELETE:
+ case Router::PATCH:
+ case Router::POST:
+ case Router::PUT:
+ self::checkAllowedScope(self::SCOPE_WRITE);
- if (!$this->app->isLoggedIn()) {
- throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
+ if (!$this->app->isLoggedIn()) {
+ throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
+ }
+ break;
 }
- }
- protected function patch(array $request = [])
- {
- self::checkAllowedScope(self::SCOPE_WRITE);
-
- if (!$this->app->isLoggedIn()) {
- throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
- }
- }
-
- protected function post(array $request = [])
- {
- self::checkAllowedScope(self::SCOPE_WRITE);
-
- if (!$this->app->isLoggedIn()) {
- throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
- }
- }
-
- public function put(array $request = [])
- {
- self::checkAllowedScope(self::SCOPE_WRITE);
-
- if (!$this->app->isLoggedIn()) {
- throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
- }
+ return parent::run($request);
 }
 /**
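Review bot: The write gate in the new `run()` fires only for the four verbs named in the `switch`; any other value of `$this->server['REQUEST_METHOD']` — absent (defaulted to `Router::GET`), differently cased, or a non-standard verb — reaches `parent::run()` with neither `checkAllowedScope(self::SCOPE_WRITE)` nor the `isLoggedIn()` check having run. That is harmless only if `BaseModule::run()` dispatches writes exclusively for exactly these verbs, which is outside the hunk and deserves a sentence in the docblock, e.g. `Only DELETE/PATCH/POST/PUT are gated here; every other method is treated as read-only, so BaseModule::run() must never route it to a writing handler.` A strict membership test also reads clearer than the loosely-comparing `switch` with stacked cases: `if (in_array($this->server['REQUEST_METHOD'] ?? Router::GET, [Router::DELETE, Router::PATCH, Router::POST, Router::PUT], true)) {` followed by the existing two checks. Since enforcement now lives in a single overridable method, a subclass that overrides `run()` without calling `parent::run()` skips it entirely, which is worth stating in the docblock too; the enclosing class starts and ends outside the hunk.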