Make API call permission checks more reliable

- don't need to inherit every Module method anymore
This commit is contained in:
Philipp 2021-11-28 14:10:40 +01:00 committed by Hypolite Petovan
parent 9cec38f916
commit 2dc60cfd33

View file

@ -22,6 +22,7 @@
namespace Friendica\Module; namespace Friendica\Module;
use Friendica\App; use Friendica\App;
use Friendica\App\Router;
use Friendica\BaseModule; use Friendica\BaseModule;
use Friendica\Core\L10n; use Friendica\Core\L10n;
use Friendica\Core\Logger; use Friendica\Core\Logger;
@ -36,6 +37,7 @@ use Friendica\Security\BasicAuth;
use Friendica\Security\OAuth; use Friendica\Security\OAuth;
use Friendica\Util\DateTimeFormat; use Friendica\Util\DateTimeFormat;
use Friendica\Util\Profiler; use Friendica\Util\Profiler;
use Psr\Http\Message\ResponseInterface;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
class BaseApi extends BaseModule class BaseApi extends BaseModule
@ -70,40 +72,29 @@ class BaseApi extends BaseModule
$this->app = $app; $this->app = $app;
} }
protected function delete(array $request = []) /**
* Additionally checks, if the caller is permitted to do this action
*
* {@inheritDoc}
*
* @throws HTTPException\ForbiddenException
*/
public function run(array $request = []): ResponseInterface
{ {
switch ($this->server['REQUEST_METHOD'] ?? Router::GET) {
case Router::DELETE:
case Router::PATCH:
case Router::POST:
case Router::PUT:
self::checkAllowedScope(self::SCOPE_WRITE); self::checkAllowedScope(self::SCOPE_WRITE);
if (!$this->app->isLoggedIn()) { if (!$this->app->isLoggedIn()) {
throw new HTTPException\ForbiddenException($this->t('Permission denied.')); throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
} }
break;
} }
protected function patch(array $request = []) return parent::run($request);
{
self::checkAllowedScope(self::SCOPE_WRITE);
if (!$this->app->isLoggedIn()) {
throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
}
}
protected function post(array $request = [])
{
self::checkAllowedScope(self::SCOPE_WRITE);
if (!$this->app->isLoggedIn()) {
throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
}
}
public function put(array $request = [])
{
self::checkAllowedScope(self::SCOPE_WRITE);
if (!$this->app->isLoggedIn()) {
throw new HTTPException\ForbiddenException($this->t('Permission denied.'));
}
} }
/** /**