Fix for #2635: use ssl-sometimes settings for Twitter settings & auth pages

2010-09-02 10:40:41 -07:00 · 2010-09-02 10:40:41 -07:00 · 4cbbfdab84
commit 4cbbfdab84
parent 8f06e3b281
2 changed files with 26 additions and 2 deletions
--- a/lib/util.php
+++ b/lib/util.php
@ -1018,8 +1018,7 @@ function common_local_url($action, $args=null, $params=null, $fragment=null, $ad
 function common_is_sensitive($action)
 {
-    static $sensitive = array('login', 'register', 'passwordsettings',
+    static $sensitive = array('login', 'register', 'passwordsettings', 'api');
                              'twittersettings', 'api');
    $ssl = null;
    if (Event::handle('SensitiveAction', array($action, &$ssl))) {
--- a/plugins/TwitterBridge/TwitterBridgePlugin.php
+++ b/plugins/TwitterBridge/TwitterBridgePlugin.php
@ -335,5 +335,30 @@ class TwitterBridgePlugin extends Plugin
        return (bool)$this->adminImportControl;
    }
    /**
     * When the site is set to ssl=sometimes mode, we should make sure our
     * various auth-related pages are on SSL to keep things looking happy.
     * Although we're not submitting passwords directly, we do link out to
     * an authentication source and it's a lot happier if we've got some
     * protection against MitM.
     *
     * @param string $action name
     * @param boolean $ssl outval to force SSL
     * @return mixed hook return value
     */
    function onSensitiveAction($action, &$ssl)
    {
        $sensitive = array('twitteradminpanel',
                           'twittersettings',
                           'twitterauthorization',
                           'twitterlogin');
        if (in_array($action, $sensitive)) {
            $ssl = true;
            return false;
        } else {
            return true;
        }
    }
 }