EndSetApiUser will always contain a User

2015-02-13 01:19:59 +01:00 · 2015-02-13 01:19:59 +01:00 · a063bb43a8
commit a063bb43a8
parent 69e04e5cbd
2 changed files with 26 additions and 22 deletions
--- a/EVENTS.txt
+++ b/EVENTS.txt
@ -627,10 +627,10 @@ EndSetUser: After setting the currently logged in user
 - $user: user

 StartSetApiUser: Before setting the current API user
- $user: user
+- &$user: user, can be set during event handling (return false to stop processing)

 EndSetApiUser: After setting the current API user
- $user: user
+- $user: user, only called if this is an actual user

 StartHasRole: Before determing if the a profile has a given role
 - $profile: profile in question
--- a/lib/apiauthaction.php
+++ b/lib/apiauthaction.php
@ -212,20 +212,24 @@ class ApiAuthAction extends ApiAction
                    // Set the auth user
                    if (Event::handle('StartSetApiUser', array(&$user))) {
                        $user = User::getKV('id', $appUser->profile_id);
-                        if (!empty($user)) {
+                    }
+                    if ($user instanceof User) {
                        if (!$user->hasRight(Right::API)) {
                            // TRANS: Authorization exception thrown when a user without API access tries to access the API.
                            throw new AuthorizationException(_('Not allowed to use API.'));
                        }
-                        }
                        $this->auth_user = $user;
+                        Event::handle('EndSetApiUser', array($this->auth_user));
+                    } else {
+                        // If $user is not a real User, let's force it to null.
+                        $this->auth_user = null;
+                    }
+
                    // FIXME: setting the value returned by common_current_user()
                    // There should probably be a better method for this. common_set_user()
                    // does lots of session stuff.
                    global $_cur;
                    $_cur = $this->auth_user;
-                        Event::handle('EndSetApiUser', array($user));
-                    }

                    $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
                        "application '%s' (id: %d) with %s access.";
@ -297,17 +301,17 @@ class ApiAuthAction extends ApiAction
            $user = common_check_user($this->auth_user_nickname,
                                      $this->auth_user_password);

-            if (Event::handle('StartSetApiUser', array(&$user))) {
-
+            Event::handle('StartSetApiUser', array(&$user));
            if ($user instanceof User) {
                if (!$user->hasRight(Right::API)) {
                    // TRANS: Authorization exception thrown when a user without API access tries to access the API.
                    throw new AuthorizationException(_('Not allowed to use API.'));
                }
                $this->auth_user = $user;
-                }

-                Event::handle('EndSetApiUser', array($user));
+                Event::handle('EndSetApiUser', array($this->auth_user));
+            } else {
+                $this->auth_user = null;
            }

            // By default, basic auth users have rw access