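// ---------------------------------------------------------------------------
// API2 request authentication: identify the calling application and, when a
// user token is supplied, the acting user.  Populates on $app:
//   'apiApp'                 the API2 application record, or null
//   'apiAppLoadedBySecret'   true only when 'apiApp' is set AND the application
//                            was located by token + secret (i.e. it proved
//                            possession of its secret); never true while
//                            'apiApp' is null
//   'apiUserToken'           the user token record matched for that app, or null
//   'apiUser'                the user account behind that token, or null
//   'currentUserPermissions' permissions for that user in $app['currentSite']
// $data is assumed to be the merged request parameters — confirm against the
// caller that defines it.
// ---------------------------------------------------------------------------
$app['apiApp'] = null;
$app['apiAppLoadedBySecret'] = false;
$app['apiUser'] = null;
$app['apiUserToken'] = null;

// Read a request parameter as a string. Missing keys and non-string values
// (e.g. ?app_token[]=x) become '' instead of raising undefined-index warnings
// or handing an array to the repository lookups.
$stringParam = function ($key) use ($data) {
    return isset($data[$key]) && is_string($data[$key]) ? $data[$key] : '';
};
$appToken = $stringParam('app_token');
$appSecret = $stringParam('app_secret');
$userTokenValue = $stringParam('user_token');
$userSecretValue = $stringParam('user_secret');

$appRepo = new API2ApplicationRepository();
// A secret was supplied: the lookup must match token AND secret. With no
// secret the app is located by public token only and must be treated as
// unauthenticated by anything that hands out credentials.
$loadedBySecret = ($appSecret !== '');
if ($loadedBySecret) {
    $apiapp = $appRepo->loadByAppTokenAndAppSecret($appToken, $appSecret);
} else {
    $apiapp = $appRepo->loadByAppToken($appToken);
}

if ($apiapp && !$apiapp->getIsClosedBySysAdmin()) {
    $app['apiApp'] = $apiapp;
    // Only now can the flag be trusted: it is set together with 'apiApp', so a
    // failed secret lookup (wrong secret, or app closed by a sysadmin) never
    // leaves a "loaded by secret" claim behind with no app attached.
    $app['apiAppLoadedBySecret'] = $loadedBySecret;
    $app['userAgent']->setApi2ApplicationId($apiapp->getId());

    // User token: resolved only against the authenticated app, so a token
    // issued to one application cannot be presented through another.
    if ($userTokenValue !== '') {
        $userTokenRepo = new API2ApplicationUserTokenRepository();
        // NOTE(review): the repository is expected to reject an empty/mismatched
        // secret; confirm it does not treat '' as "no secret check".
        $app['apiUserToken'] = $userTokenRepo->loadByAppAndUserTokenAndUserSecret(
            $apiapp,
            $userTokenValue,
            $userSecretValue
        );
        if ($app['apiUserToken']) {
            $userRepo = new UserAccountRepository();
            $app['apiUser'] = $userRepo->loadByID($app['apiUserToken']->getUserId());
        }
    }
}

// User permissions. Edit permissions are stripped when either the application
// or the specific user token is not an editor (least privilege of the two).
// Parentheses make the && / || grouping explicit.
$userPermissionsRepo = new \repositories\UserPermissionsRepository($app['extensions']);
$appIsNonEditor = $app['apiApp'] && !$app['apiApp']->getIsEditor();
$tokenIsNonEditor = $app['apiUserToken'] && !$app['apiUserToken']->getIsEditor();
$removeEditPermissions = ($appIsNonEditor || $tokenIsNonEditor);
$app['currentUserPermissions'] = $userPermissionsRepo->getPermissionsForUserInSite(
    $app['apiUser'],
    $app['currentSite'],
    $removeEditPermissions,
    true
);

// finally user actions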
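/**
 * Exchange an authorised request token for a user token + secret.
 *
 * Preconditions checked here:
 *  - the calling application must already have authenticated with its secret
 *    ($app['apiApp'] set and $app['apiAppLoadedBySecret'] true, populated by the
 *    request middleware); a token-only app load is refused;
 *  - authorisation_token and request_token must both be present and identify an
 *    authorisation record for that application that has not been used yet.
 *
 * The authorisation token is marked used BEFORE any user token is created, so a
 * replayed request cannot mint a second credential in the window between
 * "issue" and "mark used".
 * NOTE(review): markTokenUsed() is not known to be atomic (e.g. a conditional
 * UPDATE that reports affected rows); two genuinely concurrent requests could
 * still both pass getIsUsed(). Confirm the repository implementation if strict
 * single-use is required.
 *
 * @param Application $app
 * @return string JSON. {"success":false} on any failure, otherwise
 *                {"success":true,"permissions":{"is_editor":bool},
 *                 "user_token":string,"user_secret":string}
 */
public function userTokenJson(Application $app)
{
    $failure = json_encode(array('success' => false));

    // Credentials are only handed to an app that proved possession of its secret.
    if (!$app['apiApp'] || !$app['apiAppLoadedBySecret']) {
        return $failure;
    }

    // NOTE(review): parameters are accepted from the query string as well as the
    // POST body, so tokens can end up in access logs and Referer headers.
    // Restricting this endpoint to $_POST would be safer but changes the public
    // contract for existing clients, so it is flagged rather than changed here.
    $data = array_merge($_GET, $_POST);
    $authorisationTokenValue = isset($data['authorisation_token']) && is_string($data['authorisation_token'])
        ? $data['authorisation_token'] : '';
    $requestTokenValue = isset($data['request_token']) && is_string($data['request_token'])
        ? $data['request_token'] : '';
    if ($authorisationTokenValue === '' || $requestTokenValue === '') {
        return $failure;
    }

    // The lookup is scoped to the authenticated app, so an authorisation granted
    // to one application cannot be redeemed by another.
    $userAuthorisationTokenRepo = new API2ApplicationUserAuthorisationTokenRepository();
    $authorisationToken = $userAuthorisationTokenRepo->loadByAppAndAuthorisationTokenAndRequestToken(
        $app['apiApp'],
        $authorisationTokenValue,
        $requestTokenValue
    );
    if (!$authorisationToken || $authorisationToken->getIsUsed()) {
        return $failure;
    }

    // Consume the authorisation first (see method doc).
    $userAuthorisationTokenRepo->markTokenUsed($authorisationToken);

    $userId = $authorisationToken->getUserId();
    $userTokenRepo = new API2ApplicationUserTokenRepository();
    $userTokenRepo->createForAppAndUserId($app['apiApp'], $userId);
    $userToken = $userTokenRepo->loadByAppAndUserID($app['apiApp'], $userId);

    if (!$userToken) {
        // loadByAppAndUserID() checks the user's current permissions, so this is
        // reached when the user withdrew the app's access between authorising
        // and the app collecting its tokens.
        return $failure;
    }

    return json_encode(array(
        'success' => true,
        'permissions' => array('is_editor' => $userToken->getIsEditor()),
        'user_token' => $userToken->getUserToken(),
        'user_secret' => $userToken->getUserSecret(),
    ));
}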