From 3ae4786131db55882ccb0ec34ead383bf6ba3143 Mon Sep 17 00:00:00 2001
From: Robert Kaiser
Date: Fri, 28 Oct 2016 20:56:13 +0200
Subject: [PATCH] remove the saved redirect when it's being used, always accept email scope
---
 authorize.php | 6 +++---
 index.php | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/authorize.php b/authorize.php
index 2a7e0a5..4275254 100644
--- a/authorize.php
+++ b/authorize.php
@@ -55,8 +55,8 @@ if (!count($errors)) {
 exit();
 }
- // Display an authorization form.
- if (empty($_POST)) {
+ // Display an authorization form (unless the scope is email, which we always grant in this system).
+ if (empty($_POST) && (@$request->query['scope'] != 'email')) {
 $para = $body->appendElement('p', sprintf(_('Hi %s!'), $user['email']));
 $para->setAttribute('class', 'userwelcome');
@@ -71,7 +71,7 @@ if (!count($errors)) {
 }
 else {
 // Handle authorize request, forwarding code in GET parameters if the user has authorized your client.
- $is_authorized = ($_POST['authorized'] === 'yes');
+ $is_authorized = (($_POST['authorized'] === 'yes') || ($request->query['scope'] == 'email'));
 $server->handleAuthorizeRequest($request, $response, $is_authorized);
 /* For testing only
 if ($is_authorized) {
diff --git a/index.php b/index.php
index e01c7d1..ee03d8b 100644
--- a/index.php
+++ b/index.php
@@ -70,6 +70,11 @@ if (!count($errors)) {
 // If the session has a redirect set, make sure it's performed.
 if (strlen(@$session['saved_redirect'])) {
 header('Location: '.$utils->getDomainBaseURL().$session['saved_redirect']);
+ // Remove redirect.
+ $result = $db->prepare('UPDATE `auth_sessions` SET `saved_redirect` = :redir WHERE `id` = :sessid;');
+ if (!$result->execute(array(':redir' => '', ':sessid' => $session['id']))) {
+ $utils->log('redir_save_failure', 'session: '.$session['id'].', redirect: (empty)');
+ }
 }
 // If the session has a user set, create a new one - otherwise take existing session entry.
 if (intval($session['user'])) {
--
2.43.0
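Review bot: The consent-skipping test compares the client-supplied `scope` with a loose `!=` under `@` suppression, and the second hunk of authorize.php repeats it as an unsuppressed `==`, so the two branches can drift apart and the second can raise a notice when `scope` is absent. Computing it once and strictly keeps both in step: `$scope_is_email = isset($request->query['scope']) && $request->query['scope'] === 'email';`, then test `empty($_POST) && !$scope_is_email` here. Because a request for exactly `email` now yields a code with no user interaction, the remaining controls are presumably client registration and redirect URI validation inside the OAuth server, which this hunk does not show; the new comment should state that assumption. The enclosing `if (!count($errors))` block starts and ends outside the hunk.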
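Review bot: `$_POST['authorized']` is now read on requests that carry no POST body, because a GET with `scope=email` skips the form and lands in this `else` branch, which is an undefined-index notice on every auto-granted request. Guard the read: `$is_authorized = ((isset($_POST['authorized']) && $_POST['authorized'] === 'yes') || (isset($request->query['scope']) && $request->query['scope'] === 'email'));`. With this condition a POST carrying any other `authorized` value is also approved when the scope is `email`; if that is intended, the comment above the line should say so, since it still reads as if the user had authorized the client. The `else` block continues past the end of the hunk.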
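Review bot: The `Location` value is `$session['saved_redirect']` appended to the base URL, and nothing in this hunk checks that the stored value is a local path. Where it is written is outside the hunk, so confirm the validation there or guard it here before sending the header, for instance by requiring a leading `/` if `getDomainBaseURL()` returns no trailing slash. Separately, if `$db` is a PDO handle, `prepare()` can return `false` depending on the error mode, and `$result->execute()` would then be a fatal error; `if (!$result || !$result->execute(...))` covers both failures. A failed update leaves the redirect stored, so it would presumably be replayed on the next visit, and the reused `redir_save_failure` log tag does not distinguish that case from a failed save.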