From 1475ff63ddeb56c277836092d2b02861cb47e4ee Mon Sep 17 00:00:00 2001
From: Tom Needham
Date: Wed, 12 Dec 2012 21:04:23 +0000
Subject: [PATCH] API: Add check to see if the user is authorised to run the api method
---
 lib/api.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/lib/api.php b/lib/api.php
index e119b878210..84d1155b594 100644
--- a/lib/api.php
+++ b/lib/api.php
@@ -86,12 +86,16 @@ class OC_API {
 parse_str(file_get_contents("php://input"), $_DELETE);
 }
 $name = $parameters['_route'];
- // Loop through registered actions
- if(is_callable(self::$actions[$name]['action'])){
- $response = call_user_func(self::$actions[$name]['action'], $parameters);
+ // Check authentication and availability
+ if(self::isAuthorised(self::$actions[$name])){
+ if(is_callable(self::$actions[$name]['action'])){
+ $response = call_user_func(self::$actions[$name]['action'], $parameters);
+ } else {
+ $response = new OC_OCS_Result(null, 998, 'Internal server error');
+ }
 } else {
- $response = new OC_OCS_Result(null, 998, 'Internal server error.');
- }
+ $response = new OC_OCS_Result(null, 997, 'Unauthorised');
+ }
 // Send the response
 $formats = array('json', 'xml');
 $format = !empty($_GET['format']) && in_array($_GET['format'], $formats) ? $_GET['format'] : 'xml';
--
2.39.5
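Review bot: `self::$actions[$name]` is passed to `isAuthorised()` without first confirming that an action is registered under `$name`, so for an unknown route the authorisation decision would be made on an undefined entry. `isAuthorised()` is defined outside this hunk, so whether it fails closed in that case cannot be confirmed from here. If `$name` can ever miss the registry, guard it before the auth check with `if(!isset(self::$actions[$name])){ $response = new OC_OCS_Result(null, 998, 'Internal server error'); }`, or state in the `isAuthorised()` docblock that a missing or unrecognised auth level returns false. It would also help to extend the new comment to `// Check authorisation first so unauthorised callers always get 997, then check the handler is callable`, since that ordering is the security-relevant part. The enclosing method begins and ends outside the hunk, so how the 997 result maps to an HTTP status is not visible here.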