authorTom Needham <needham.thomas@gmail.com>2012-08-03 11:56:11 +0000
committerTom Needham <needham.thomas@gmail.com>2012-08-03 11:56:11 +0000
commit6047a5fe515091d755e964c24de93fc29a5f9754 (patch)
tree68839648ca6b2f6977f2c4ffb9b6442f7efa0225
parenta7906d813ad342f06d4834c10c1200002f7342d2 (diff)
downloadnextcloud-server-6047a5fe515091d755e964c24de93fc29a5f9754.tar.gz
nextcloud-server-6047a5fe515091d755e964c24de93fc29a5f9754.zip
API: Check if the consumer has permissions to access the requested method
-rw-r--r--lib/api.php12
-rw-r--r--lib/oauth/server.php3
2 files changed, 11 insertions, 4 deletions
diff --git a/lib/api.php b/lib/api.php
index 8fdfc63070b..90f36aefbcd 100644
--- a/lib/api.php
+++ b/lib/api.php
@@ -73,11 +73,17 @@ class OC_API {
// Loop through registered actions
foreach(self::$actions[$name] as $action){
$app = $action['app'];
- if(is_callable($action['action'])){
- $responses[] = array('app' => $app, 'response' => call_user_func($action['action'], $parameters));
+ // Check the consumer has permission to call this method.
+ if(OC_OAuth_Server::isAuthorised('app_'.$app)){
+ if(is_callable($action['action'])){
+ $responses[] = array('app' => $app, 'response' => call_user_func($action['action'], $parameters));
+ } else {
+ $responses[] = array('app' => $app, 'response' => 501);
+ }
} else {
- $responses[] = array('app' => $app, 'response' => 501);
+ $responses[] = array('app' => $app, 'response' => 401);
}
+
}
// Merge the responses
$response = self::mergeResponses($responses);
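Review bot: The new `OC_OAuth_Server::isAuthorised('app_'.$app)` gate at line 28 does not enforce anything in this commit, because the same commit's lib/oauth/server.php hunk makes `isAuthorised()` return `true` unconditionally (the verify call is commented out), so the new 401 branch is unreachable and every registered action stays callable by any consumer. Until verification exists the gate should say so where a maintainer will read it, e.g. `// NOTE: isAuthorised() currently returns true for every scope; the 401 path is not yet reachable`. Separately, a consumer whose request validates but whose token lacks the scope is a permission failure rather than a credential failure, so 403 may fit that branch better than 401 — hedged, since the API's other status conventions are not visible here. The blank line added at line 38 is whitespace noise. The enclosing method starts outside the hunk.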
diff --git a/lib/oauth/server.php b/lib/oauth/server.php
index c563c527601..b14277afea1 100644
--- a/lib/oauth/server.php
+++ b/lib/oauth/server.php
@@ -58,7 +58,8 @@ class OC_OAuth_Server extends OAuthServer {
public static function isAuthorised($scope) {
try {
$request = OAuthRequest::from_request();
- $this->verify_request();
+ //$this->verify_request(); // TODO cannot use $this in static context
+ return true;
} catch (OAuthException $exception) {
return false;
}
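Review bot: `isAuthorised()` now grants every scope to every caller: `verify_request()` is commented out, `return true` is reached whenever `OAuthRequest::from_request()` does not throw, and the `$scope` parameter is never consulted, so the only way to get `false` is a malformed request. An authorisation check that cannot yet be implemented should fail closed rather than open; `return false;` with the TODO kept would leave OAuth consumers unable to use the API until verification works, but would not silently expose every method in the meantime. The `$this` problem the TODO names can be addressed by calling `verify_request()` on an instance of this class — the parent `OAuthServer` provides it as an instance method — and then comparing the scope granted to the returned token with `$scope`; the constructor arguments are not visible here, so I cannot quote that change. The `$request` assigned at line 49 is otherwise unused once the verify call is gone.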