Author: chabotc
Date: Sun Jan 25 11:12:01 2009
New Revision: 737500
URL: http://svn.apache.org/viewvc?rev=737500&view=rev
Log:
Added a hint about user id checking to the activity handler
Modified:
incubator/shindig/trunk/php/src/social/service/ActivityHandler.php
Modified: incubator/shindig/trunk/php/src/social/service/ActivityHandler.php
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/php/src/social/service/ActivityHandler.php?rev=737500&r1=737499&r2=737500&view=diff
==============================================================================
--- incubator/shindig/trunk/php/src/social/service/ActivityHandler.php
(original)
+++ incubator/shindig/trunk/php/src/social/service/ActivityHandler.php Sun Jan
25 11:12:01 2009
@@ -20,7 +20,7 @@
class ActivityHandler extends DataRequestHandler {
private $service;
-
+
private static $ACTIVITY_ID_PATH =
"/activities/{userId}/{groupId}/{activityId}";
public function __construct() {
@@ -89,6 +89,12 @@
if (! empty($activityIds)) {
throw new InvalidArgumentException("Cannot specify activityId in
create");
}
+ /*
+ * Note, on just about all types of social networks you would only allow
activities to be created when the owner == viewer, and the userId == viewer as
well, in code this would mean:
+ * if ($token->getOwnerId() != $token->getViewerId() ||
$token->getViewerId() != $userId->getUserId($token)) {
+ * throw new SocialSpiException("Create activity permission denied.",
ResponseError::$UNAUTHORIZED);
+ * }
+ */
return $this->service->createActivity($userIds[0],
$requestItem->getGroup(), $requestItem->getAppId(), $requestItem->getFields(),
$requestItem->getParameter("activity"), $requestItem->getToken());
}
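Review bot: The ownership check is added only as a comment, so the create path still passes `$userIds[0]` from the request to `createActivity()` without comparing it to the token's owner or viewer. Unless the service implementation enforces this itself (not visible here), a caller holding any valid token may be able to create activities on behalf of another user; I would enable the check by default and let containers opt out, rather than leave it as an opt-in hint. The sample also refers to `$userId`, while the visible lines only use `$userIds`, so pasted as-is it would likely fail; presumably `$userIds[0]->getUserId($token)` is meant, and comparing the ids as strings with `!==` would avoid PHP's loose `!=` type juggling. The enclosing method starts outside the hunk.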