Merge pull request WP-API#17 from WP-API/check-user-auth

rachelbaker · rachelbaker · commit dbf82461a831 · 2014-07-07T07:55:22.000-05:00
Ensure users are logged in when authorizing
diff --git a/lib/class-wp-json-authentication-oauth1-authorize.php b/lib/class-wp-json-authentication-oauth1-authorize.php
@@ -38,6 +38,11 @@ public function register_hooks() {
 	 * default wp-login handlers.
 	 */
 	public function handle_request() {
+		if ( ! is_user_logged_in() ) {
+			wp_safe_redirect( wp_login_url( $_SERVER['REQUEST_URI'] ) );
+			exit;
+		}
+
 		$response = $this->render_page();
 		if ( is_wp_error( $response ) ) {
 			$this->display_error( $response );
diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php
@@ -377,6 +377,10 @@ public function authorize_request_token( $key, $user = null ) {
 			$user = $user->ID;
 		}
 
+		if ( empty( $user ) ) {
+			return new WP_Error( 'json_oauth1_invalid_user', __( 'Invalid user specified for access token' ) );
+		}
+
 		$token['authorized'] = true;
 		$token['verifier'] = wp_generate_password( self::VERIFIER_LENGTH, false );
 		$token['user'] = $user;
