Comments

sun’s picture

Status:Needs review» Reviewed & tested by the community
teunis’s picture

Works for me!

Alan Evans’s picture

Priority:Normal» Major
Status:Reviewed & tested by the community» Needs work

Library has moved on again since this patch was posted... will post a patch in a moment ...

Upping the priority, as this causes some serious breakages, for example auth failures on any installation which uses a non-standard port, due to client code signing with eg myhost.com:8080 and the older oauth.module lib validating against myhost.com:8080:8080 (see #1337718: OAuthRequest->http_url defaults to having the port twice! and a couple of other auth issues in the queue)

Alan Evans’s picture

Status:Needs work» Needs review
StatusFileSize
new2.29 KB
Alan Evans’s picture

StatusFileSize
new1.66 KB

Sorry, I didn't realise that the final block of the patch wasn't new code in the library but in fact a change that is required for two-legged oauth to work. Sun's original patch still stands. Reposting sun's original patch here for clarity and resetting to previous RTBC status, but leaving the priority at major as there are known bugs with the existing older version.

Having said that, I'm not 100% sure that the oauth.module-specific change is entirely secure (referring to the only remaining difference between google's code and the bundled version here). It looks mainly ok, as it should then be down to calling code to determine whether an empty token is ok ... so I *think* it's ok, but would be good to track down where this difference came from to be sure.

juampy’s picture

Status:Needs review» Closed (won't fix)

The dev version of the module uses Libraries API, so instead of containing the library it expects it to be downloaded at sites/all/libraries/oauth/OAuth.php, which fixes this issue.

See #1591692: Replace current OAuth library for more details.

sun’s picture

@juampy: Thanks! But btw, I hope you're not adding the Libraries API + oauth library dependency within an existing major version, as that would totally blow up sites that are merely updating from an earlier point release to a new.

juampy’s picture

Errrm, yes. It is currently at 7.x-3.0 and was going to be available at 7.x-3.1. I created 7.x-4.x to hold the migration to a better library.

Should I better use 7.x-4.x to implement Libraries API and 7.x-5.x for #1591692: Replace current OAuth library? If so, I will revert this work at 7.x-3.x and move those commits to 7.x-4.x.

sun’s picture

Status:Closed (won't fix)» Fixed

Totally, I think. No one expects API changes and dependency additions in a point release ;)

juampy’s picture

Status:Fixed» Active

OK, reopening in order to do these changes. Thanks for the feedback.

juampy’s picture

Status:Active» Fixed

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.