From 55e8473a7a87ebe85bcfa5cfb409ce9a9aeafdd0 Mon Sep 17 00:00:00 2001
From: Zach Copley
Date: Wed, 10 Mar 2010 03:39:05 +0000
Subject: [PATCH] A blank username should never be allowed.
---
 lib/apiauth.php | 2 +-
 lib/util.php | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/apiauth.php b/lib/apiauth.php
index f63c84d8f3..32502399f9 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -241,7 +241,7 @@ class ApiAuthAction extends ApiAction
 $realm = common_config('site', 'name') . ' API';
 }
- if (!isset($this->auth_user_nickname) && $required) {
+ if (empty($this->auth_user_nickname) && $required) {
 header('WWW-Authenticate: Basic realm="' . $realm . '"');
 // show error if the user clicks 'cancel'
diff --git a/lib/util.php b/lib/util.php
index da2799d4f9..5bef88ecc1 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -133,6 +133,11 @@ function common_munge_password($password, $id)
 function common_check_user($nickname, $password)
 {
+ // empty nickname always unacceptable
+ if (empty($nickname)) {
+ return false;
+ }
+
 $authenticatedUser = false;
 if (Event::handle('StartCheckPassword', array($nickname, $password, &$authenticatedUser))) {
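Review bot: `empty()` on the changed line in lib/apiauth.php is broader than "blank": PHP treats the string `'0'` as empty, so a client sending the nickname `0` is always challenged, and the same holds for the `empty($nickname)` guard added to common_check_user in lib/util.php. This fails closed, but if `0` can be a registered nickname (the nickname rules are not visible here) that account could no longer authenticate over the API. Whitespace-only input, on the other hand, still passes both checks. A test that states the intent exactly would be `if ((!isset($this->auth_user_nickname) || trim($this->auth_user_nickname) === '') && $required) {`. The enclosing method starts and ends outside the hunk.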
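Review bot: The new guard in common_check_user rejects a blank nickname but still hands an empty `$password` to the StartCheckPassword handlers, none of which is visible in this patch. If any backend behind that event treats an empty password as an anonymous or unauthenticated login, the case this commit guards against for usernames would remain open for passwords. Rejecting both up front is cheap: `if ((string)$nickname === '' || (string)$password === '') { return false; }`. A short docblock saying that blank credentials return `false` before any plugin is consulted would also help plugin authors. The function body continues past the end of the hunk.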