From 05156b708a16c5a20d4081242c398e667792de15 Mon Sep 17 00:00:00 2001
From: Michele
Date: Sun, 17 Jan 2010 11:21:07 +0100
Subject: [PATCH] HTTP auth provided is evaluated even if it's not required
---
 lib/apiauth.php | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/apiauth.php b/lib/apiauth.php
index 691db584b7..b4292408a1 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -79,10 +79,13 @@ class ApiAuthAction extends ApiAction
 $this->checkOAuthRequest();
 } else {
 $this->checkBasicAuthUser();
- // By default, all basic auth users have read and write access
-
- $this->access = self::READ_WRITE;
 }
+ } else {
+
+ // Check to see if a basic auth user is there even
+ // if one's not required
+
+ $this->checkBasicAuthUser(false);
 }
 return true;
@@ -198,13 +201,13 @@ class ApiAuthAction extends ApiAction
 * @return boolean true or false
 */
- function checkBasicAuthUser()
+ function checkBasicAuthUser($required = true)
 {
 $this->basicAuthProcessHeader();
 $realm = common_config('site', 'name') . ' API';
- if (!isset($this->auth_user)) {
+ if (!isset($this->auth_user) && $required) {
 header('WWW-Authenticate: Basic realm="' . $realm . '"');
 // show error if the user clicks 'cancel'
@@ -212,12 +215,16 @@ class ApiAuthAction extends ApiAction
 $this->showBasicAuthError();
 exit;
- } else {
+ } else if (isset($this->auth_user)) {
 $nickname = $this->auth_user;
 $password = $this->auth_pw;
 $user = common_check_user($nickname, $password);
 if (Event::handle('StartSetApiUser', array(&$user))) {
 $this->auth_user = $user;
+
+ // By default, all basic auth users have read and write access
+ $this->access = self::READ_WRITE;
+
+ Event::handle('EndSetApiUser', array($user));
 }
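Review bot: The new `else` branch runs `checkBasicAuthUser(false)` for every endpoint that does not require authentication, so a request to a public endpoint that carries a wrong or stale Authorization header is now validated as well, and the comment above the call does not say what is supposed to happen then (treated as anonymous, or refused with a 401). Spell the policy out at the call site, e.g. `// Optional auth: credentials that are present are still validated; bad ones must not silently become an anonymous session`, so that the behaviour of `checkBasicAuthUser(false)` is a documented contract rather than a side effect. Note that only Basic credentials are examined on this path; `checkOAuthRequest()` is reached solely inside the requires-auth branch, so an OAuth-signed request to such an endpoint is never looked at, which may be intended but deserves a line of comment too. The enclosing method, and the condition that chooses OAuth versus Basic, start outside the hunk.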
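Review bot: `checkBasicAuthUser()` gains a `$required` parameter but the docblock directly above it (its start lies outside the hunk) still documents only the return value, so the one flag that decides whether an unauthenticated request is challenged with `WWW-Authenticate` or allowed to fall through is undocumented. Add `* @param boolean $required send a 401 challenge when no credentials are present (default true); when false the request continues unauthenticated` above the `@return` line. It would also help to state there that credentials which are present are validated regardless of `$required`, since the later `else if (isset($this->auth_user))` branch does exactly that and it is the point of the commit.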
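Review bot: The `READ_WRITE` grant now sits inside the `StartSetApiUser` block, which executes whatever `common_check_user()` returned, so on the lines shown a request with a wrong password is assigned `$this->auth_user = $user` and `$this->access = self::READ_WRITE` in one go; before this commit the grant lived in the caller's required-auth path and was never reachable from the new optional-auth call. Unless the remainder of `checkBasicAuthUser()` (the method continues past the hunk) rejects an empty `auth_user`, a caller hitting an endpoint that does not require auth can present bad credentials and leave with write access and an `auth_user` that, if the check signals failure with `false`, still satisfies `isset()`. Make the grant depend on the check actually succeeding, `if (!empty($user)) { $this->access = self::READ_WRITE; }`, and when `$required` is false and the credentials are bad, either unset `$this->auth_user` or answer with a 401 instead of falling through. Logging the failed attempt with nickname and client address would make the new path auditable.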