forked from GNUsocial/gnu-social
HTTP auth provided is evaluated even if it's not required
This commit is contained in:
parent
f650b40706
commit
b0a325f7d0
@ -84,16 +84,22 @@ class ApiAuthAction extends ApiAction
|
||||
} else {
|
||||
$this->checkBasicAuthUser();
|
||||
}
|
||||
} else {
|
||||
|
||||
// Reject API calls with the wrong access level
|
||||
// Check to see if a basic auth user is there even
|
||||
// if one's not required
|
||||
|
||||
if ($this->isReadOnly($args) == false) {
|
||||
if ($this->access != self::READ_WRITE) {
|
||||
$msg = 'API resource requires read-write access, ' .
|
||||
'but you only have read access.';
|
||||
$this->clientError($msg, 401, $this->format);
|
||||
exit();
|
||||
}
|
||||
$this->checkBasicAuthUser(false);
|
||||
}
|
||||
|
||||
// Reject API calls with the wrong access level
|
||||
|
||||
if ($this->isReadOnly($args) == false) {
|
||||
if ($this->access != self::READ_WRITE) {
|
||||
$msg = 'API resource requires read-write access, ' .
|
||||
'but you only have read access.';
|
||||
$this->clientError($msg, 401, $this->format);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
@ -206,13 +212,13 @@ class ApiAuthAction extends ApiAction
|
||||
* @return boolean true or false
|
||||
*/
|
||||
|
||||
function checkBasicAuthUser()
|
||||
function checkBasicAuthUser($required = true)
|
||||
{
|
||||
$this->basicAuthProcessHeader();
|
||||
|
||||
$realm = common_config('site', 'name') . ' API';
|
||||
|
||||
if (!isset($this->auth_user_nickname)) {
|
||||
if (!isset($this->auth_user_nickname) && $required) {
|
||||
header('WWW-Authenticate: Basic realm="' . $realm . '"');
|
||||
|
||||
// show error if the user clicks 'cancel'
|
||||
@ -222,11 +228,10 @@ class ApiAuthAction extends ApiAction
|
||||
|
||||
} else {
|
||||
|
||||
$user = common_check_user($this->auth_user_nickname,
|
||||
$this->auth_user_password);
|
||||
|
||||
if (Event::handle('StartSetApiUser', array(&$user))) {
|
||||
$this->auth_user = $user;
|
||||
$this->auth_user = common_check_user($this->auth_user_nickname,
|
||||
$this->auth_user_password);
|
||||
|
||||
Event::handle('EndSetApiUser', array($user));
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user