eliseuamaro/gnu-social
1
0
Fork 0
forked from GNUsocial/gnu-social
Code Issues Pull Requests Releases Wiki Activity

HTTP auth provided is evaluated even if it's not required

Browse Source
This commit is contained in:
Michele 2010-01-17 11:21:07 +01:00 committed by Zach Copley
parent f650b40706
commit b0a325f7d0
1 changed files with 19 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
lib/apiauth.php
View File

@ -84,16 +84,22 @@ class ApiAuthAction extends ApiAction
} else { } else {
$this->checkBasicAuthUser(); $this->checkBasicAuthUser();
} }
} else {
// Reject API calls with the wrong access level // Check to see if a basic auth user is there even
// if one's not required
if ($this->isReadOnly($args) == false) { $this->checkBasicAuthUser(false);
if ($this->access != self::READ_WRITE) { }
$msg = 'API resource requires read-write access, ' .
'but you only have read access.'; // Reject API calls with the wrong access level
$this->clientError($msg, 401, $this->format);
exit(); if ($this->isReadOnly($args) == false) {
} if ($this->access != self::READ_WRITE) {
$msg = 'API resource requires read-write access, ' .
'but you only have read access.';
$this->clientError($msg, 401, $this->format);
exit;
} }
} }
@ -206,13 +212,13 @@ class ApiAuthAction extends ApiAction
* @return boolean true or false * @return boolean true or false
*/ */
function checkBasicAuthUser() function checkBasicAuthUser($required = true)
{ {
$this->basicAuthProcessHeader(); $this->basicAuthProcessHeader();
$realm = common_config('site', 'name') . ' API'; $realm = common_config('site', 'name') . ' API';
if (!isset($this->auth_user_nickname)) { if (!isset($this->auth_user_nickname) && $required) {
header('WWW-Authenticate: Basic realm="' . $realm . '"'); header('WWW-Authenticate: Basic realm="' . $realm . '"');
// show error if the user clicks 'cancel' // show error if the user clicks 'cancel'
@ -222,11 +228,10 @@ class ApiAuthAction extends ApiAction
} else { } else {
$user = common_check_user($this->auth_user_nickname,
$this->auth_user_password);
if (Event::handle('StartSetApiUser', array(&$user))) { if (Event::handle('StartSetApiUser', array(&$user))) {
$this->auth_user = $user; $this->auth_user = common_check_user($this->auth_user_nickname,
$this->auth_user_password);
Event::handle('EndSetApiUser', array($user)); Event::handle('EndSetApiUser', array($user));
} }