authorMichele <macno@macno.org>2010-01-17 11:21:07 +0100
committerZach Copley <zach@status.net>2010-01-27 14:06:27 -0800
commitb0a325f7d0418575cdb46b7074c4cd2317f04980 (patch)
tree0bfdc95e93e06f025a40156fe9f4b6bad09c0a5d
parentf650b40706bc3ecf0944a2e64cb30eeaf3728659 (diff)
HTTP auth, when provided, is evaluated even if it's not required
-rw-r--r--lib/apiauth.php33
1 files changed, 19 insertions, 14 deletions
diff --git a/lib/apiauth.php b/lib/apiauth.php
index ad9651ff2..ac5e997c7 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -84,16 +84,22 @@ class ApiAuthAction extends ApiAction
} else {
$this->checkBasicAuthUser();
}
+ } else {
- // Reject API calls with the wrong access level
+ // Check to see if a basic auth user is there even
+ // if one's not required
- if ($this->isReadOnly($args) == false) {
- if ($this->access != self::READ_WRITE) {
- $msg = 'API resource requires read-write access, ' .
- 'but you only have read access.';
- $this->clientError($msg, 401, $this->format);
- exit();
- }
+ $this->checkBasicAuthUser(false);
+ }
+
+ // Reject API calls with the wrong access level
+
+ if ($this->isReadOnly($args) == false) {
+ if ($this->access != self::READ_WRITE) {
+ $msg = 'API resource requires read-write access, ' .
+ 'but you only have read access.';
+ $this->clientError($msg, 401, $this->format);
+ exit;
}
}
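Review bot: The optional-auth branch at `$this->checkBasicAuthUser(false);` gives this caller no way to tell "no credentials sent" apart from "credentials sent but rejected", so a request carrying a wrong password for a resource that does not require auth appears to continue as anonymous unless the tail of checkBasicAuthUser (outside these hunks) rejects it. A client that presents credentials should get a 401 when they fail, exactly as on a required resource, and those failures are the signal a brute-force detector relies on. I would add after that call `if (isset($this->auth_user_nickname) && empty($this->auth_user)) { $this->clientError('Invalid credentials supplied.', 401, $this->format); exit; }`, mirroring the access-level rejection that follows. The enclosing method begins before this hunk, so I cannot see where `$this->access` is set on the optional path that the read-write check below then depends on.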
@@ -206,13 +212,13 @@ class ApiAuthAction extends ApiAction
* @return boolean true or false
*/
- function checkBasicAuthUser()
+ function checkBasicAuthUser($required = true)
{
$this->basicAuthProcessHeader();
$realm = common_config('site', 'name') . ' API';
- if (!isset($this->auth_user_nickname)) {
+ if (!isset($this->auth_user_nickname) && $required) {
header('WWW-Authenticate: Basic realm="' . $realm . '"');
// show error if the user clicks 'cancel'
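Review bot: The new condition `if (!isset($this->auth_user_nickname) && $required)` routes a request with no Authorization header and `$required === false` into the else branch, where (per the next hunk) `common_check_user` is called with `$this->auth_user_nickname` and `$this->auth_user_password` unset — a lookup with null credentials, and possibly undefined-property notices if the class does not declare them. Absent credentials should short-circuit before any user lookup: keep the outer test as `if (!isset($this->auth_user_nickname)) {` and add inside it `if (!$required) { return false; }` ahead of the `WWW-Authenticate` header, so the else branch only runs with a nickname present. The new `$required` parameter is also undocumented; the docblock above should gain `* @param boolean $required send a 401 challenge when no credentials are supplied (default true)`. Both call sites in the first hunk ignore the return value, so the early return is safe from their side; the remainder of this method lies past the hunk.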
@@ -222,11 +228,10 @@ class ApiAuthAction extends ApiAction
} else {
- $user = common_check_user($this->auth_user_nickname,
- $this->auth_user_password);
-
if (Event::handle('StartSetApiUser', array(&$user))) {
- $this->auth_user = $user;
+ $this->auth_user = common_check_user($this->auth_user_nickname,
+ $this->auth_user_password);
+
Event::handle('EndSetApiUser', array($user));
}