HTTP auth provided is evaluated even if it's not required

author: Michele <macno@macno.org> 2010-01-17 11:21:07 +0100
committer: Zach Copley <zach@status.net> 2010-01-27 14:06:27 -0800
commit: b0a325f7d0418575cdb46b7074c4cd2317f04980 (patch)
tree: 0bfdc95e93e06f025a40156fe9f4b6bad09c0a5d /lib
parent: f650b40706bc3ecf0944a2e64cb30eeaf3728659 (diff)
1 files changed, 19 insertions, 14 deletions
diff --git a/lib/apiauth.php b/lib/apiauth.php
index ad9651ff2..ac5e997c7 100644
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -84,16 +84,22 @@ class ApiAuthAction extends ApiAction
             } else {
                 $this->checkBasicAuthUser();
             }
+        } else {
 
-            // Reject API calls with the wrong access level
+            // Check to see if a basic auth user is there even
+            // if one's not required
 
-            if ($this->isReadOnly($args) == false) {
-                if ($this->access != self::READ_WRITE) {
-                    $msg = 'API resource requires read-write access, ' .
-                      'but you only have read access.';
-                    $this->clientError($msg, 401, $this->format);
-                    exit();
-                }
+            $this->checkBasicAuthUser(false);
+        }
+
+        // Reject API calls with the wrong access level
+
+        if ($this->isReadOnly($args) == false) {
+            if ($this->access != self::READ_WRITE) {
+                $msg = 'API resource requires read-write access, ' .
+                       'but you only have read access.';
+                $this->clientError($msg, 401, $this->format);
+                exit;
             }
         }
 
@@ -206,13 +212,13 @@ class ApiAuthAction extends ApiAction
      * @return boolean true or false
      */
 
-    function checkBasicAuthUser()
+    function checkBasicAuthUser($required = true)
     {
         $this->basicAuthProcessHeader();
 
         $realm = common_config('site', 'name') . ' API';
 
-        if (!isset($this->auth_user_nickname)) {
+        if (!isset($this->auth_user_nickname) && $required) {
             header('WWW-Authenticate: Basic realm="' . $realm . '"');
 
             // show error if the user clicks 'cancel'
@@ -222,11 +228,10 @@ class ApiAuthAction extends ApiAction
 
         } else {
 
-            $user = common_check_user($this->auth_user_nickname,
-                                      $this->auth_user_password);
-
             if (Event::handle('StartSetApiUser', array(&$user))) {
-                $this->auth_user = $user;
+                $this->auth_user = common_check_user($this->auth_user_nickname,
+                                                     $this->auth_user_password);
+
                 Event::handle('EndSetApiUser', array($user));
             }
author	Michele <macno@macno.org>	2010-01-17 11:21:07 +0100
committer	Zach Copley <zach@status.net>	2010-01-27 14:06:27 -0800
commit	b0a325f7d0418575cdb46b7074c4cd2317f04980 (patch)
tree	0bfdc95e93e06f025a40156fe9f4b6bad09c0a5d /lib
parent	f650b40706bc3ecf0944a2e64cb30eeaf3728659 (diff)