
Commit b0a325f7 authored by Michele's avatar Michele Committed by Zach Copley

HTTP auth provided is evaluated even if it's not required

parent f650b407
......@@ -84,16 +84,22 @@ class ApiAuthAction extends ApiAction
} else {
$this->checkBasicAuthUser();
}
} else {
// Reject API calls with the wrong access level
// Check to see if a basic auth user is there even
// if one's not required
if ($this->isReadOnly($args) == false) {
if ($this->access != self::READ_WRITE) {
$msg = 'API resource requires read-write access, ' .
'but you only have read access.';
$this->clientError($msg, 401, $this->format);
exit();
}
$this->checkBasicAuthUser(false);
}
// Reject API calls with the wrong access level
if ($this->isReadOnly($args) == false) {
if ($this->access != self::READ_WRITE) {
$msg = 'API resource requires read-write access, ' .
'but you only have read access.';
$this->clientError($msg, 401, $this->format);
exit;
}
}
......@@ -206,13 +212,13 @@ class ApiAuthAction extends ApiAction
* @return boolean true or false
*/
function checkBasicAuthUser()
function checkBasicAuthUser($required = true)
{
$this->basicAuthProcessHeader();
$realm = common_config('site', 'name') . ' API';
if (!isset($this->auth_user_nickname)) {
if (!isset($this->auth_user_nickname) && $required) {
header('WWW-Authenticate: Basic realm="' . $realm . '"');
// show error if the user clicks 'cancel'
......@@ -222,11 +228,10 @@ class ApiAuthAction extends ApiAction
} else {
$user = common_check_user($this->auth_user_nickname,
$this->auth_user_password);
if (Event::handle('StartSetApiUser', array(&$user))) {
$this->auth_user = $user;
$this->auth_user = common_check_user($this->auth_user_nickname,
$this->auth_user_password);
Event::handle('EndSetApiUser', array($user));
}
......
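Review bot: In `checkBasicAuthUser()`, when `$required` is false and no credentials were sent, the new condition `!isset($this->auth_user_nickname) && $required` is false, so the `else` branch runs: `common_check_user()` is called with an unset nickname and password, and the `StartSetApiUser`/`EndSetApiUser` handlers fire on every anonymous request. Narrowing that branch to `} elseif (isset($this->auth_user_nickname)) {` would keep anonymous calls out of the credential check. The rest of the branch lies outside the hunk, so confirm there that credentials which are supplied but wrong on an optional-auth endpoint are still rejected with a 401 and recorded as a failed login, rather than quietly treated as anonymous. The docblock above the signature (its start is also outside the hunk) should gain a `@param` line for `$required`.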