Merge branch 'master' into testing

[quix0rs-gnu-social.git] / lib / apiauth.php

diff --git a/lib/apiauth.php b/lib/apiauth.php
index 99500404f94712673848b84f46e459c3521cc312..e78de618ee2a4eb1713278d2592a54efd828c127 100644 (file)
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -38,7 +38,6 @@ if (!defined('STATUSNET')) {
     exit(1);
 }
 
-require_once INSTALLDIR . '/lib/api.php';
 require_once INSTALLDIR . '/lib/apioauth.php';
 
 /**
@@ -55,6 +54,7 @@ class ApiAuthAction extends ApiAction
 {
     var $auth_user_nickname = null;
     var $auth_user_password = null;
+    var $oauth_source       = null;
 
     /**
      * Take arguments for running, looks for an OAuth request,
@@ -73,20 +73,18 @@ class ApiAuthAction extends ApiAction
         // NOTE: $this->auth_user has to get set in prepare(), not handle(),
         // because subclasses do stuff with it in their prepares.
 
-        if ($this->requiresAuth()) {
+        $oauthReq = $this->getOAuthRequest();
 
-            $oauthReq = $this->getOAuthRequest();
-
-            if (!$oauthReq) {
+        if (!$oauthReq) {
+            if ($this->requiresAuth()) {
                 $this->checkBasicAuthUser(true);
             } else {
-                $this->checkOAuthRequest($oauthReq);
+                // Check to see if a basic auth user is there even
+                // if one's not required
+                $this->checkBasicAuthUser(false);
             }
         } else {
-
-            // Check to see if a basic auth user is there even
-            // if one's not required
-            $this->checkBasicAuthUser(false);
+            $this->checkOAuthRequest($oauthReq);
         }
 
         // Reject API calls with the wrong access level
@@ -108,7 +106,6 @@ class ApiAuthAction extends ApiAction
      * This is to avoid doign any unnecessary DB lookups.
      *
      * @return mixed the OAuthRequest or false
-     *
      */
 
     function getOAuthRequest()
@@ -137,7 +134,6 @@ class ApiAuthAction extends ApiAction
      * @param OAuthRequest $request the OAuth Request
      *
      * @return nothing
-     *
      */
 
     function checkOAuthRequest($request)
@@ -239,9 +235,13 @@ class ApiAuthAction extends ApiAction
     {
         $this->basicAuthProcessHeader();
 
-        $realm = common_config('site', 'name') . ' API';
+        $realm = common_config('api', 'realm');
 
-        if (!isset($this->auth_user_nickname) && $required) {
+        if (empty($realm)) {
+            $realm = common_config('site', 'name') . ' API';
+        }
+
+        if (empty($this->auth_user_nickname) && $required) {
             header('WWW-Authenticate: Basic realm="' . $realm . '"');
 
             // show error if the user clicks 'cancel'
@@ -267,7 +267,7 @@ class ApiAuthAction extends ApiAction
 
             $this->access = self::READ_WRITE;
 
-            if (empty($this->auth_user) && $required) {
+            if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
 
                 // basic authentication failed
 
@@ -294,11 +294,15 @@ class ApiAuthAction extends ApiAction
 
     function basicAuthProcessHeader()
     {
-        if (isset($_SERVER['AUTHORIZATION'])
-            || isset($_SERVER['HTTP_AUTHORIZATION'])
-            ) {
-            $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])
-              ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION'];
+        $authHeaders = array('AUTHORIZATION',
+                             'HTTP_AUTHORIZATION',
+                             'REDIRECT_HTTP_AUTHORIZATION'); // rewrite for CGI
+        $authorization_header = null;
+        foreach ($authHeaders as $header) {
+            if (isset($_SERVER[$header])) {
+                $authorization_header = $_SERVER[$header];
+                break;
+            }
         }
 
         if (isset($_SERVER['PHP_AUTH_USER'])) {