X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauthaction.php;h=2eca6b646762257a94d78b87e72fdc3f0df12d3b;hb=dc0b62f63693fafb6400a2d2ed4a0ca51eb3fc6b;hp=a7b212d79ad55a1913ab12a7828b195589ceb1b2;hpb=17647dc3ffb97f1f1cd37da978a3d80b3475cf00;p=quix0rs-gnu-social.git
diff --git a/lib/apiauthaction.php b/lib/apiauthaction.php
index a7b212d79a..2eca6b6467 100644
--- a/lib/apiauthaction.php
+++ b/lib/apiauthaction.php
@@ -93,6 +93,8 @@ class ApiAuthAction extends ApiAction
 // TRANS: Authorization exception thrown when a user without API access tries to access the API.
 throw new AuthorizationException(_('Not allowed to use API.'));
 }
+ // Let's run this in the same way as if we've just authenticated the user (basic/oauth auth)
+ Event::handle('EndSetApiUser', array($this->auth_user));
 $this->access = self::READ_WRITE;
 } else {
 $oauthReq = $this->getOAuthRequest();
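Review bot: `EndSetApiUser` is fired here without the `StartSetApiUser` that both the basic-auth and OAuth paths run first with `array(&$user)`, so a plugin that vetoes or substitutes the user in that hook never sees a session-authenticated API user, and the added comment's claim that this mirrors those paths does not hold. The enclosing branch starts before the hunk; from the visible `Right::API` check it appears `$this->auth_user` is already a `User` at this point, so the hook can be offered the same way, with the result re-checked before it is published. If `StartSetApiUser` is intentionally reserved for credential-based logins, a comment saying so would be enough instead.

```php
// … unchanged: Right::API check and AuthorizationException above …
            }
            // Offer plugins the same veto/override hook the basic and OAuth paths run
            $user = $this->auth_user;
            Event::handle('StartSetApiUser', array(&$user));
            if (!$user instanceof User || !$user->hasRight(Right::API)) {
                // TRANS: Authorization exception thrown when a user without API access tries to access the API.
                throw new AuthorizationException(_('Not allowed to use API.'));
            }
            $this->auth_user = $user;
            Event::handle('EndSetApiUser', array($this->auth_user));
            $this->access = self::READ_WRITE;
```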
@@ -210,21 +212,25 @@ class ApiAuthAction extends ApiAction
 // Set the auth user
 if (Event::handle('StartSetApiUser', array(&$user))) {
 $user = User::getKV('id', $appUser->profile_id);
- if (!empty($user)) {
- if (!$user->hasRight(Right::API)) {
- // TRANS: Authorization exception thrown when a user without API access tries to access the API.
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
+ }
+ if ($user instanceof User) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
 }
 $this->auth_user = $user;
- // FIXME: setting the value returned by common_current_user()
- // There should probably be a better method for this. common_set_user()
- // does lots of session stuff.
- global $_cur;
- $_cur = $this->auth_user;
- Event::handle('EndSetApiUser', array($user));
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ } else {
+ // If $user is not a real User, let's force it to null.
+ $this->auth_user = null;
 }
+ // FIXME: setting the value returned by common_current_user()
+ // There should probably be a better method for this. common_set_user()
+ // does lots of session stuff.
+ global $_cur;
+ $_cur = $this->auth_user;
+
 $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . "application '%s' (id: %d) with %s access.";
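Review bot: The new `else` branch sets `$this->auth_user` to null when the token's `profile_id` does not resolve to a `User` (or a `StartSetApiUser` handler replaced it with something else), but nothing rejects the request: control falls through to the "API OAuth authentication for user" message and, as far as the hunk shows, the request proceeds with `$_cur` null and whatever access the token carries. A token bound to a deleted or unresolvable user should fail closed here, e.g. `$this->clientError(_('Could not authenticate you.'), 401);` in the `else` branch, matching what the basic-auth path does. Separately, `$user instanceof User` is now evaluated even when `StartSetApiUser` returns false and no handler assigned `$user`; whether `$user` is initialised before the hunk is not visible, so an explicit `$user = null;` ahead of the event would make that safe. The enclosing method starts and ends outside the hunk.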
@@ -290,37 +296,41 @@ class ApiAuthAction extends ApiAction
 $this->clientError(_('Could not authenticate you.'), 401);
 } elseif ($required) {
+ // $this->auth_user_nickname - i.e. PHP_AUTH_USER - will have a value since it was not empty
 $user = common_check_user($this->auth_user_nickname, $this->auth_user_password);
- if (Event::handle('StartSetApiUser', array(&$user))) {
-
- if ($user instanceof User) {
- if (!$user->hasRight(Right::API)) {
- // TRANS: Authorization exception thrown when a user without API access tries to access the API.
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
- $this->auth_user = $user;
+ Event::handle('StartSetApiUser', array(&$user));
+ if ($user instanceof User) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
 }
+ $this->auth_user = $user;
- Event::handle('EndSetApiUser', array($user));
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ } else {
+ $this->auth_user = null;
 }
 // By default, basic auth users have rw access
 $this->access = self::READ_WRITE;
- if (!$this->auth_user instanceof User && isset($_SERVER['PHP_AUTH_USER'])) {
+ if (!$this->auth_user instanceof User) {
 $msg = sprintf( "basic auth nickname = %s", $this->auth_user_nickname );
 $this->logAuthFailure($msg);
+
+ // We must present WWW-Authenticate in accordance to HTTP status code 401
+ header('WWW-Authenticate: Basic realm="' . $realm . '"');
 // TRANS: Client error thrown when authentication fails.
 $this->clientError(_('Could not authenticate you.'), 401);
 }
 } else {
- // all get rw access for actions that don't need auth
+ // all get rw access for actions that don't require auth
 $this->access = self::READ_WRITE;
 }
 }
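Review bot: `$realm` is concatenated raw into the `WWW-Authenticate` quoted-string at the new `header(...)` call, and the hunk does not show where it is assigned (the method starts before the hunk); PHP's `header()` refuses CR/LF so extra headers cannot be injected through it, but a realm containing `"` or `\` produces a malformed challenge that clients may reject. Escape it as a quoted-string, `header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');`, or assert it is a safe configured value where it is defined. Whether `$this->clientError(...)` ends the request is not visible either; `$this->access = self::READ_WRITE` has already been set a few lines above, so if that call ever returned, an unauthenticated caller would continue with read-write access — a comment on the call such as `// clientError() terminates the request; nothing below runs for failed auth` would document the guarantee this code relies on.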