Workaround for HTTP authentication in the API when running PHP as CGI/FastCGI. Exampl...

diff --git a/htaccess.sample b/htaccess.sample
index 37eb8e01ec01f1169159a1b920c265c00b9bfdc2..18a868698c1dc63e0c53554a0aa5fb13e92732c7 100644 (file)
--- a/htaccess.sample
+++ b/htaccess.sample
@@ -5,6 +5,11 @@
 
   RewriteBase /mublog/
 
+  ## Uncomment these if having trouble with API authentication
+  ## when PHP is running in CGI or FastCGI mode.
+  #RewriteCond %{HTTP:Authorization} ^(.*)
+  #RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
+
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule (.*) index.php?p=$1 [L,QSA]

diff --git a/lib/apiauth.php b/lib/apiauth.php
index 32502399f9f836bbd2d0607440a72200e14f4cd1..17f803a1ca9948bf7ac64fd4623b05d300dcf776 100644 (file)
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -294,11 +294,15 @@ class ApiAuthAction extends ApiAction
 
     function basicAuthProcessHeader()
     {
-        if (isset($_SERVER['AUTHORIZATION'])
-            || isset($_SERVER['HTTP_AUTHORIZATION'])
-            ) {
-            $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])
-              ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION'];
+        $authHeaders = array('AUTHORIZATION',
+                             'HTTP_AUTHORIZATION',
+                             'REDIRECT_HTTP_AUTHORIZATION'); // rewrite for CGI
+        $authorization_header = null;
+        foreach ($authHeaders as $header) {
+            if (isset($_SERVER[$header])) {
+                $authorization_header = $_SERVER[$header];
+                break;
+            }
         }
 
         if (isset($_SERVER['PHP_AUTH_USER'])) {