// Set the auth user
if (Event::handle('StartSetApiUser', array(&$user))) {
$user = User::getKV('id', $appUser->profile_id);
- if (!empty($user)) {
- if (!$user->hasRight(Right::API)) {
- // TRANS: Authorization exception thrown when a user without API access tries to access the API.
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
+ }
+ if ($user instanceof User) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
}
$this->auth_user = $user;
- // FIXME: setting the value returned by common_current_user()
- // There should probably be a better method for this. common_set_user()
- // does lots of session stuff.
- global $_cur;
- $_cur = $this->auth_user;
- Event::handle('EndSetApiUser', array($user));
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ } else {
+ // If $user is not a real User, let's force it to null.
+ $this->auth_user = null;
}
+ // FIXME: setting the value returned by common_current_user()
+ // There should probably be a better method for this. common_set_user()
+ // does lots of session stuff.
+ global $_cur;
+ $_cur = $this->auth_user;
+
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
"application '%s' (id: %d) with %s access.";
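Review bot: When a `StartSetApiUser` handler returns false, the lookup `User::getKV('id', $appUser->profile_id)` is skipped and whatever the handler left in `$user` becomes `$this->auth_user` and the global `$_cur`, so the request identity is no longer tied to the owner of the OAuth token. If that override is intended, state the contract in a comment above the event call, e.g. `// Handlers that return false take over identity selection; $user is then trusted as-is and is not compared with $appUser->profile_id.`, and consider logging when `$user->id` differs from `$appUser->profile_id` so a substituted identity shows up in the audit trail. The new `else` branch also lets execution continue with `auth_user` set to null into the log message that follows, whose format expects a user name and id; its arguments are outside the hunk, so confirm they do not dereference a null user. The enclosing method starts and ends outside the hunk.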
$user = common_check_user($this->auth_user_nickname,
$this->auth_user_password);
- if (Event::handle('StartSetApiUser', array(&$user))) {
-
- if ($user instanceof User) {
- if (!$user->hasRight(Right::API)) {
- // TRANS: Authorization exception thrown when a user without API access tries to access the API.
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
- $this->auth_user = $user;
+ Event::handle('StartSetApiUser', array(&$user));
+ if ($user instanceof User) {
+ if (!$user->hasRight(Right::API)) {
+ // TRANS: Authorization exception thrown when a user without API access tries to access the API.
+ throw new AuthorizationException(_('Not allowed to use API.'));
}
+ $this->auth_user = $user;
- Event::handle('EndSetApiUser', array($user));
+ Event::handle('EndSetApiUser', array($this->auth_user));
+ } else {
+ $this->auth_user = null;
}
// By default, basic auth users have rw access
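Review bot: The return value of `Event::handle('StartSetApiUser', array(&$user))` is now discarded, so a handler that returned false to stop the user from being set no longer has that effect: the result of `common_check_user()`, or whatever the handler left in `$user`, is accepted as long as it is a `User`. Handlers also receive `$user` by reference after the password check, so one can turn a failed check into an authenticated user; that was possible before this change too, but mutating `$user` is now the only way a handler influences the outcome. Document the contract next to the call, e.g. `// Handlers may replace $user; to deny access they must set $user = null, the return value is ignored.`, and reconcile it with the OAuth branch, where a false return skips the default lookup instead. The enclosing method continues outside the hunk.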