[dokuwiki] Re: signing requests

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Mon, 9 Mar 2009 21:37:14 +0100

Hi

> Attached patch adds two new events to dokuwiki to facilitate
> authentication of signed requests as well as to sign outgoing HTTP requests.

Nice, I got a question about the changes in auth.php though:

-        
auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
+        $evt = new Doku_Event('ACTION_ON_AUTH',$ACT);
+        $evt->advise_before();
+        if(empty($_SERVER['REMOTE_USER'])) {
+            
auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
+        }
+        $evt->advise_after();
+        unset($evt);
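
Review bot: the `if(empty($_SERVER['REMOTE_USER']))` guard on the added lines ties the decision to skip `auth_login()` to a server variable instead of to the event itself. The call is therefore skipped whenever REMOTE_USER is already populated before this code runs, and an ACTION_ON_AUTH before-handler can bypass the normal login path just by writing to that variable. Gate the default action on the event result instead, for example `if($evt->advise_before()) { auth_login(...); }`, keep `advise_after()` and `unset($evt)` outside the condition so they always run, and document how a handler is expected to signal that it has authenticated the request.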

You add an if(empty($_SERVER['REMOTE_USER'])) check which IMHO would
prevent logging in where DokuWiki runs within a webserver (basic auth)
protected environment. I assume you added this to be able to set
REMOTE_USER in the before event handler. Shouldn't we better use

+        if($evt->advise_before()) {
+            
auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
+        }

instead?

Andi

-- 
splitbrain.org