[dokuwiki] Re: signing requests

  • From: Robin Gareus <robin@xxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Tue, 10 Mar 2009 18:18:56 +0100

Andreas Gohr wrote:
> Hi
> 
>> Attached patch adds two new events to dokuwiki to facilitate
>> authentication of signed requests as well as to sign outgoing HTTP requests.
> 
> Nice, I got a question about the changes in auth.php though:
> 
> -        
> auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
> +        $evt = new Doku_Event('ACTION_ON_AUTH',$ACT);
> +        $evt->advise_before();
> +        if(empty($_SERVER['REMOTE_USER'])) {
> +            
> auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
> +        }
> +        $evt->advise_after();
> +        unset($evt);
> 
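Review bot: the `if(empty($_SERVER['REMOTE_USER']))` guard in this hunk ties the decision to a variable the web server also populates, so in an HTTP basic auth deployment auth_login() is never reached and a handler's success cannot be told apart from the server's; the return value of `$evt->advise_before()` is already there to say whether the default should run, so let a handler that authenticated call preventDefault() and keep `$_SERVER['REMOTE_USER']` as the identity it publishes, not as the control signal. The event's documentation should also say that advise_after() fires whether or not any authentication succeeded.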
> You add an if(empty($_SERVER['REMOTE_USER'])) check which IMHO would
> prevent logging in where DokuWiki runs within a Webserver (basic auth)
> protected environment. I assume you added this to be able to set
> REMOTE_USER in the before event handler. Shouldn't we better use

yes, you assumed correctly ;)

In my case, the OAuth-plugin is setting
    $_SERVER['REMOTE_USER']=$user;              // identity read by other plugins
    global $USERINFO, $auth;
    $USERINFO = $auth->getUserData($user);      // profile used by DokuWiki core
to authenticate.

Many plugins (e.g. blog, feed, openid) get the 'currently logged in
username' from $_SERVER['REMOTE_USER'] instead of the global $USERINFO :(

> +        if($evt->advise_before()) {
> +            
> auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
> +        }
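Review bot: the polarity of this guard is undocumented: it reads as "run auth_login() unless a handler prevented the default", which is only right if a handler that authenticated is expected to call preventDefault() and advise_before() then returns false; state that contract next to the event and in the plugin docs, otherwise plugin authors will guess and get it backwards. The advise_after() and unset($evt) lines from the earlier hunk are also absent here; presumably they stay.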

yes, that's indeed a better solution. But it should be negated:
   if (!$evt->advise_before()) auth_login(...)

auth_login() should only be called if the plugin(s) _fail(s)_ to provide
authentication.

robin
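An added example, not code from the patch, from Andreas, or from Robin's OAuth plugin, showing how the proposed ACTION_ON_AUTH hook and a plugin handler fit together: the core side only falls back to auth_login() when no handler took over, and the plugin side publishes the identity through both $_SERVER['REMOTE_USER'] and $USERINFO only after the request signature checks out. The plugin name sigauth, the request parameters sig_user/sig_ts/sig, the helper sigauth_verify(), the HMAC scheme and the shared secret are assumptions made for this example, as is the convention that advise_before() returns true when no handler prevented the default; only Doku_Event, preventDefault(), register_hook(), DokuWiki_Action_Plugin and $auth->getUserData() are DokuWiki's own.

```php
<?php
// Example code added to the thread; not part of the patch or of DokuWiki.

// --- core side (inc/auth.php, as the thread proposes it) --------------------
// Assumed convention: advise_before() returns true when no handler called
// preventDefault(), i.e. when the default form/cookie login should still run.
function run_auth_action($ACT) {
    $evt = new Doku_Event('ACTION_ON_AUTH', $ACT);
    if ($evt->advise_before()) {
        // No plugin authenticated the request: fall back to the usual login.
        auth_login($_REQUEST['u'], $_REQUEST['p'], $_REQUEST['r'],
                   $_REQUEST['http_credentials']);
    }
    $evt->advise_after();
    unset($evt);
}

// --- plugin side (assumed plugin name 'sigauth') ----------------------------
// Verifies an HMAC-SHA256 over "user\ntimestamp" (assumed scheme, standing in
// for the OAuth signature the thread talks about). Constant-time comparison
// and a freshness window keep forged and replayed requests from authenticating.
function sigauth_verify($user, $ts, $sig, $secret) {
    if ($user === '' || !ctype_digit($ts)) return false;
    if (abs(time() - (int)$ts) > 300) return false;      // stale or replayed
    $expected = hash_hmac('sha256', $user . "\n" . $ts, $secret);
    return hash_equals($expected, $sig);                  // constant-time compare
}

class action_plugin_sigauth extends DokuWiki_Action_Plugin {
    // Constructed secret for the example; a real plugin loads it from its config.
    const SECRET = 'example-shared-secret';

    function register(Doku_Event_Handler $controller) {
        $controller->register_hook('ACTION_ON_AUTH', 'BEFORE', $this,
                                   'handle_signed_request');
    }

    function handle_signed_request(Doku_Event $event, $param) {
        // The web server (basic auth) already identified the user: do not
        // override it, and do not block the default login path either.
        if (!empty($_SERVER['REMOTE_USER'])) return;

        $user = isset($_REQUEST['sig_user']) ? (string)$_REQUEST['sig_user'] : '';
        $ts   = isset($_REQUEST['sig_ts'])   ? (string)$_REQUEST['sig_ts']   : '';
        $sig  = isset($_REQUEST['sig'])      ? (string)$_REQUEST['sig']      : '';

        // Unsigned or badly signed request: say nothing, auth_login() runs.
        if (!sigauth_verify($user, $ts, $sig, self::SECRET)) return;

        global $USERINFO, $auth;
        $info = $auth->getUserData($user);
        if ($info === false) return;                      // signed, but unknown user

        // Publish the identity the way Robin's plugin does, so both the plugins
        // that read REMOTE_USER and the core that reads $USERINFO agree.
        $_SERVER['REMOTE_USER'] = $user;
        $USERINFO = $info;
        $event->preventDefault();                         // skip auth_login()
    }
}
```

The handler deliberately returns without calling preventDefault() on any failure, so a bad signature degrades to the normal login prompt instead of a half-authenticated state; the only path that sets REMOTE_USER is the one where the signature, the freshness window and the user lookup all succeeded.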
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
