Andreas Gohr wrote:
> Hi
>
>> Attached patch adds two new events to dokuwiki to facilitate
>> authentication of signed requests as well as to sign outgoing HTTP requests.
>
> Nice, I got a question about the changes in auth.php though:
>
> -
> auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
> + $evt = new Doku_Event('ACTION_ON_AUTH',$ACT);
> + $evt->advise_before();
> + if(empty($_SERVER['REMOTE_USER'])) {
> +
> auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
> + }
> + $evt->advise_after();
> + unset($evt);
>
> You add a if(empty($_SERVER['REMOTE_USER'])) check which IMHO would
> prevent logging in where DokuWiki runs within a Webserver (basic auth)
> protected environment. I assume you added this to be able to set
> REMOTE_USER in the before event handler. Shouldn't we better use

yes, you assumed correctly ;)

In my case, the OAuth-plugin is setting

  $_SERVER['REMOTE_USER']=$user;
  global $USERINFO, $auth;
  $USERINFO = $auth->getUserData($user);

to authenticate.

Many plugins (eg. blog, feed, openid) get the 'currently logged in
username' from $_SERVER['REMOTE_USER'] instead of the global $USERINFO :(

> + if($evt->advise_before()) {
> +
> auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
> + }

yes, that's indeed a better solution. But it should be negated:

  if (!$evt->advise_before()) auth_login(...)

auth_login() should only be called if the plugin(s) _fail(s)_ to provide
authentication.

robin

--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
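
Review bot: In the first quoted auth.php hunk, the `if(empty($_SERVER['REMOTE_USER']))` guard cannot tell a value set by an ACTION_ON_AUTH handler from one already set by the web server, so in a basic-auth protected setup `auth_login()` is never reached. Gate the call on the event's result rather than on REMOTE_USER, and add a comment that a handler must verify the signed request before it assigns REMOTE_USER, because that assignment alone skips the `auth_login()` path.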
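
Review bot: In the second quoted hunk, `if($evt->advise_before())` has no comment saying what its return value means, and the reply to it reads the polarity the opposite way. Add a one-line comment above the condition stating which return value indicates that a handler has already authenticated the request, so the decision to call or skip `auth_login()` is unambiguous to plugin authors.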