Robin Gareus wrote:
> Mikhail I. Izmestev wrote:
>> + $evdata = array(
>> + 'action' => $ACT,
>> + 'user' => $_REQUEST['u'],
>> + 'password' => $_REQUEST['p'],
>> + 'sticky' => $_REQUEST['r'],
>> + 'silent' => $_REQUEST['http_credentials'],
>> + );
>> + $evt = new Doku_Event('AUTH_LOGIN_CHECK',$ACT);
>>
>> May be $evdata instead $ACT must be used here?
>
> yes, you are quite right. Andy can you patch inc/auth.php:
>
> - $evt = new Doku_Event('AUTH_LOGIN_CHECK',$ACT);
> + $evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata);
>
> I did not notice this, because the OAuth-plugin does not use
> $event->data, only $event->preventDefault().
>
> To raise a bit of concern:
>
> Andy:

OOPS - I meant "@Andi:" - sorry to get your name wrong..

> What were your intentions passing a modifiable username&password
> along with the event, anyway?
>
> My original patch ( see
> //www.freelists.org/post/dokuwiki/signing-requests,3 ) did not
> include this.
>
> I don't see a good use-case for rewriting username&password from within
> an event hook. It will only inspire coders to /inject/ passwords via
> "AUTH_LOGIN_CHECK". Yet passwords should be handled via an
> inc/auth/*class.php
>
> IMHO this event should only react on tokens or signatures and directly
> set $_SERVER['REMOTE_USER']=$user; global $auth, $USERINFO;
> $USERINFO = $auth->getUserData($_SERVER['REMOTE_USER']);
>
> The problem with calling auth_login() is that it generates a session and
> doku_cookie, which should be left alone when authenticating a single
> request by signature.
>
> 2c,
> robin

--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
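
Review bot: in the $evdata array of the first quoted hunk, the entry 'password' => $_REQUEST['p'] places the submitted cleartext password in the event payload, so once $evdata is what the event carries, every handler registered for AUTH_LOGIN_CHECK receives it, and the message above describes it as modifiable. If handlers are only meant to decide on tokens or signatures, drop 'user' and 'password' from the array, or document next to the array why a hook needs them. The four $_REQUEST reads in the same array are also taken as-is; unless they are guarded outside the lines shown, a request that omits u, p, r or http_credentials leaves those keys undefined, so an isset() check or an explicit default per key would make the payload well defined for handlers.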
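
Review bot: on the replacement line "+ $evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata);" in the inc/auth.php hunk, nothing in the lines shown says what the default login step does with $evdata after the handlers have run. If it keeps reading $_REQUEST, handler edits to the array are silently ignored; if it reads the values back from $evdata, any plugin can substitute the credentials being checked, which is the concern raised in the message. State the intended contract in a comment beside this line, and if handlers are not supposed to change credentials, pass them a copy or re-read the request values before the default check.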