From: arno
Date: Fri, 7 Aug 2009 14:04:02 +0000 (+0200)
Subject: authentification with password is possible when performing update/add/delete
X-Git-Tag: v0.2~9
X-Git-Url: https://dev.renevier.net/gitweb.cgi?p=syp.git;a=commitdiff_plain;h=080f837e8fbca48c55f4549df13b9c4772db3613

authentification with password is possible when performing update/add/delete
---
diff --git a/api.php b/api.php
index 18c7179..052b514 100644
--- a/api.php
+++ b/api.php
@@ -175,28 +175,41 @@ function unique_file ($dirname, $relpath, $con) {
     return null;
 }
 
-function main ($con) {
-    if (!isset ($_POST ["request"])) {
-        request_error ();
-    }
-    if ($_POST ["request"] == "auth") {
-        $pwd = unquote ($_POST["password"]);
-        $user = "admin";
+function check_auth ($con, $pwd, $cookie_name, $auth_only) {
+    $authentificated = false;
+    $user = "admin";
+
+    if ($pwd) {
         if ($con->checkpwdmd5 ($user, md5 ($pwd))) {
             // cookie will be valid for 2 weeks. I've chosen that value
             // arbitrarily, and it may change in the future.
             $time = time () + 14 * 60 * 24 * 60;
-            $cookie_name = sprintf ("%sauth", DBPREFIX);
             setcookie ($cookie_name, md5 ($pwd), $time, "" , "", false, true);
-            success_auth ();
+            $authentificated = true;
+            if ($auth_only) {
+                success_auth ();
+            }
         } else {
             unauthorized_error ();
         }
     }
-    if (!($con->checkpwdmd5 ("admin",
-                $_COOKIE [sprintf ("%sauth", DBPREFIX)]))) {
+
+    if (!$authentificated && !($con->checkpwdmd5 ($user,
+                $_COOKIE [$cookie_name]))) {
         unauthorized_error ();
     }
+}
+
+function main ($con) {
+    if (!isset ($_POST ["request"])) {
+        request_error ();
+    }
+
+    $pwd = unquote ($_POST["password"]);
+    $cookie_name = sprintf ("%sauth", DBPREFIX);
+    // does user only want authentication or does he want to do other things
+    $auth_only = ($_POST ["request"] == "auth");
+    check_auth ($con, $pwd, $cookie_name, $auth_only);
 
     switch ($_POST ["request"]) {
     case "update":
diff --git a/devdoc/api.txt b/devdoc/api.txt
index cc1413e..590964a 100644
--- a/devdoc/api.txt
+++ b/devdoc/api.txt
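Review bot: `main` now reads `$_POST["password"]` unconditionally in the added line `$pwd = unquote ($_POST["password"]);`, yet the devdoc change in this same commit says the field may be absent for cookie-authenticated update/add/delete requests, so those requests emit an undefined-index notice before `check_auth` runs; the same unguarded read exists for `$_COOKIE [$cookie_name]` in `check_auth` when no cookie has been issued yet. Guard both reads, e.g. `$pwd = isset ($_POST ["password"]) ? unquote ($_POST ["password"]) : null;` in `main`, and `$cookie = isset ($_COOKIE [$cookie_name]) ? $_COOKIE [$cookie_name] : "";` ahead of the `checkpwdmd5` call in `check_auth`. Note also that `if ($pwd)` tests truthiness, so the literal password `"0"` is treated as "not supplied" and silently falls back to the cookie check; `if ($pwd !== null && $pwd !== "")` states the intent. Since the cookie value is `md5 ($pwd)` with a two-week lifetime and `secure` set to false, the cookie is a long-lived password-equivalent credential that the browser will also send over plain HTTP and that can only be revoked by changing the password, which deserves a comment above `setcookie` so a later maintainer sees the trade-off. The body of `main` continues past the end of the hunk.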
@@ -11,13 +11,15 @@ Client submits a classic html form to server.
 **note**: In this documentation, php notation is used (`_POST` and `_FILES`), but server may be written in any language.
+` _POST["password"]` may contains user password. If it is set, access is
+  checked. If it is not set, authentification cookie is checked. If neither are
+  present, or if one of them is wrong, access is denied.
+
 `_POST["request"]` is either:
 ## auth
 asks for authentication
- * ` _POST["password"]` must contains user password
-
 ## add
 adds a new feature