diff options
author | cash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-06 12:34:00 +0000 |
---|---|---|
committer | cash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-06 12:34:00 +0000 |
commit | e38e82687bdb67eccadd46b2615df2baa4e0b7ce (patch) | |
tree | 6e90ff9592d3c9e2146b06ebc9746d652b00f1db | |
parent | 4044e085cd5b5698b05f1a070cd95b453c19aa69 (diff) | |
download | elgg-e38e82687bdb67eccadd46b2615df2baa4e0b7ce.tar.gz elgg-e38e82687bdb67eccadd46b2615df2baa4e0b7ce.tar.bz2 |
removing username/password authorization for REST by default - developers can add their own custom PAM using the plugin hook if they require this
git-svn-id: http://code.elgg.org/elgg/trunk@3627 36083f99-b078-4883-b0ff-0f9b5a30f544
-rw-r--r-- | engine/lib/pam.php | 11 | ||||
-rw-r--r-- | services/api/rest.php | 3 |
2 files changed, 14 insertions, 0 deletions
diff --git a/engine/lib/pam.php b/engine/lib/pam.php index 04f29f412..17b10b5cc 100644 --- a/engine/lib/pam.php +++ b/engine/lib/pam.php @@ -45,6 +45,17 @@ function register_pam_handler($handler, $importance = "sufficient") { } /** + * Unregisters a PAM handler. + * + * @param string $handler The PAM handler function name + */ +function unregister_pam_handler($handler) { + global $_PAM_HANDLERS; + + unset($_PAM_HANDLERS[$handler]); +} + +/** * Attempt to authenticate. * This function will process all registered PAM handlers or stop when the first * handler fails. A handler fails by either returning false or throwing an diff --git a/services/api/rest.php b/services/api/rest.php index a569e7e26..46931f8b5 100644 --- a/services/api/rest.php +++ b/services/api/rest.php @@ -29,6 +29,9 @@ if ((isset($CONFIG->disable_api)) && ($CONFIG->disable_api == true)) { // plugins should return true to control what API and user authentication handlers are registered if (trigger_plugin_hook('rest', 'init', null, false) == false) { + // remove normal password pam (does not work by default with REST anyway) + unregister_pam_handler('pam_auth_userpass'); + // check session - this usually means a REST call from a web browser register_pam_handler('pam_auth_session'); // user token can also be used for user authentication |