not only break if access is granted. It should also break if
access was *denied* by one provider. To be safe, it also has to
break if an error occurred. So the patch turns the condition around
and continues only if the user was not found.
I also find it weird that, if auth was denied (by password
usually), the AuthBasicAuthoritative behaviour can override that
by "passing to lower modules". The patch changes that behaviour,
too.
Justin notes:
I'm kind of on the fence about that. I was originally thinking
optimistically, but yeah, it might make sense to do it
pessimistically. If there's any error, bug out.
Submitted by: Andre Malo <nd@perlig.de>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97801 13f79535-47bb-0310-9956-ffa450edef68
auth_result = provider->check_password(r, sent_user, sent_pw);
- /* Access is granted. Stop checking. */
- if (auth_result == AUTH_GRANTED) {
+ /* Something occured. Stop checking. */
+ if (auth_result != AUTH_USER_NOT_FOUND) {
break;
}
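Review bot: The new comment "Something occured. Stop checking." above the `auth_result != AUTH_USER_NOT_FOUND` test does not say which results end the provider loop, and "occured" is misspelled. The loop now stops on granted, denied and error results alike, and only AUTH_USER_NOT_FOUND moves on to the next provider, so a comment along the lines of "Only try the next provider if this one did not know the user" would state the intent directly.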
int return_code;
/* If we're not authoritative, then any error is ignored. */
- if (!(conf->authoritative)) {
+ if (!(conf->authoritative) && auth_result != AUTH_DENIED) {
return DECLINED;
}
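Review bot: The comment "If we're not authoritative, then any error is ignored." is stale once the condition becomes `!(conf->authoritative) && auth_result != AUTH_DENIED`, because a denial is no longer ignored; update the comment in the same change and document the changed AuthBasicAuthoritative behaviour. As far as this hunk shows, any result other than AUTH_DENIED that reaches this test still returns DECLINED when not authoritative, so a provider error would still be passed to lower modules. If the intent is to stop on any error, the exemption should be limited to AUTH_USER_NOT_FOUND.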
auth_result = provider->get_realm_hash(r, user, conf->realm,
&password);
- /* User is found. Stop checking. */
- if (auth_result == AUTH_USER_FOUND) {
+ /* Something occured. Stop checking. */
+ if (auth_result != AUTH_USER_NOT_FOUND) {
break;
}
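Review bot: With the loop now exiting on every result except AUTH_USER_NOT_FOUND, it can end without get_realm_hash having filled in `password`. The code after the loop is not visible in this hunk, so confirm that it tests auth_result against AUTH_USER_FOUND before `password` is used. The "Something occured. Stop checking." comment has the same misspelling as in the check_password loop and would be clearer if it named the one result that continues to the next provider.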