Subject: | some parts of AuthCookie don't work if you have a user_id of 0 |
There's a bunch of code in both versions of AuthCookie that won't work
if you, for some bizarre reason, have a user whose ID is 0 (zero).
I've attached a git diff that (I think) should fix it, but I had to make
a change to the Sample handler in the tests to get it to work. It was
returning an empty string for non-logged-in users, as opposed to
returning nothing, or undef.
The documentation doesn't explicitly say that the empty string should
work as a non-valid return from authen_ses_key, but because the test was
like that, I could understand some reluctance to apply this patch as is.
Subject: | ac.patch |
diff --git a/lib/Apache/AuthCookie.pm b/lib/Apache/AuthCookie.pm
index ec7f10e..5aec195 100644
--- a/lib/Apache/AuthCookie.pm
+++ b/lib/Apache/AuthCookie.pm
@@ -17,7 +17,7 @@ sub recognize_user ($$) {
my ($self, $r) = @_;
# only check if user is not already set
- return DECLINED if $r->connection->user;
+ return DECLINED if defined($r->connection->user);
my $debug = $r->dir_config("AuthCookieDebug") || 0;
my ($auth_type, $auth_name) = ($r->auth_type, $r->auth_name);
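Review bot: The new `return DECLINED if defined($r->connection->user);` declines for any value in the user slot, including an empty string, whereas the old truth test only declined for a non-empty user; whether mod_perl can hand back "" rather than undef for an unset user is not visible here, so this is only worth checking, not necessarily wrong. If an empty slot is possible in this API, `return DECLINED if defined($r->connection->user) && length($r->connection->user);` keeps a user of "0" working while still re-running cookie recognition when nothing meaningful is set. The Apache2 hunk with `return DECLINED if defined($r->user);` has the same consideration. recognize_user continues outside the hunk.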
@@ -33,7 +33,7 @@ sub recognize_user ($$) {
return DECLINED unless $cookie;
my ($user, @args) = $auth_type->authen_ses_key($r, $cookie);
- if ($user and scalar @args == 0) {
+ if (defined($user) and scalar @args == 0) {
$r->log_error("user is $user") if $debug >= 2;
# if SessionTimeout is on, send new cookie with new Expires.
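Review bot: `if (defined($user) and scalar @args == 0)` now accepts an empty string as a successfully authenticated user, which is exactly what the pre-patch Sample handler returned on failure; any deployed authen_ses_key subclass that still returns "" on a bad session key would be treated as logged in as user "" and later reach the authorize requires loop. Guarding on length as well keeps the zero-ID fix intact while closing that gap: `if (defined($user) and length($user) and scalar @args == 0) {`, with a comment such as `# a user of "0" is valid; only undef or "" means authentication failed`. The same applies to the authenticate hunk in this file and to both the recognize_user and authenticate hunks in lib/Apache2/AuthCookie.pm. recognize_user's body continues outside the hunk.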
@@ -272,7 +272,7 @@ sub authenticate ($$) {
my ($auth_user, @args) =
$auth_type->authen_ses_key($r, $ses_key_cookie);
- if ($auth_user and scalar @args == 0) {
+ if (defined($auth_user) and scalar @args == 0) {
# We have a valid session key, so we return with an OK value.
# Tell the rest of Apache what the authentication method and
@@ -375,7 +375,7 @@ sub authorize ($$) {
my $reqs_arr = $r->requires or return DECLINED;
my $user = $r->connection->user;
- unless ($user) {
+ unless (defined($user)) {
# user is either undef or =0 which means the authentication failed
$r->log_reason("No user authenticated", $r->uri);
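Review bot: The context comment `# user is either undef or =0 which means the authentication failed` is now stale, since the changed `unless (defined($user))` treats a user of "0" as valid and only undef as failure; it should read `# user is undef, which means the authentication failed (a user of "0" is valid)`. As in the recognize_user hunk, an empty-string user now passes this check too, so `unless (defined($user) && length($user))` would be the safer spelling if any handler can set "" as the user. The authorize hunk in lib/Apache2/AuthCookie.pm carries the same comment and the same check. authorize continues outside the hunk.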
diff --git a/lib/Apache2/AuthCookie.pm b/lib/Apache2/AuthCookie.pm
index 4505a3f..714d810 100644
--- a/lib/Apache2/AuthCookie.pm
+++ b/lib/Apache2/AuthCookie.pm
@@ -25,7 +25,7 @@ sub recognize_user {
my ($self, $r) = @_;
# only check if user is not already set
- return DECLINED if $r->user;
+ return DECLINED if defined($r->user);
my $debug = $r->dir_config("AuthCookieDebug") || 0;
@@ -46,7 +46,7 @@ sub recognize_user {
my ($user,@args) = $auth_type->authen_ses_key($r, $cookie);
- if ($user and scalar @args == 0) {
+ if (defined($user) and scalar @args == 0) {
$r->server->log_error("user is $user") if $debug >= 2;
# send cookie with update expires timestamp if session timeout is on
@@ -273,7 +273,7 @@ sub authenticate {
if ($ses_key_cookie) {
my ($auth_user, @args) = $auth_type->authen_ses_key($r, $ses_key_cookie);
- if ($auth_user and scalar @args == 0) {
+ if (defined($auth_user) and scalar @args == 0) {
# We have a valid session key, so we return with an OK value.
# Tell the rest of Apache what the authentication method and
# user is.
@@ -380,7 +380,7 @@ sub authorize {
$r->server->log_error("authorize user=$user type=$auth_type") if $debug >=3;
- unless ($user) {
+ unless (defined($user)) {
# user is either undef or =0 which means the authentication failed
$r->server->log_error("No user authenticated", $r->uri);
return HTTP_FORBIDDEN;
diff --git a/t/lib/Sample/Apache/AuthCookieHandler.pm b/t/lib/Sample/Apache/AuthCookieHandler.pm
index f424397..d4e8574 100644
--- a/t/lib/Sample/Apache/AuthCookieHandler.pm
+++ b/t/lib/Sample/Apache/AuthCookieHandler.pm
@@ -33,7 +33,7 @@ sub authen_ses_key ($$$) {
} elsif ($user eq "some-user") {
$user;
} else {
- "";
+ undef;
}
}
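Review bot: The Sample handler gains no branch that returns a user of "0", so the zero-ID case the patch exists to fix is still not exercised by the tests; a branch such as `} elsif ($user eq "0") { $user; }` before the final `else` would cover it, though the start of the chain is outside the hunk so the exact placement is inferred. The trailing `undef;` does work for the callers' `my ($user, @args) = ...` (one undef element, @args empty), but a bare `return;` is the idiomatic way to signal "nothing" here. The Apache2 Sample handler hunk has the same gap.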
diff --git a/t/lib/Sample/Apache2/AuthCookieHandler.pm b/t/lib/Sample/Apache2/AuthCookieHandler.pm
index d397860..8dd238e 100644
--- a/t/lib/Sample/Apache2/AuthCookieHandler.pm
+++ b/t/lib/Sample/Apache2/AuthCookieHandler.pm
@@ -35,7 +35,7 @@ sub authen_ses_key ($$$) {
} elsif ($user eq "some-user") {
$user;
} else {
- "";
+ undef;
}
}