Merge branch 'bugfix/basic-auth-api-only-11151'

fixes #11151
2016-02-15 14:24:29 +01:00 · 2016-02-15 14:24:29 +01:00 · 2b2f759ef5
parent 601592dbf8 74b4c344d6
commit 2b2f759ef5
2 changed files with 7 additions and 7 deletions
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@ -270,7 +270,7 @@ class Auth
    }

    /**
-     * Attempt to authenticate a user using HTTP authentication
+     * Attempt to authenticate a user using HTTP authentication on API requests only
     *
     * Supports only the Basic HTTP authentication scheme. XHR will be ignored.
     *
@ -278,13 +278,11 @@ class Auth
     */
    protected function authHttp()
    {
-        if ($this->getRequest()->isXmlHttpRequest()) {
+        $request = $this->getRequest();
+        if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
            return false;
        }
-        if (($header = $this->getRequest()->getHeader('Authorization')) === false) {
-            return false;
-        }
-        if (empty($header)) {
+        if (empty($header = $request->getHeader('Authorization'))) {
            $this->challengeHttp();
        }
        list($scheme) = explode(' ', $header, 2);
--- a/library/Icinga/Web/Session/PhpSession.php
+++ b/library/Icinga/Web/Session/PhpSession.php
@ -213,7 +213,9 @@ class PhpSession extends Session
    public function refreshId()
    {
        $this->open();
-        session_regenerate_id();
+        if ($this->exists()) {
+            session_regenerate_id();
+        }
        session_write_close();
        $this->hasBeenTouched = true;
    }