removing username/password authorization for REST by default - developers can add...

git-svn-id: http://code.elgg.org/elgg/trunk@3627 36083f99-b078-4883-b0ff-0f9b5a30f544

diff --git a/engine/lib/pam.php b/engine/lib/pam.php
index 04f29f412ee62688a5397521a31802cbc5834ff4..17b10b5ccfd4bdcebfb234ee99fcb5c9a45f259d 100644 (file)
--- a/engine/lib/pam.php
+++ b/engine/lib/pam.php
@@ -44,6 +44,17 @@ function register_pam_handler($handler, $importance = "sufficient") {
        return false;
 }
 
+/**
+ * Unregisters a PAM handler.
+ *
+ * @param string $handler The PAM handler function name
+ */
+function unregister_pam_handler($handler) {
+       global $_PAM_HANDLERS;
+
+       unset($_PAM_HANDLERS[$handler]);
+}
+
 /**
  * Attempt to authenticate.
  * This function will process all registered PAM handlers or stop when the first 

diff --git a/services/api/rest.php b/services/api/rest.php
index a569e7e266500c78b929b0700ca5752d64dcf74f..46931f8b549729ca9b920d84fb5e2786a1b1447f 100644 (file)
--- a/services/api/rest.php
+++ b/services/api/rest.php
@@ -29,6 +29,9 @@ if ((isset($CONFIG->disable_api)) && ($CONFIG->disable_api == true)) {
 
 // plugins should return true to control what API and user authentication handlers are registered
 if (trigger_plugin_hook('rest', 'init', null, false) == false) {
+       // remove normal password pam (does not work by default with REST anyway)
+       unregister_pam_handler('pam_auth_userpass');
+       
        // check session - this usually means a REST call from a web browser
        register_pam_handler('pam_auth_session');
        // user token can also be used for user authentication