From 2bebdd344b7259738c2d424572d202482d92e6f1 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Wed, 16 Dec 2009 14:56:46 +0300
Subject: [PATCH] api: forbid login when api is disabled (fixed)
---
 api/index.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/api/index.php b/api/index.php
index 332e84f5a..8d7e1db96 100644
--- api/index.php
+++ api/index.php
@@ -58,14 +58,21 @@
 $login = db_escape_string($_REQUEST["user"]);
 $password = db_escape_string($_REQUEST["password"]);
- if (get_pref($link, "ENABLE_API_ACCESS", $login)) {
+ $result = db_query($link, "SELECT id FROM ttrss_users WHERE login = '$login'");
+
+ if (db_num_rows($result) != 0) {
+ $uid = db_fetch_result($result, 0, "id");
+ } else {
+ $uid = 0;
+ }
+
+ if (get_pref($link, "ENABLE_API_ACCESS", $uid)) {
 if (authenticate_user($link, $login, $password)) {
 print json_encode(array("uid" => $_SESSION["uid"]));
 } else {
 print json_encode(array("error" => "LOGIN_ERROR"));
 }
 } else {
- logout_user();
 print json_encode(array("error" => "API_DISABLED"));
 }
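Review bot: The `ENABLE_API_ACCESS` lookup runs before `authenticate_user()`, so a caller who has not presented a valid password gets `API_DISABLED` for some logins and `LOGIN_ERROR` for others, which discloses per-account state before any credential check. The `$uid = 0` fallback adds to this: `get_pref` is not visible here, and if it treats a falsy uid as "use the current session user", an unknown login would be evaluated against someone else's preference rather than rejected. Checking the password first and the preference second keeps the pre-authentication response uniform; this assumes `authenticate_user()` populates `$_SESSION["uid"]` on success, as the existing success branch already relies on. The enclosing block starts and ends outside the hunk.

```php
// … unchanged: $login / $password escaping …
if (authenticate_user($link, $login, $password)) {
	// Only an authenticated caller learns whether API access is enabled.
	if (get_pref($link, "ENABLE_API_ACCESS", $_SESSION["uid"])) {
		print json_encode(array("uid" => $_SESSION["uid"]));
	} else {
		logout_user();
		print json_encode(array("error" => "API_DISABLED"));
	}
} else {
	print json_encode(array("error" => "LOGIN_ERROR"));
}
```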