authorAndreas Gohr <andi@splitbrain.org>2020-05-01 19:00:44 +0200
committerGitHub <noreply@github.com>2020-05-01 19:00:44 +0200
commit2d483a86bc8bf119cb75c3cd38da78c86d9cb3ae (patch)
tree36b8e7b7fc572ea1120ee1b6bf07a981a0f94157
parent34a53996a6ba48707d588e734f6bc98c3fb4a4b5 (diff)
parent81e99965a7aab42532a9b5313c6c64b8272c436c (diff)
downloaddokuwiki-2d483a86bc8bf119cb75c3cd38da78c86d9cb3ae.tar.gz
dokuwiki-2d483a86bc8bf119cb75c3cd38da78c86d9cb3ae.zip
Merge pull request #3006 from splitbrain/auth-external-fallback
fallback to auth_login check when trustExternal returns null
-rw-r--r--inc/Extension/AuthPlugin.php11
-rw-r--r--inc/Remote/ApiCore.php4
-rw-r--r--inc/auth.php12
3 files changed, 18 insertions, 9 deletions
diff --git a/inc/Extension/AuthPlugin.php b/inc/Extension/AuthPlugin.php
index 2123e1320..4b75fba95 100644
--- a/inc/Extension/AuthPlugin.php
+++ b/inc/Extension/AuthPlugin.php
@@ -165,9 +165,11 @@ abstract class AuthPlugin extends Plugin
*
* If this function is implemented it will be used to
* authenticate a user - all other DokuWiki internals
- * will not be used for authenticating, thus
- * implementing the checkPass() function is not needed
- * anymore.
+ * will not be used for authenticating (except this
+ * function returns null, in which case, DokuWiki will
+ * still run auth_login as a fallback, which may call
+ * checkPass()). If this function is not returning null,
+ * implementing checkPass() is not needed here anymore.
*
* The function can be used to authenticate against third
* party cookies or Apache auth mechanisms and replaces
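Review bot: The rewritten paragraph never says what a `false` return means, so an implementer cannot tell rejection apart from "undecided". The caller hunks in this commit test `$ok === null`, and PHP yields `null` for a method that ends without a `return`, so an implementation that rejects by falling off the end would now reach the auth_login fallback instead of denying. I would add a sentence such as `Return false explicitly to reject the request; null (including a missing return) hands the decision to auth_login.` and reword "except this function returns null" to "unless this function returns null". The docblock starts and ends outside this hunk.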
@@ -189,7 +191,8 @@ abstract class AuthPlugin extends Plugin
* @param string $user Username
* @param string $pass Cleartext Password
* @param bool $sticky Cookie should not expire
- * @return bool true on successful auth
+ * @return bool true on successful auth,
+ * null on unknown result (fallback to checkPass)
*/
public function trustExternal($user, $pass, $sticky = false)
{
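Review bot: The `@return` tag still declares `bool` although the description now documents a `null` result, so IDEs and static analysers reading the tag will treat `null` as impossible. `@return bool|null true on successful auth, null on unknown result (fallback to auth_login)` would match what the callers check. It also names auth_login rather than checkPass, which the paragraph above says only "may" be called by the fallback. The method body is outside the hunk, so what the base implementation returns by default is not visible here.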
diff --git a/inc/Remote/ApiCore.php b/inc/Remote/ApiCore.php
index ffee37acf..3aa7861f4 100644
--- a/inc/Remote/ApiCore.php
+++ b/inc/Remote/ApiCore.php
@@ -972,9 +972,11 @@ class ApiCore
if (!$auth) return 0;
@session_start(); // reopen session for login
+ $ok = null;
if ($auth->canDo('external')) {
$ok = $auth->trustExternal($user, $pass, false);
- } else {
+ }
+ if ($ok === null){
$evdata = array(
'user' => $user,
'password' => $pass,
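Review bot: With the `else` removed, the `$evdata` array holding the cleartext password is now also built for backends that advertise `external`, whenever `trustExternal()` returns null. The consumer of `$evdata` is outside the hunk, but if it is dispatched to other handlers, they would start receiving credentials on external-auth wikis where this path was previously never taken. That deserves a comment at the branch and a line in the release notes, for example `// null = undecided, continue with the regular login check; false = final rejection, no fallback`. The same pattern is added to auth_setup() in inc/auth.php. As a style point, `if ($ok === null){` lacks the space before the brace that the inc/auth.php hunk uses.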
diff --git a/inc/auth.php b/inc/auth.php
index 0630a76f0..28c4a793e 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -100,10 +100,14 @@ function auth_setup() {
$INPUT->set('p', stripctl($INPUT->str('p')));
}
- if(!is_null($auth) && $auth->canDo('external')) {
- // external trust mechanism in place
- $auth->trustExternal($INPUT->str('u'), $INPUT->str('p'), $INPUT->bool('r'));
- } else {
+ $ok = null;
+ if (!is_null($auth) && $auth->canDo('external')) {
+ $ok = $auth->trustExternal($INPUT->str('u'), $INPUT->str('p'), $INPUT->bool('r'));
+ }
+
+ if ($ok === null) {
+ // external trust mechanism not in place, or returns no result,
+ // then attempt auth_login
$evdata = array(
'user' => $INPUT->str('u'),
'password' => $INPUT->str('p'),