Diffstat (limited to 'inc/auth.php')
-rw-r--r--inc/auth.php38
1 files changed, 23 insertions, 15 deletions
diff --git a/inc/auth.php b/inc/auth.php
index b9ed0b85e..bb0ad57dc 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -245,19 +245,21 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
// we got a cookie - see if we can trust it
// get session info
- $session = $_SESSION[DOKU_COOKIE]['auth'];
- if(isset($session) &&
- $auth->useSessionCache($user) &&
- ($session['time'] >= time() - $conf['auth_security_timeout']) &&
- ($session['user'] == $user) &&
- ($session['pass'] == sha1($pass)) && //still crypted
- ($session['buid'] == auth_browseruid())
- ) {
-
- // he has session, cookie and browser right - let him in
- $INPUT->server->set('REMOTE_USER', $user);
- $USERINFO = $session['info']; //FIXME move all references to session
- return true;
+ if (isset($_SESSION[DOKU_COOKIE])) {
+ $session = $_SESSION[DOKU_COOKIE]['auth'];
+ if (isset($session) &&
+ $auth->useSessionCache($user) &&
+ ($session['time'] >= time() - $conf['auth_security_timeout']) &&
+ ($session['user'] == $user) &&
+ ($session['pass'] == sha1($pass)) && //still crypted
+ ($session['buid'] == auth_browseruid())
+ ) {
+
+ // he has session, cookie and browser right - let him in
+ $INPUT->server->set('REMOTE_USER', $user);
+ $USERINFO = $session['info']; //FIXME move all references to session
+ return true;
+ }
}
// no we don't trust it yet - recheck pass but silent
$secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
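Review bot: The session-cache check on the new side still compares the stored hash with `==` (`$session['pass'] == sha1($pass)`). PHP's loose comparison treats two numeric-looking strings as numbers, so distinct digests can compare equal, and the comparison is not constant-time. Because this branch lets the user in without rechecking the password, I would write `hash_equals((string) $session['pass'], sha1($pass))` and use `===` for the `user` and `buid` fields, provided both sides are strings there. Separately, the added `isset($_SESSION[DOKU_COOKIE])` guard does not cover a missing `auth` key; `$session = $_SESSION[DOKU_COOKIE]['auth'] ?? null;` would handle both cases without the extra nesting. The body of auth_login starts and ends outside the hunk.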
@@ -467,8 +469,14 @@ function auth_ismanager($user = null, $groups = null, $adminonly = false, $recac
$user = $INPUT->server->str('REMOTE_USER');
}
}
- if(is_null($groups)) {
- $groups = $USERINFO ? (array) $USERINFO['grps'] : array();
+ if (is_null($groups)) {
+ // checking the logged in user, or another one?
+ if ($USERINFO && $user === $INPUT->server->str('REMOTE_USER')) {
+ $groups = (array) $USERINFO['grps'];
+ } else {
+ $groups = $auth->getUserData($user);
+ $groups = $groups ? $groups['grps'] : [];
+ }
}
// prefer cached result
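Review bot: The new else branch reads `$groups['grps']` without the `(array)` cast that the logged-in branch applies, and it reuses `$groups` to hold the whole user-data record first. If a backend returns a record with no `grps` key or a non-array value, the manager/admin check further down sees a different type than on the other path. Since the group list decides privileges, it should fail closed to an empty list: `$info = $auth->getUserData($user);` followed by `$groups = $info ? (array) ($info['grps'] ?? []) : [];`. The hunk also assumes `$auth` is a usable backend object at this point; that check, if any, is outside the hunk, as are the start and end of auth_ismanager.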