From f6f9e4508552bcc1b4e47a5f5f0f1b2ce88568aa Mon Sep 17 00:00:00 2001 From: Toby Zerner Date: Sat, 2 Jan 2016 15:07:33 +1030 Subject: [PATCH] Disable session (and thus enable sudo mode) when authenticating with API token --- src/Http/Middleware/AuthenticateWithHeader.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/Http/Middleware/AuthenticateWithHeader.php b/src/Http/Middleware/AuthenticateWithHeader.php index 447d62e84..044f1f489 100644 --- a/src/Http/Middleware/AuthenticateWithHeader.php +++ b/src/Http/Middleware/AuthenticateWithHeader.php @@ -37,10 +37,10 @@ class AuthenticateWithHeader implements MiddlewareInterface if (isset($parts[0]) && starts_with($parts[0], $this->prefix)) { $id = substr($parts[0], strlen($this->prefix)); - if (isset($parts[1]) && ApiKey::find($id)) { - $actor = $this->getUser($parts[1]); - - $request->getAttribute('session')->set('sudo_expiry', new DateTime); + if (isset($parts[1])) { + if (ApiKey::find($id)) { + $actor = $this->getUser($parts[1]); + } } elseif ($token = AccessToken::find($id)) { $token->touch(); @@ -49,6 +49,7 @@ class AuthenticateWithHeader implements MiddlewareInterface if (isset($actor)) { $request = $request->withAttribute('actor', $actor); + $request = $request->withoutAttribute('session'); } }