From 4cdd0d7ca35a37394811df817de7372daec4b2cd Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@bah.org.ru>
Date: Wed, 16 Dec 2009 14:49:33 +0300
Subject: api: forbid login when api is disabled

---
 api/index.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/api/index.php b/api/index.php
index 90ca5405c..332e84f5a 100644
--- a/api/index.php
+++ b/api/index.php
@@ -58,10 +58,15 @@
 			$login = db_escape_string($_REQUEST["user"]);
 			$password = db_escape_string($_REQUEST["password"]);
 
-			if (authenticate_user($link, $login, $password)) {
-				print json_encode(array("uid" => $_SESSION["uid"]));
+			if (get_pref($link, "ENABLE_API_ACCESS", $login)) {
+				if (authenticate_user($link, $login, $password)) {
+					print json_encode(array("uid" => $_SESSION["uid"]));
+				} else {
+					print json_encode(array("error" => "LOGIN_ERROR"));
+				}
 			} else {
-				print json_encode(array("error" => "LOGIN_ERROR"));
+				logout_user();
+				print json_encode(array("error" => "API_DISABLED"));
 			}
 
 			break;
-- 
cgit v1.2.3