implement api/user/create_apikey

Signed-off-by: Florian Pritz <bluewind@xinu.at>
author: Florian Pritz <bluewind@xinu.at> 2015-02-03 00:44:46 +0100
committer: Florian Pritz <bluewind@xinu.at> 2015-02-03 00:44:46 +0100
commit: e2c2740365b1f25beca1e174c8c5bda2950b7466 (patch)
tree: ccfdfe9fae92954acb4d1d2199f3c06c345b45a1 /application/core
parent: cb52a4cdc2daa45a61c728f5ec83603e6c6a71fa (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 1e724a865..fc08b10ae 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -66,7 +66,13 @@ class MY_Controller extends CI_Controller {
 			show_error("Function not JSON enabled");
 		}
 
-		if ($this->input->post("apikey") !== false) {
+		if ($this->uri->segment(1) == "api") {
+			is_cli_client(true);
+		}
+
+		if ($this->input->post("apikey") !== false
+				|| ($this->input->post("username") !== false
+					&& $this->input->post("password") !== false)) {
 			/* This relies on the authentication code always verifying the supplied
 			 * apikey. If the key is not verified/logged in an attacker could simply
 			 * add an empty "apikey" field to the CSRF form to circumvent the
author	Florian Pritz <bluewind@xinu.at>	2015-02-03 00:44:46 +0100
committer	Florian Pritz <bluewind@xinu.at>	2015-02-03 00:44:46 +0100
commit	e2c2740365b1f25beca1e174c8c5bda2950b7466 (patch)
tree	ccfdfe9fae92954acb4d1d2199f3c06c345b45a1 /application/core
parent	cb52a4cdc2daa45a61c728f5ec83603e6c6a71fa (diff)