From e2c2740365b1f25beca1e174c8c5bda2950b7466 Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Tue, 3 Feb 2015 00:44:46 +0100
Subject: implement api/user/create_apikey

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/core/MY_Controller.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'application/core')

diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 1e724a865..fc08b10ae 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -66,7 +66,13 @@ class MY_Controller extends CI_Controller {
 			show_error("Function not JSON enabled");
 		}
 
-		if ($this->input->post("apikey") !== false) {
+		if ($this->uri->segment(1) == "api") {
+			is_cli_client(true);
+		}
+
+		if ($this->input->post("apikey") !== false
+				|| ($this->input->post("username") !== false
+					&& $this->input->post("password") !== false)) {
 			/* This relies on the authentication code always verifying the supplied
 			 * apikey. If the key is not verified/logged in an attacker could simply
 			 * add an empty "apikey" field to the CSRF form to circumvent the
-- 
cgit v1.2.3-24-g4f1b