Item14506: tokenAuth should replace the current user

If a valid authtoken is provided, switch the user to that new identity. Don't ignore it. Clear the SUDO information from the session.
foswiki · Oct 12, 2017 · 5f4cdb2 · 5f4cdb2
1 parent 21409f4
commit 5f4cdb2
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/core/lib/Foswiki/LoginManager.pm b/core/lib/Foswiki/LoginManager.pm
@@ -355,14 +355,16 @@ sub loadSession {
       if defined $authUser;
 
 =begin TML
-   * Step 4: Still no user?  Try Token authentication.
+   * Step 4: Try Token authentication.  Allow the Token Auth to replace the current session user.  If a user provides a valid authentication token, it essentially logs them out and logs in a new user.
+      * If the user is currently running "sudo'd" to the admin user, clear that as well.
 =cut
 
-    if ( !$authUser ) {
+    my $tokenUser = $this->_getTokenCredentials($session);
+    if ($tokenUser) {
         _trace( $this,
-            "No session user, checking URI Params for an authentication token"
-        );
-        $authUser = $this->_getTokenCredentials($session);
+            "Replacing current user with $tokenUser from authtoken" );
+        $this->{_cgisession}->clear('SUDOFROMAUTHUSER');
+        $authUser = $tokenUser;
     }
 
 =begin TML