From 2bebdd344b7259738c2d424572d202482d92e6f1 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@bah.org.ru>
Date: Wed, 16 Dec 2009 14:56:46 +0300
Subject: [PATCH] api: forbid login when api is disabled (fixed)

---
 api/index.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/api/index.php b/api/index.php
index 332e84f5..8d7e1db9 100644
--- a/api/index.php
+++ b/api/index.php
@@ -58,14 +58,21 @@
 			$login = db_escape_string($_REQUEST["user"]);
 			$password = db_escape_string($_REQUEST["password"]);
 
-			if (get_pref($link, "ENABLE_API_ACCESS", $login)) {
+			$result = db_query($link, "SELECT id FROM ttrss_users WHERE login = '$login'");
+
+			if (db_num_rows($result) != 0) {
+				$uid = db_fetch_result($result, 0, "id");
+			} else {
+				$uid = 0;
+			}
+
+			if (get_pref($link, "ENABLE_API_ACCESS", $uid)) {
 				if (authenticate_user($link, $login, $password)) {
 					print json_encode(array("uid" => $_SESSION["uid"]));
 				} else {
 					print json_encode(array("error" => "LOGIN_ERROR"));
 				}
 			} else {
-				logout_user();
 				print json_encode(array("error" => "API_DISABLED"));
 			}
 
-- 
2.39.5