authorlorchard@mozilla.com <lorchard@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5>2009-06-10 15:02:31 (GMT)
committer lorchard@mozilla.com <lorchard@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5>2009-06-10 15:02:31 (GMT)
commit6c4d4c07d293fc5322e1ada67dcae5b61159c274 (patch)
tree669312cef50beaea5974d1f438d6e2acd70d77d1
parenta9b7187cdefa85529850dc3a5fc62a69627efb7d (diff)
bug 496612: quick tweaks to collections API auth, r=wenzel
git-svn-id: http://svn.mozilla.org/addons/trunk@27457 4eb1ac78-321c-0410-a911-ec516a8615a5
-rw-r--r--site/app/controllers/sharing_api_controller.php10
1 files changed, 4 insertions, 6 deletions
diff --git a/site/app/controllers/sharing_api_controller.php b/site/app/controllers/sharing_api_controller.php
index 5832401..0f7713d 100644
--- a/site/app/controllers/sharing_api_controller.php
+++ b/site/app/controllers/sharing_api_controller.php
@@ -87,10 +87,11 @@ class SharingApiController extends AppController
const STATUS_UNSUPPORTED_MEDIA = '415 Unsupported Media Type';
const STATUS_ERROR = '500 Internal Server Error';
- var $cache_lifetime = 10; // 10 seconds
+ var $cache_lifetime = 0; // 0 seconds
function forceCache() {
header('Cache-Control: public, max-age=' . $this->cache_lifetime);
+ header('Vary: X-API-Auth');
header('Last-Modified: ' . gmdate("D, j M Y H:i:s", $this->last_modified) . " GMT");
header('Expires: ' . gmdate("D, j M Y H:i:s", $this->last_modified + $this->cache_lifetime) . " GMT");
}
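Review bot: `forceCache()` still sends `Cache-Control: public` although `getAuthUser()` (second hunk) also accepts HTTP basic credentials, and the added `Vary: X-API-Auth` keys caches only on the token header. A shared cache that honours `public` may store a response built for one basic-auth caller and, after revalidating against `Last-Modified`, reuse it for another; `max-age=0` forces revalidation but does not forbid storage. If these responses can be per-user, consider `header('Vary: X-API-Auth, Authorization');` and `private` in place of `public` on the `Cache-Control` line. Whether `forceCache()` is also called for anonymous responses is not visible from this hunk.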
@@ -1400,17 +1401,14 @@ class SharingApiController extends AppController
function getAuthUser() {
$auth_user = null;
+ // 1: Check an auth header token
if (null == $auth_user && !empty($_SERVER['HTTP_X_API_AUTH'])) {
// Try accepting an API auth token in a header.
$token = $_SERVER['HTTP_X_API_AUTH'];
$auth_user = $this->ApiAuthToken->getUserForAuthToken($token);
}
- if (null == $auth_user && $this->Session->check('User')) {
- // Try grabbing the user from a logged in session.
- $auth_user = $this->Session->read('User');
- }
-
+ // 2: Check HTTP basic auth
if (null == $auth_user &&
!empty($_SERVER['PHP_AUTH_USER']) &&
!empty($_SERVER['PHP_AUTH_PW'])) {
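Review bot: The numbered comments record the order of the checks but not why the session lookup was dropped, so a later edit could reintroduce cookie-based auth on this API unnoticed. A docblock on `getAuthUser()` stating that only the `X-API-Auth` token and HTTP basic credentials are accepted, and that the logged-in session is deliberately ignored (presumably so a browser's ambient cookie cannot authorise API calls; confirm against bug 496612), would pin that down. The new `// 1: Check an auth header token` also repeats the existing `// Try accepting an API auth token in a header.` directly below it, so one of the two can go. Separately, `!empty($_SERVER['PHP_AUTH_PW'])` treats the password `"0"` as absent; `isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] !== ''` would not. The function body continues past the end of the hunk.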