soup-auth-manager: make URI username/password override cached info

This allows a page to, eg, force a logout by sending an XMLHttpRequest
using a bad password.

Based on a patch from Sergio Villar.

https://bugzilla.gnome.org/show_bug.cgi?id=631679

1 files changed, 7 insertions, 9 deletions

diff --git a/libsoup/soup-auth-manager.c b/libsoup/soup-auth-manager.c
index 5d1d1bcd..bb5ebb1f 100644
--- a/libsoup/soup-auth-manager.c
+++ b/libsoup/soup-auth-manager.c
@@ -361,9 +361,6 @@ authenticate_auth (SoupAuthManager *manager, SoupAuth *auth,
 	SoupAuthManagerPrivate *priv = SOUP_AUTH_MANAGER_GET_PRIVATE (manager);
 	SoupURI *uri;
 
-	if (soup_auth_is_authenticated (auth))
-		return TRUE;
-
 	if (proxy) {
 		SoupMessageQueue *queue;
 		SoupMessageQueueItem *item;
@@ -381,12 +378,13 @@ authenticate_auth (SoupAuthManager *manager, SoupAuth *auth,
 	} else
 		uri = soup_message_get_uri (msg);
 
-	if (uri->password && !prior_auth_failed) {
-		soup_auth_authenticate (auth, uri->user, uri->password);
-		return TRUE;
-	}
-
-	if (can_interact) {
+	/* If a password is specified explicitly in the URI, use it
+	 * even if the auth had previously already been authenticated.
+	 */
+	if (uri->password) {
+		if (!prior_auth_failed)
+			soup_auth_authenticate (auth, uri->user, uri->password);
+	} else if (!soup_auth_is_authenticated (auth) && can_interact) {
 		soup_auth_manager_emit_authenticate (manager, msg, auth,
 						     prior_auth_failed);
 	}