Diffstat (limited to 'app/FreshRSS.php')
-rw-r--r--app/FreshRSS.php51
1 files changed, 37 insertions, 14 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 10f362717..0e166cc3b 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -1,22 +1,24 @@
<?php
class FreshRSS extends Minz_FrontController {
- public function init($currentUser = null) {
- Minz_Session::init('FreshRSS');
- $this->accessControl($currentUser);
+ public function init() {
+ if (!isset($_SESSION)) {
+ Minz_Session::init('FreshRSS');
+ }
+ $this->accessControl(Minz_Session::param('currentUser', ''));
$this->loadParamsView();
$this->loadStylesAndScripts();
$this->loadNotifications();
}
private function accessControl($currentUser) {
- if ($currentUser === null) {
+ if ($currentUser == '') {
switch (Minz_Configuration::authType()) {
case 'http_auth':
$currentUser = httpAuthUser();
$loginOk = $currentUser != '';
break;
case 'persona':
- $currentUser = Minz_Configuration::defaultUser();
+ $currentUser = Minz_Configuration::defaultUser(); //TODO: Make Persona compatible with multi-user
$loginOk = Minz_Session::param('mail') != '';
break;
case 'none':
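Review bot: `if ($currentUser == '')` in accessControl is a loose comparison, and the new caller always hands in a string (`Minz_Session::param('currentUser', '')`), so `if ($currentUser === '')` states the intent without depending on PHP's loose-equality rules (`null == ''` is true while `'0' == ''` is not). The `if (!isset($_SESSION))` guard in `init()` presumably exists because some entry point (the CLI path, I would guess) starts the session earlier; a one-line comment such as `// Reuse a session already started by the caller` would spare the next reader that inference. accessControl's body continues past the end of this hunk.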
@@ -24,28 +26,49 @@ class FreshRSS extends Minz_FrontController {
$loginOk = true;
break;
default:
+ $currentUser = Minz_Configuration::defaultUser();
$loginOk = false;
break;
}
- } elseif ((PHP_SAPI === 'cli') && (Minz_Request::actionName() === 'actualize')) { //Command line
- Minz_Configuration::_authType('none');
+ } else {
$loginOk = true;
}
- if (!$loginOk || !isValidUser($currentUser)) {
- $currentUser = Minz_Configuration::defaultUser();
- $loginOk = false;
+ if (!ctype_alnum($currentUser)) {
+ Minz_Session::_param('currentUser', '');
+ die('Invalid username [' . $currentUser . ']!');
}
- Minz_Configuration::_currentUser($currentUser);
- Minz_View::_param ('loginOk', $loginOk);
try {
$this->conf = new FreshRSS_Configuration($currentUser);
} catch (Minz_Exception $e) {
- // Permission denied or conf file does not exist
- die($e->getMessage());
+ Minz_Session::_param('currentUser', '');
+ die('Invalid configuration for user [' . $currentUser . ']! ' . $e->getMessage()); //Permission denied or conf file does not exist
}
Minz_View::_param ('conf', $this->conf);
+ Minz_Session::_param('currentUser', $currentUser);
+
+ if ($loginOk) {
+ switch (Minz_Configuration::authType()) {
+ case 'http_auth':
+ $loginOk = $currentUser === httpAuthUser();
+ break;
+ case 'persona':
+ $loginOk = Minz_Session::param('mail') === $this->conf->mail_login;
+ break;
+ case 'none':
+ $loginOk = true;
+ break;
+ default:
+ $loginOk = false;
+ break;
+ }
+ if ((!$loginOk) && (PHP_SAPI === 'cli') && (Minz_Request::actionName() === 'actualize')) { //Command line
+ Minz_Configuration::_authType('none');
+ $loginOk = true;
+ }
+ }
+ Minz_View::_param ('loginOk', $loginOk);
}
private function loadParamsView () {
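Review bot: `die('Invalid username [' . $currentUser . ']!')` prints the rejected value unescaped, and that branch runs exactly when `ctype_alnum` has found characters outside `[A-Za-z0-9]` in a value that can come from `httpAuthUser()` or a stale session entry; either drop the echo or escape it, e.g. `die('Invalid username [' . htmlspecialchars($currentUser, ENT_QUOTES, 'UTF-8') . ']!');`. Note also that `ctype_alnum('')` is false, so under `http_auth` a request with no authenticated user (L35 shows `httpAuthUser()` can yield `''`) now dies here instead of falling back to the default user as the removed `isValidUser` path did; if that is not intended, resolve the empty case to `Minz_Configuration::defaultUser()` before the check. The second `die` appends `$e->getMessage()`, which for a permission or missing-file failure will likely contain a server-side path; log the exception and return a generic message instead. In the persona verification, `Minz_Session::param('mail') === $this->conf->mail_login` is satisfied whenever the two sides are equal, including both being empty if neither is guaranteed non-empty at this point; prefixing it with `$mail != '' &&` (with `$mail = Minz_Session::param('mail')`) mirrors the non-empty check the first switch already applies.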