From 0085bcd791b1fef460d97301491a999ab1783a73 Mon Sep 17 00:00:00 2001
From: John Reese
Date: Thu, 3 Dec 2009 09:33:19 -0500
Subject: [PATCH] Fix #11031, 10930: fix anonymous user auto-login The original issue with 10930 was that user verification, when checking to see if a user was logged in, would trigger automatic login of the anonymous user account, which would lead to a redirect loop, where each page load would auto-login the anonymous user and immediately log them out and redirect. The original fix for this disabled auto-login of the anonymous user account when calling auth_is_user_authenticated(), which broke expectations of much of the codebase. By re-enabling auto-login, but offering optional bypass of this process, it fixes both issues. Any page expecting to correctly work with unauthenticated users will need to pass a False parameter to the function to bypass automatic anonymous login.
---
 core/authentication_api.php | 5 +++--
 verify.php | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/authentication_api.php b/core/authentication_api.php
index dd7478147d..f906113c09 100644
--- a/core/authentication_api.php
+++ b/core/authentication_api.php
@@ -85,15 +85,16 @@ function auth_ensure_user_authenticated( $p_return_page = '' ) {
 /**
 * Return true if there is a currently logged in and authenticated user, false otherwise
 *
+ * @param boolean auto-login anonymous user
 * @return bool
 * @access public
 */
-function auth_is_user_authenticated() {
+function auth_is_user_authenticated( $p_login_anonymous=true ) {
 global $g_cache_cookie_valid;
 if( $g_cache_cookie_valid == true ) {
 return $g_cache_cookie_valid;
 }
- $g_cache_cookie_valid = auth_is_cookie_valid( auth_get_current_user_cookie( false ) );
+ $g_cache_cookie_valid = auth_is_cookie_valid( auth_get_current_user_cookie( $p_login_anonymous ) );
 return $g_cache_cookie_valid;
 }
diff --git a/verify.php b/verify.php
index d5ce9a06be..31d22b5cdc 100644
--- a/verify.php
+++ b/verify.php
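Review bot: The early return on `$g_cache_cookie_valid == true` in `auth_is_user_authenticated()` ignores the new `$p_login_anonymous` argument, so once a call with the default `true` has cached a positive result, a later `auth_is_user_authenticated( false )` returns that cached `true` without re-checking. Whether an earlier default call happens on a given page depends on code outside this hunk, but where it does, the bypass in verify.php (and any other caller passing `false`) would have no effect and the answer depends on call order. Taking the shortcut only for default callers, `if( $p_login_anonymous && $g_cache_cookie_valid == true ) {`, would keep the two questions apart, assuming `auth_get_current_user_cookie( false )` does not itself fall back to the anonymous account. The docblock line should also name the parameter and say what `true` implies for callers, e.g. `@param bool $p_login_anonymous whether to auto-login the anonymous account; when true, a true result may mean an anonymous session`.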
@@ -37,7 +37,7 @@ $f_confirm_hash = gpc_get_string('confirm_hash');
 # force logout on the current user if already authenticated
- if( auth_is_user_authenticated() ) {
+ if( auth_is_user_authenticated( false ) ) {
 auth_logout();
 # reload the page after logout
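Review bot: The bare `false` in `auth_is_user_authenticated( false )` gives no hint at the call site of why this page differs from other callers; the comment above the `if` should say so, e.g. `# pass false: do not auto-login the anonymous account here, otherwise each load logs it in, logs it out and redirects`. The `if` block continues past the end of the hunk, so the redirect itself is not visible here.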