http: apply channel check to ticket and credentials

Before, if the ticket denied channel access, credentials couldn't be used to
override.

Signed-off-by: Sven Wegener <sven.wegener@stealer.net>

diff --git a/src/http.c b/src/http.c
index ef8604571b56abe35990137a365ed73cc79e4171..f17e7edab3a363265d4167bb186651d7aacd370a 100644 (file)
--- a/src/http.c
+++ b/src/http.c
@@ -576,19 +576,25 @@ http_access_verify_channel(http_connection_t *hc, int mask,
   if (ticket)
     http_access_verify_ticket(hc);
 
-  if (hc->hc_access)
+  if (hc->hc_access) {
     res = access_verify2(hc->hc_access, mask);
 
+    if (!res && !channel_access(ch, hc->hc_access, 0))
+      res = -1;
+  }
+
   if (res) {
     access_destroy(hc->hc_access);
     hc->hc_access = access_get(hc->hc_username, hc->hc_password,
                                (struct sockaddr *)hc->hc_peer);
-    if (hc->hc_access)
+    if (hc->hc_access) {
       res = access_verify2(hc->hc_access, mask);
+
+      if (!res && !channel_access(ch, hc->hc_access, 0))
+        res = -1;
+    }
   }
 
-  if (!res && !channel_access(ch, hc->hc_access, 0))
-    res = -1;
 
   return res;
 }