- local user = luci.sauth.read(luci.http.getcookie("sysauth"))
-
-
- if not luci.util.contains(accs, user) then
- if not sysauth(def) then
+ local sess = ctx.authsession or luci.http.getcookie("sysauth")
+ sess = sess and sess:match("^[A-F0-9]+$")
+ local user = sauth.read(sess)
+
+ if not util.contains(accs, user) then
+ if authen then
+ local user, sess = authen(luci.sys.user.checkpasswd, accs, def)
+ if not user or not util.contains(accs, user) then
+ return
+ else
+ local sid = sess or luci.sys.uniqueid(16)
+ luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path=/")
+ if not sess then
+ sauth.write(sid, user)
+ end
+ ctx.authsession = sid
+ end
+ else
+ luci.http.status(403, "Forbidden")
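Review bot: The `Set-Cookie` header written after a successful `authen` call issues `sysauth` with only `path=/`, so the session id is readable from page script and is not restricted to HTTPS. Consider `luci.http.header("Set-Cookie", "sysauth=" .. sid .. "; path=/; HttpOnly")`, appending `; Secure` when the request arrived over TLS. Separately, the inner `local user, sess` shadows the outer pair, so the outer `user` keeps its pre-login value for any code that runs after this block; a distinct name such as `auth_user` would make the intent explicit. The enclosing function and the closing `end`s of this block lie outside the hunk, so how `user` is used afterwards cannot be confirmed from here.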