From ee687bea188c64ece92f3df68f9b8608db498657 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Henek?=
Date: Fri, 27 Sep 2013 20:44:41 +0200
Subject: [PATCH 1/2] Bugfix: auth PAM doesn't throw an exception when authenticating without username and password
---
 radicale/auth/PAM.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/radicale/auth/PAM.py b/radicale/auth/PAM.py
index 1660af1..565fa6c 100644
--- a/radicale/auth/PAM.py
+++ b/radicale/auth/PAM.py
@@ -36,6 +36,9 @@ GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership")
 def is_authenticated(user, password):
 """Check if ``user``/``password`` couple is valid."""
+ if user is None or password is None:
+ return False
+
 # Check whether the user exists in the PAM system
 try:
 pwd.getpwnam(user).pw_uid
From 7c030896011b842d94643eb04b45cd1fb4b58f4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Henek?=
Date: Fri, 27 Sep 2013 21:14:27 +0200
Subject: [PATCH 2/2] Bugfix: auth PAM check for membership in primary and supplementary groups
---
 radicale/auth/PAM.py | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/radicale/auth/PAM.py b/radicale/auth/PAM.py
index 565fa6c..d84b46c 100644
--- a/radicale/auth/PAM.py
+++ b/radicale/auth/PAM.py
@@ -50,6 +50,7 @@ def is_authenticated(user, password):
 # Check whether the group exists
 try:
+ # Obtain supplementary groups
 members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
 except KeyError:
 log.LOGGER.debug(
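Review bot: In patch 1/2, the new guard `if user is None or password is None:` lets empty strings through, so a request with an empty password still reaches the `pam.authenticate` call further down in is_authenticated, outside this hunk. Whether PAM accepts an empty password depends on the host's PAM configuration, which this module cannot see; if empty credentials should never authenticate, `if not user or not password:` covers both cases. The rejection paths shown in patch 2/2 each emit a `log.LOGGER.debug(...)` message, while this one returns silently, so a one-line debug message before `return False` would keep these rejections traceable.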
@@ -57,18 +58,26 @@ def is_authenticated(user, password):
 GROUP_MEMBERSHIP)
 return False
- # Check whether the user belongs to the required group
- for member in members:
- if member == user:
- log.LOGGER.debug(
- "The PAM user belongs to the required group (%s)" %
- GROUP_MEMBERSHIP)
- # Check the password
- if pam.authenticate(user, password):
- return True
- else:
- log.LOGGER.debug("Wrong PAM password")
- break
+ # Check whether the user exists
+ try:
+ # Get user primary group
+ primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
+ except KeyError:
+ log.LOGGER.debug(
+ "The PAM user (%s) doesn't exist" %
+ user)
+ return False
+
+ # Check whether the user belongs to the required group (primary or supplementary)
+ if primary_group == GROUP_MEMBERSHIP or user in members:
+ log.LOGGER.debug(
+ "The PAM user belongs to the required group (%s)" %
+ GROUP_MEMBERSHIP)
+ # Check the password
+ if pam.authenticate(user, password):
+ return True
+ else:
+ log.LOGGER.debug("Wrong PAM password")
 else:
 log.LOGGER.debug(
 "The PAM user doesn't belong to the required group (%s)" %
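Review bot: The `except KeyError` around `grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name` reports "The PAM user (%s) doesn't exist" for two different failures, because `grp.getgrgid` raises the same exception when the account's primary GID has no group entry. The membership decision also rests on a group-name comparison; comparing numeric IDs is more direct and drops the extra lookup: keep the result of `grp.getgrnam(GROUP_MEMBERSHIP)` from the previous hunk as `group`, then test `if pwd.getpwnam(user).pw_gid == group.gr_gid or user in group.gr_mem:`. The user name formatted into the debug message comes from the request before any authentication, so `%r` instead of `%s` would keep control characters out of the log. is_authenticated starts above this hunk and its final `else` branch continues past it.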