[jonah] Authentication continued....

[Bill Edgington]

I figured out the authentication. Now I have a question about the program logic in backend.php:

Shouldn't it check getauth() first to see if an admin is logged in, and then force HTTP authentication if the getauth() check fails?

This way, an admin could update headlines without having to HTTP authenticate every time, and a cron job could use HTTP authentication.

Another thing - I think backend.php should allow access from any IP if ['conf']['ips'] is unset...

If you want, I can submit a patch.