Problem with API Authentication and LDAP

When using LDAP authentication, the API authentication fails to reject invalid access tokens.

I believe this is because the function authToken in html/includes/ does:

$username = get_user(…)
if (!empty($username)) .

This will always be true if LDAP is enabled since the function get_user in html/includes/authentication/ returns an array:

$userlist = array(
‘username’ => $username,
‘realname’ => $realname,
‘user_id’ => $user_id,
‘email’ => $email,

This array will always be returned to the authToken function as long as the X-Auth-Token header is set, and it doesn’t matter what it is set to.