authx - If `Authorization:` header is disabled, then ignore it.

diff --git a/ext/authx/authx.php b/ext/authx/authx.php
index 220be9577aee573afdad7969e1ea826ff11269d1..ff3958a87007bfe2429644486c715d777b5b0302 100644 (file)
--- a/ext/authx/authx.php
+++ b/ext/authx/authx.php
@@ -13,7 +13,7 @@ Civi::dispatcher()->addListener('civi.invoke.auth', function($e) {
     return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'xheader', 'cred' => $_SERVER['HTTP_X_CIVI_AUTH'], 'siteKey' => $siteKey]);
   }
 
-  if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
+  if (!empty($_SERVER['HTTP_AUTHORIZATION']) && !empty(Civi::settings()->get('authx_header_cred'))) {
     return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'header', 'cred' => $_SERVER['HTTP_AUTHORIZATION'], 'siteKey' => $siteKey]);
   }