70688a29ce74bb1fafd03ef2dda79ef38ea2891b
angie
  Wed May 25 16:44:20 2016 -0700
Fixing bug that allowed faked wiki cookie name to override hgLogin name.  refs #17397 note-8, note-9.

diff --git src/hg/lib/wikiLink.c src/hg/lib/wikiLink.c
index d22d2d4..fc7b2b6 100644
--- src/hg/lib/wikiLink.c
+++ src/hg/lib/wikiLink.c
@@ -469,34 +469,34 @@
 char *wikiHost = cfgOption(CFG_WIKI_HOST);
 if (isEmpty(wikiHost) || sameString(wikiHost, "HTTPHOST"))
     wikiHost = hHttpHost();
 return cloneString(wikiHost);
 }
 
 char *wikiLinkUserName()
 /* Return the user name specified in cookies from the browser, or NULL if 
  * the user doesn't appear to be logged in. */
 {
 if (loginSystemEnabled())
     {
     if (! alreadyAuthenticated)
         errAbort("wikiLinkUserName: loginValidateCookies must be called first.");
     char *userName = getLoginUserName();
-    if (isEmpty(userName) && wikiLinkEnabled())                   // TODO: remove in July 2016
-        userName = findCookieData(wikiLinkUserNameCookie());      // TODO: remove in July 2016
     if (isEmpty(userName) && isNotEmpty(remoteUserName))
         userName = remoteUserName;
+    if (isEmpty(userName) && wikiLinkEnabled())                   // TODO: remove in July 2016
+        userName = findCookieData(wikiLinkUserNameCookie());      // TODO: remove in July 2016
     if (authenticated)
         return cloneString(userName);
     }
 else if (wikiLinkEnabled())
     {
     char *wikiUserName = findCookieData(wikiLinkUserNameCookie());
     char *wikiLoggedIn = findCookieData(wikiLinkLoggedInCookie());
     if (isNotEmpty(wikiLoggedIn) && isNotEmpty(wikiUserName))
         return cloneString(wikiUserName);
     }
 else
     errAbort("wikiLinkUserName called when wiki is not enabled (specified "
         "in hg.conf).");
 return NULL;
 }