forked from Wavyzz/dolibarr
Fix Protect DAV when $dolibarr_main_authentication is forceuser
Compatibility with twoauth
This commit is contained in:
Laurent Destailleur
@@ -57,12 +57,15 @@ class Login
|
||||
*/
|
||||
public function index($login, $password, $entity = '', $reset = 0)
|
||||
{
|
||||
|
||||
global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
|
||||
|
||||
// Authentication mode
|
||||
// TODO Remove the API login. The token must be generated from backoffice only.
|
||||
|
||||
// Authentication mode
|
||||
if (empty($dolibarr_main_authentication))
|
||||
$dolibarr_main_authentication = 'http,dolibarr';
|
||||
$dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
|
||||
|
||||
// Authentication mode: forceuser
|
||||
if ($dolibarr_main_authentication == 'forceuser')
|
||||
{
|
||||
@@ -73,6 +76,7 @@ class Login
|
||||
throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
|
||||
}
|
||||
}
|
||||
|
||||
// Set authmode
|
||||
$authmode = explode(',', $dolibarr_main_authentication);
|
||||
|
||||
|
||||
@@ -69,7 +69,7 @@ $tmpDir = $conf->dav->multidir_output[$entity]; // We need root dir, not a d
|
||||
$authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) {
|
||||
global $user;
|
||||
global $conf;
|
||||
global $dolibarr_main_authentication;
|
||||
global $dolibarr_main_authentication, $dolibarr_auto_user;
|
||||
|
||||
if (empty($user->login))
|
||||
{
|
||||
@@ -91,6 +91,17 @@ $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $p
|
||||
if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication='dolibarr';
|
||||
$dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
|
||||
|
||||
// Authentication mode: forceuser
|
||||
if ($dolibarr_main_authentication == 'forceuser')
|
||||
{
|
||||
if (empty($dolibarr_auto_user)) $dolibarr_auto_user='auto';
|
||||
if ($dolibarr_auto_user != $username)
|
||||
{
|
||||
dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. DAV usage is forbidden in this mode.");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
$authmode = explode(',', $dolibarr_main_authentication);
|
||||
$entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));
|
||||
|
||||
|
||||
@@ -1932,4 +1932,5 @@ DeleteEmailCollector=Delete email collector
|
||||
ConfirmDeleteEmailCollector=Are you sure you want to delete this email collector?
|
||||
RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value
|
||||
AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined
|
||||
RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
|
||||
RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
|
||||
BaseOnSabeDavVersion=Based on the library SabreDAV version
|
||||
Reference in New Issue
Block a user