From 65d11704bb4b0fdccd094e2337aebd5a7f2a764c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 20 Aug 2019 13:46:15 +0200
Subject: [PATCH] Fix Protect DAV when $dolibarr_main_authentication is forceuser

Compatibility with twoauth

---
 htdocs/api/class/api_login.class.php | 8 ++++++--
 htdocs/dav/fileserver.php | 13 ++++++++++++-
 htdocs/langs/en_US/admin.lang | 3 ++-
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/htdocs/api/class/api_login.class.php b/htdocs/api/class/api_login.class.php
index 2bf464f7296..b2b1f08f8b6 100644
--- a/htdocs/api/class/api_login.class.php
+++ b/htdocs/api/class/api_login.class.php
@@ -57,12 +57,15 @@ class Login
 */
 public function index($login, $password, $entity = '', $reset = 0)
 {
- global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
- // Authentication mode
+ // TODO Remove the API login. The token must be generated from backoffice only.
+
+ // Authentication mode
 if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication = 'http,dolibarr';
+ $dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
+
 // Authentication mode: forceuser
 if ($dolibarr_main_authentication == 'forceuser')
 {
@@ -73,6 +76,7 @@ class Login
 throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
 }
 }
+
 // Set authmode
 $authmode = explode(',', $dolibarr_main_authentication);
diff --git a/htdocs/dav/fileserver.php b/htdocs/dav/fileserver.php
index 143f48d2033..b056ac9730c 100644
--- a/htdocs/dav/fileserver.php
+++ b/htdocs/dav/fileserver.php
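Review bot: The new `preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication)` line in the first hunk of api_login.class.php makes an instance configured for two-factor authentication verify only login and password on the API login endpoint, so the second factor is never checked on this path, and nothing in the hunk records that this is intended. If it is the decision, say so next to the line, e.g. `// twoauth is handled as plain 'dolibarr' here: this endpoint only receives login+password, so the second factor is not verified when generating an API token`; if the second factor is meant to stay mandatory, reject the request with a 403 `RestException` the way the forceuser branch below does. The hunk also shows `global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;` on a removed line with no visible replacement; if that declaration is really gone rather than lost in this rendering (the hunk's line counts do not match the lines shown), `$dolibarr_main_authentication` and `$dolibarr_auto_user` become undefined locals and the forceuser check can never trigger, so please confirm. The second hunk (`@@ -73,6 +76,7 @@`) only adds a blank line, and `index()` continues past the end of both hunks.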
@@ -69,7 +69,7 @@ $tmpDir = $conf->dav->multidir_output[$entity]; // We need root dir, not a d
 $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) {
 global $user;
 global $conf;
- global $dolibarr_main_authentication;
+ global $dolibarr_main_authentication, $dolibarr_auto_user;
 if (empty($user->login))
 {
@@ -91,6 +91,17 @@ $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $p
 if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication='dolibarr';
 $dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
+ // Authentication mode: forceuser
+ if ($dolibarr_main_authentication == 'forceuser')
+ {
+ if (empty($dolibarr_auto_user)) $dolibarr_auto_user='auto';
+ if ($dolibarr_auto_user != $username)
+ {
+ dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. DAV usage is forbidden in this mode.");
+ return false;
+ }
+ }
+
 $authmode = explode(',', $dolibarr_main_authentication);
 $entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index c95c9fe05cc..ee3da865377 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
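Review bot: `if ($dolibarr_auto_user != $username)` in the new forceuser block of fileserver.php (second hunk) is a loose comparison, and for two strings `!=` compares numerically when both look numeric, so it should read `if ($dolibarr_auto_user !== $username)`. The block only rejects a mismatched login: when `$username` equals the forced login, execution falls through to `$authmode = explode(',', $dolibarr_main_authentication)` with the caller's password, and if the project's forceuser mode does not verify passwords (its name suggests so, but the auth code is outside this hunk and should be checked) DAV would then accept any password for that account, while the log message states that DAV usage is forbidden in this mode; returning false for the whole forceuser case would match the message and the intent of the commit title. It would also help detection to include the requested `$username` in the `dol_syslog` line so a rejected attempt can be correlated with the access log. The BasicCallBack closure begins and ends outside this hunk, and the first hunk (`@@ -69,7 +69,7 @@`) only extends the `global` declaration.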
@@ -1932,4 +1932,5 @@ DeleteEmailCollector=Delete email collector
 ConfirmDeleteEmailCollector=Are you sure you want to delete this email collector?
 RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value
 AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined
-RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
\ No newline at end of file
+RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
+BaseOnSabeDavVersion=Based on the library SabreDAV version
\ No newline at end of file