Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix Protect DAV when $dolibarr_main_authentication is forceuser

Browse Source 
Compatibility with twoauth
This commit is contained in:
Laurent Destailleur
2019-08-20 13:46:15 +02:00
parent 54234e011f
commit 65d11704bb
3 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/api/class/api_login.class.php
View File

@@ -57,12 +57,15 @@ class Login
*/ */
public function index($login, $password, $entity = '', $reset = 0) public function index($login, $password, $entity = '', $reset = 0)
{ {
global $conf, $dolibarr_main_authentication, $dolibarr_auto_user; global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
// Authentication mode // TODO Remove the API login. The token must be generated from backoffice only.
// Authentication mode
if (empty($dolibarr_main_authentication)) if (empty($dolibarr_main_authentication))
$dolibarr_main_authentication = 'http,dolibarr'; $dolibarr_main_authentication = 'http,dolibarr';
$dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
// Authentication mode: forceuser // Authentication mode: forceuser
if ($dolibarr_main_authentication == 'forceuser') if ($dolibarr_main_authentication == 'forceuser')
{ {
@@ -73,6 +76,7 @@ class Login
throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode."); throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
} }
} }
// Set authmode // Set authmode
$authmode = explode(',', $dolibarr_main_authentication); $authmode = explode(',', $dolibarr_main_authentication);

13
htdocs/dav/fileserver.php
View File

@@ -69,7 +69,7 @@ $tmpDir = $conf->dav->multidir_output[$entity]; // We need root dir, not a d
$authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) { $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) {
global $user; global $user;
global $conf; global $conf;
global $dolibarr_main_authentication; global $dolibarr_main_authentication, $dolibarr_auto_user;
if (empty($user->login)) if (empty($user->login))
{ {
@@ -91,6 +91,17 @@ $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $p
if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication='dolibarr'; if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication='dolibarr';
$dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication); $dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
// Authentication mode: forceuser
if ($dolibarr_main_authentication == 'forceuser')
{
if (empty($dolibarr_auto_user)) $dolibarr_auto_user='auto';
if ($dolibarr_auto_user != $username)
{
dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. DAV usage is forbidden in this mode.");
return false;
}
}
$authmode = explode(',', $dolibarr_main_authentication); $authmode = explode(',', $dolibarr_main_authentication);
$entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1)); $entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));

1
htdocs/langs/en_US/admin.lang
View File

@@ -1933,3 +1933,4 @@ ConfirmDeleteEmailCollector=Are you sure you want to delete this email collector
RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value
AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined
RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs. RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
BaseOnSabeDavVersion=Based on the library SabreDAV version