Fix Protect DAV when $dolibarr_main_authentication is forceuser

Compatibility with twoauth
Dolibarr · Aug 20, 2019 · 65d1170 · 65d1170
1 parent 54234e0
commit 65d1170
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/htdocs/api/class/api_login.class.php b/htdocs/api/class/api_login.class.php
@@ -57,12 +57,15 @@ public function __construct()
 	 */
     public function index($login, $password, $entity = '', $reset = 0)
     {
-
 	    global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
 
-		// Authentication mode
+	    // TODO Remove the API login. The token must be generated from backoffice only.
+
+	    // Authentication mode
 		if (empty($dolibarr_main_authentication))
 			$dolibarr_main_authentication = 'http,dolibarr';
+		$dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
+
 		// Authentication mode: forceuser
 		if ($dolibarr_main_authentication == 'forceuser')
 		{
@@ -73,6 +76,7 @@ public function index($login, $password, $entity = '', $reset = 0)
 				throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
 			}
 		}
+
 		// Set authmode
 		$authmode = explode(',', $dolibarr_main_authentication);
 

diff --git a/htdocs/dav/fileserver.php b/htdocs/dav/fileserver.php
@@ -69,7 +69,7 @@
 $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) {
 	global $user;
 	global $conf;
-	global $dolibarr_main_authentication;
+	global $dolibarr_main_authentication, $dolibarr_auto_user;
 
 	if (empty($user->login))
 	{
@@ -91,6 +91,17 @@
 	if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication='dolibarr';
 	$dolibarr_main_authentication = preg_replace('/twoauth/', 'dolibarr', $dolibarr_main_authentication);
 
+	// Authentication mode: forceuser
+	if ($dolibarr_main_authentication == 'forceuser')
+	{
+		if (empty($dolibarr_auto_user)) $dolibarr_auto_user='auto';
+		if ($dolibarr_auto_user != $username)
+		{
+			dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. DAV usage is forbidden in this mode.");
+			return false;
+		}
+	}
+
 	$authmode = explode(',', $dolibarr_main_authentication);
 	$entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));
 

diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
@@ -1932,4 +1932,5 @@ DeleteEmailCollector=Delete email collector
 ConfirmDeleteEmailCollector=Are you sure you want to delete this email collector?
 RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value
 AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined
-RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
+RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
+BaseOnSabeDavVersion=Based on the library SabreDAV version