Verify authentication before initializing apps and routing

The current behaviour of the authenticion logic in base.php prevents REST APIs in ownCloud applications to work.

Because `!self::$CLI` is usually always a true statement the previously above block was entered which returned, thus the authentication logic for this part does not trigger in.

This can be reproduced by installing apps such as the News app and issuing the following command:

`curl -u admin:admin http://localhost/index.php/apps/news/api/v1-2/feeds`

The following parts needs to get throughly tested:

- [ ] OCS
- [ ] remote.php's DAV features
- [ ] Regular login features

This bug affects master and stable7. I'd propose that we merge this for 8.0 since this has the potential to break every component that relies on Basic Auth features. A backport would also be very nice.

Remark to myself: We really need to move out the authentication code for 8.1 out of base.php - I already have a local branch that does that somewhere which I will get in shape for 8.1... - This untested code is a night-mare.

Fixes itself.

diff --git a/lib/base.php b/lib/base.php
index 34fa178ebf7260b5a262ce1086c23d72dda41bf9..f4021b543b28566153ff2cf24003c00670f32388 100644 (file)
--- a/lib/base.php
+++ b/lib/base.php
@@ -736,6 +736,19 @@ class OC {
                        self::checkUpgrade();
                }
 
+               // Load minimum set of apps
+               if (!self::checkUpgrade(false)) {
+                       // For logged-in users: Load everything
+                       if(OC_User::isLoggedIn()) {
+                               OC_App::loadApps();
+                       } else {
+                               // For guests: Load only authentication, filesystem and logging
+                               OC_App::loadApps(array('authentication'));
+                               OC_App::loadApps(array('filesystem', 'logging'));
+                               \OC_User::tryBasicAuthLogin();
+                       }
+               }
+
                if (!self::$CLI and (!isset($_GET["logout"]) or ($_GET["logout"] !== 'true'))) {
                        try {
                                if (!$systemConfig->getValue('maintenance', false) && !\OCP\Util::needUpgrade()) {
@@ -755,19 +768,6 @@ class OC {
                        }
                }
 
-               // Load minimum set of apps
-               if (!self::checkUpgrade(false)) {
-                       // For logged-in users: Load everything
-                       if(OC_User::isLoggedIn()) {
-                               OC_App::loadApps();
-                       } else {
-                               // For guests: Load only authentication, filesystem and logging
-                               OC_App::loadApps(array('authentication'));
-                               OC_App::loadApps(array('filesystem', 'logging'));
-                               \OC_User::tryBasicAuthLogin();
-                       }
-               }
-
                // Handle redirect URL for logged in users
                if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
                        $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));