From d02e0eaaf1e2c467ee0b2acb99f85414eac4a813 Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Thu, 26 Nov 2015 16:14:49 +0100 Subject: [PATCH] Only reject ajax auth if user is really logged out --- apps/dav/lib/connector/sabre/auth.php | 2 +- apps/dav/tests/unit/connector/sabre/auth.php | 30 ++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php index 655152a2cc1..d57fdb98f9e 100644 --- a/apps/dav/lib/connector/sabre/auth.php +++ b/apps/dav/lib/connector/sabre/auth.php @@ -159,7 +159,7 @@ class Auth extends AbstractBasic { return [true, $this->principalPrefix . $user]; } - if ($request->getHeader('X-Requested-With') === 'XMLHttpRequest') { + if (!$this->userSession->isLoggedIn() && $request->getHeader('X-Requested-With') === 'XMLHttpRequest') { // do not re-authenticate over ajax, use dummy auth name to prevent browser popup $response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"'); $response->setStatus(401); diff --git a/apps/dav/tests/unit/connector/sabre/auth.php b/apps/dav/tests/unit/connector/sabre/auth.php index 595bd441617..8010378f464 100644 --- a/apps/dav/tests/unit/connector/sabre/auth.php +++ b/apps/dav/tests/unit/connector/sabre/auth.php @@ -309,6 +309,10 @@ class Auth extends TestCase { $httpResponse = $this->getMockBuilder('\Sabre\HTTP\ResponseInterface') ->disableOriginalConstructor() ->getMock(); + $this->userSession + ->expects($this->any()) + ->method('isLoggedIn') + ->will($this->returnValue(false)); $httpRequest ->expects($this->once()) ->method('getHeader') @@ -317,6 +321,32 @@ class Auth extends TestCase { $this->auth->check($httpRequest, $httpResponse); } + public function testAuthenticateNoBasicAuthenticateHeadersProvidedWithAjaxButUserIsStillLoggedIn() { + /** @var \Sabre\HTTP\RequestInterface $httpRequest */ + $httpRequest = $this->getMockBuilder('\Sabre\HTTP\RequestInterface') + ->disableOriginalConstructor() + ->getMock(); + /** @var \Sabre\HTTP\ResponseInterface $httpResponse */ + $httpResponse = $this->getMockBuilder('\Sabre\HTTP\ResponseInterface') + ->disableOriginalConstructor() + ->getMock(); + $this->userSession + ->expects($this->any()) + ->method('isLoggedIn') + ->will($this->returnValue(true)); + $this->session + ->expects($this->once()) + ->method('get') + ->with('AUTHENTICATED_TO_DAV_BACKEND') + ->will($this->returnValue('MyTestUser')); + $httpRequest + ->expects($this->once()) + ->method('getHeader') + ->with('Authorization') + ->will($this->returnValue(null)); + $this->auth->check($httpRequest, $httpResponse); + } + public function testAuthenticateValidCredentials() { $server = $this->getMockBuilder('\Sabre\DAV\Server') ->disableOriginalConstructor() -- 2.39.5