author | Vincent Petry <pvince81@owncloud.com> | 2016-03-24 16:02:36 +0100 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2016-03-31 19:31:31 +0200 |
commit | 262547ba3d81a870521ad65bca770e9e1b14f229 (patch) | |
tree | 3e40af7415b50ae09e80956ecd296c0202d82785 | |
parent | bfb5748f1f9d0c76ce311a88ea117c0cb3d7a653 (diff) | |
Return 401 DummyBasicAuth in case of ajax call
-rw-r--r-- | apps/dav/appinfo/v1/publicwebdav.php | 2 | ||||
-rw-r--r-- | apps/dav/lib/connector/publicauth.php | 17 |
2 files changed, 17 insertions, 2 deletions
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php index b0ee264aac3..558a8238666 100644 --- a/apps/dav/appinfo/v1/publicwebdav.php +++ b/apps/dav/appinfo/v1/publicwebdav.php @@ -32,7 +32,7 @@ OC_App::loadApps($RUNTIME_APPTYPES); OC_Util::obEnd(); // Backends -$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig()); +$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig(), \OC::$server->getRequest()); $serverFactory = new OCA\DAV\Connector\Sabre\ServerFactory( \OC::$server->getConfig(), diff --git a/apps/dav/lib/connector/publicauth.php b/apps/dav/lib/connector/publicauth.php index f069a214fe8..fc9b98c4834 100644 --- a/apps/dav/lib/connector/publicauth.php +++ b/apps/dav/lib/connector/publicauth.php @@ -26,6 +26,8 @@ namespace OCA\DAV\Connector; +use OCP\IRequest; + class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { /** @@ -36,10 +38,17 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { private $share; /** + * @var IRequest + */ + private $request; + + /** * @param \OCP\IConfig $config + * @param IRequest $request */ - public function __construct($config) { + public function __construct($config, $request) { $this->config = $config; + $this->request = $request; } /** @@ -92,6 +101,12 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { && \OC::$server->getSession()->get('public_link_authenticated') === $linkItem['id']) { return true; } else { + if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) { + // do not re-authenticate over ajax, use dummy auth name to prevent browser popup + header('Status: 401'); + header('WWW-Authenticate', 'DummyBasic real="ownCloud"'); + throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls'); + } return false; } } else if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_REMOTE) { |
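Review bot: The new `$request` constructor parameter in apps/dav/lib/connector/publicauth.php is untyped even though the hunk imports `OCP\IRequest`, so the import is only used by the docblock. Declaring it as `public function __construct($config, IRequest $request) {` would make a wrong or missing argument fail at construction rather than later at `$this->request->getHeader()`. The parameter is also required, and only the call in publicwebdav.php is updated in this diff, so any other place that instantiates PublicAuth (tests included) would need the same change; I cannot see those from here. The class body continues outside the hunk.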
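Review bot: The dummy challenge in the new ajax branch is never sent as intended, because `header()` takes the complete header line as its first argument and a replace flag as its second: `header('WWW-Authenticate', 'DummyBasic real="ownCloud"')` passes the scheme string as the flag and leaves a header name with no value, and `real` also looks like a typo for `realm`. I would write `header('WWW-Authenticate: DummyBasic realm="ownCloud"');`. `header('Status: 401')` is only honoured by CGI-style SAPIs, so `http_response_code(401)` is more portable, although the thrown NotAuthenticated presumably already yields a 401 through Sabre. `X-Requested-With` is client-controlled, which is acceptable here since both paths refuse access, and a short comment such as `// header only selects the challenge scheme, never grants access` would keep it from being reused as a trust signal. The enclosing method starts and ends outside the hunk.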