authorVincent Petry <pvince81@owncloud.com>2015-11-19 14:18:27 +0100
committerMorris Jobke <hey@morrisjobke.de>2015-11-23 09:44:30 +0100
commit055d58bfc3d8168cf1923030cf6d532cc6f288e4 (patch)
treebd425db4c9ff5a8ece48f3324561b83103f746f8 /apps/dav/lib
parent79bbda994bb8dd2231f68f57785237f79f86f6c7 (diff)
Do not authenticate over ajax
This makes sure that whenever a Webdav call is done through Ajax, if the session has expired, it will not send back a challenge but a simple 401 response. Without this fix, the default code would send back a challenge and trigger the browser's basic auth dialog.
Diffstat (limited to 'apps/dav/lib')
-rw-r--r--apps/dav/lib/connector/sabre/auth.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index f9a39799046..27f6704ba2c 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -164,6 +164,13 @@ class Auth extends AbstractBasic {
return true;
}
+ if ($server->httpRequest->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+ // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+ $server->httpResponse->addHeader('WWW-Authenticate','DummyBasic realm="' . $realm . '"');
+ $server->httpResponse->setStatus(401);
+ throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+ }
+
return parent::authenticate($server, $realm);
}
}
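Review bot: The new `X-Requested-With` branch throws before `parent::authenticate($server, $realm)` is reached, so a request that carries this header together with valid Basic credentials is refused as well; if that is intended, the comment should say so. The header is supplied by the client, so it is safe only because this branch can refuse and never grants access. I would record that next to the check, e.g. `// X-Requested-With is client-controlled: this branch must only ever deny, and it also rejects ajax requests that carry Basic credentials`. `$realm` is concatenated into the `WWW-Authenticate` value unescaped, which is fine only while the realm is a fixed server-side string, as it presumably is here. The body of `authenticate()` starts outside the hunk, so whatever session handling precedes the `return true;` is not visible.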