diff options
| author | Roeland Jago Douma <rullzer@owncloud.com> | 2016-01-06 20:48:33 +0100 |
|---|---|---|
| committer | Roeland Jago Douma <rullzer@owncloud.com> | 2016-01-07 10:44:26 +0100 |
| commit | 4a38793d111f68d9b00eaff4804293fd10d89a5f (patch) | |
| tree | 85975c85f429d298c4734b1526dc7bfb98db6648 /apps | |
| parent | 336fe868b2ee3a4105b93b71a1e739c9e412237b (diff) | |
| download | nextcloud-server-4a38793d111f68d9b00eaff4804293fd10d89a5f.tar.gz nextcloud-server-4a38793d111f68d9b00eaff4804293fd10d89a5f.zip | |
Allow only cookie auth to webdav
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/dav/lib/connector/sabre/auth.php | 5 | ||||
| -rw-r--r-- | apps/dav/tests/unit/connector/sabre/auth.php | 18 |
2 files changed, 19 insertions, 4 deletions
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php index 7f4f4a531b1..02b88390bad 100644 --- a/apps/dav/lib/connector/sabre/auth.php +++ b/apps/dav/lib/connector/sabre/auth.php @@ -151,7 +151,10 @@ class Auth extends AbstractBasic { */ private function auth(RequestInterface $request, ResponseInterface $response) { if (\OC_User::handleApacheAuth() || - ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) + //Fix for broken webdav clients + ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) || + //Well behaved clients that only send the cookie are allowed + ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null) ) { $user = $this->userSession->getUser()->getUID(); \OC_Util::setupFS($user); diff --git a/apps/dav/tests/unit/connector/sabre/auth.php b/apps/dav/tests/unit/connector/sabre/auth.php index 217ff5fc3fa..5e1cdfb03d8 100644 --- a/apps/dav/tests/unit/connector/sabre/auth.php +++ b/apps/dav/tests/unit/connector/sabre/auth.php @@ -21,6 +21,7 @@ namespace OCA\DAV\Tests\Unit\Connector\Sabre; +use OCP\IUser; use Test\TestCase; use OCP\ISession; use OCP\IUserSession; @@ -29,6 +30,7 @@ use OCP\IUserSession; * Class Auth * * @package OCA\DAV\Connector\Sabre + * @group DB */ class Auth extends TestCase { /** @var ISession */ @@ -330,21 +332,31 @@ class Auth extends TestCase { $httpResponse = $this->getMockBuilder('\Sabre\HTTP\ResponseInterface') ->disableOriginalConstructor() ->getMock(); + /** @var IUser */ + $user = $this->getMock('OCP\IUser'); + $user->method('getUID')->willReturn('MyTestUser'); $this->userSession ->expects($this->any()) ->method('isLoggedIn') ->will($this->returnValue(true)); + $this->userSession + ->expects($this->any()) + ->method('getUser') + ->willReturn($user); $this->session - ->expects($this->once()) + ->expects($this->atLeastOnce()) ->method('get') ->with('AUTHENTICATED_TO_DAV_BACKEND') ->will($this->returnValue('MyTestUser')); $httpRequest - ->expects($this->once()) + ->expects($this->atLeastOnce()) ->method('getHeader') ->with('Authorization') ->will($this->returnValue(null)); - $this->auth->check($httpRequest, $httpResponse); + $this->assertEquals( + [true, 'principals/users/MyTestUser'], + $this->auth->check($httpRequest, $httpResponse) + ); } public function testAuthenticateValidCredentials() { |