author | Hans Bakker <hansmbakker@gmail.com> | 2011-08-17 12:47:56 +0200 |
---|---|---|
committer | Hans Bakker <hansmbakker@gmail.com> | 2011-08-17 12:47:56 +0200 |
commit | 30dab8473d542c33f53ef1c3c8aa6152ac4592f0 (patch) | |
tree | 3c412f4232a3bb38cf43c61b081832cb3ec6cfa8 /core/ajax/userlist.php | |
parent | 449662468548e6f45ad559c77c0aee6fc48d8430 (diff) | |
Change authentication method to basic http auth instead of using $_GET variables
Also use OC_User::isLoggedIn to check if new authentication is needed for grouplist.php and userlist.php
For validateuser.php, credentials are always needed.
Diffstat (limited to 'core/ajax/userlist.php')
-rw-r--r-- | core/ajax/userlist.php | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/core/ajax/userlist.php b/core/ajax/userlist.php
index 16e89c2ee8f..0485f514550 100644
--- a/core/ajax/userlist.php
+++ b/core/ajax/userlist.php
@@ -21,27 +21,30 @@
 *
 */
-
-// We send json data
-header( "Content-Type: application/jsonrequest" );
-
 $RUNTIME_NOAPPS = TRUE; //no apps, yet
 require_once('../../lib/base.php');
-if(isset($_GET["user"]) && isset($_GET["password"]))
-{
- if(!OC_User::checkPassword($_GET["user"], $_GET["password"]))
+if(!OC_User::isLoggedIn()){
+ if(!isset($_SERVER['PHP_AUTH_USER'])){
+ header('WWW-Authenticate: Basic realm="ownCloud Server"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Valid credentials must be supplied';
 exit();
+ } else {
+ if(!OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+ exit();
+ }
+ }
+}
- $users = array();
-
- foreach( OC_User::getUsers() as $i ){
- $users[] = array( "username" => $i, "groups" => join( ", ", OC_Group::getUserGroups( $i ) ));
- }
-
- echo json_encode($users);
-
+$users = array();
+foreach( OC_User::getUsers() as $i ){
+ $users[] = array( "username" => $i, "groups" => join( ", ", OC_Group::getUserGroups( $i ) ));
 }
+// We send json data
+header( "Content-Type: application/jsonrequest" );
+echo json_encode($users);
+
 ?> |
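Review bot: The failed-credentials branch (`if(!OC_User::checkPassword(...)){ exit(); }`) ends the request with an empty response and no error status, so a client cannot tell a rejected password from an empty result and failed attempts leave no distinct status to log or alert on; it should answer like the missing-credentials branch, e.g. `header('HTTP/1.0 401 Unauthorized');` before `exit();`. `$_SERVER["PHP_AUTH_PW"]` is also read without an `isset()` check, so a request that carries only a user name reaches `checkPassword` with an undefined index. Separately, nothing visible in this hunk limits the listing to administrators: any session for which `OC_User::isLoggedIn()` is true, or any account that passes Basic auth, receives every user name with its groups, so if that is not intended a group-membership check belongs before the `foreach`. Basic credentials are only base64-encoded on the wire, so the endpoint should be reachable over TLS only, which cannot be confirmed from here.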