diff options
| author | Julius Härtl <jus@bitgrid.net> | 2023-02-17 09:42:08 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-17 09:42:08 +0100 |
| commit | 90d2cb09b1a8f4c5a82955641a0afedddb0a590d (patch) | |
| tree | a3e79d2cd396ed723b93be52424c33864e63d650 /lib | |
| parent | d33fbbed1d20496387decde205f7cac9913b3421 (diff) | |
| parent | f655f83c840f30781999cd84d800cb2cc27983bf (diff) | |
| download | nextcloud-server-90d2cb09b1a8f4c5a82955641a0afedddb0a590d.tar.gz nextcloud-server-90d2cb09b1a8f4c5a82955641a0afedddb0a590d.zip | |
Merge pull request #36396 from nextcloud/fix/cors
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/AppFramework/Middleware/Security/CORSMiddleware.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php index 2476f4ec9b3..30ba8d8d6e4 100644 --- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php @@ -83,7 +83,7 @@ class CORSMiddleware extends Middleware { public function beforeController($controller, $methodName) { // ensure that @CORS annotated API routes are not used in conjunction // with session authentication since this enables CSRF attack vectors - if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) { + if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') || $this->session->isLoggedIn())) { $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; |