From 262547ba3d81a870521ad65bca770e9e1b14f229 Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Thu, 24 Mar 2016 16:02:36 +0100
Subject: [PATCH] Return 401 DummyBasicAuth in case of ajax call
---
 apps/dav/appinfo/v1/publicwebdav.php | 2 +-
 apps/dav/lib/connector/publicauth.php | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
index b0ee264aac..558a823866 100644
--- a/apps/dav/appinfo/v1/publicwebdav.php
+++ b/apps/dav/appinfo/v1/publicwebdav.php
@@ -32,7 +32,7 @@ OC_App::loadApps($RUNTIME_APPTYPES);
 OC_Util::obEnd();
 // Backends
-$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig());
+$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig(), \OC::$server->getRequest());
 $serverFactory = new OCA\DAV\Connector\Sabre\ServerFactory(
 \OC::$server->getConfig(),
diff --git a/apps/dav/lib/connector/publicauth.php b/apps/dav/lib/connector/publicauth.php
index f069a214fe..fc9b98c483 100644
--- a/apps/dav/lib/connector/publicauth.php
+++ b/apps/dav/lib/connector/publicauth.php
@@ -26,6 +26,8 @@
 namespace OCA\DAV\Connector;
+use OCP\IRequest;
+
 class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 /**
@@ -36,10 +38,17 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 private $share;
 /**
- * @param \OCP\IConfig $config
+ * @var IRequest
 */
- public function __construct($config) {
+ private $request;
+
+ /**
+ * @param \OCP\IConfig $config
+ * @param IRequest $request
+ */
+ public function __construct($config, $request) {
 $this->config = $config;
+ $this->request = $request;
 }
 /**
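Review bot: The constructor in the `@@ -36,10 +38,17 @@` hunk takes the new `$request` argument untyped, although the docblock names `IRequest` and the `use OCP\IRequest;` import is added for it. A wrong or missing argument is then only noticed when the authentication path later calls `$this->request->getHeader()`; declaring it as `public function __construct($config, IRequest $request) {` fails at construction instead. Only the `publicwebdav.php` call site is updated in this patch, so any other place that instantiates `PublicAuth` (none is visible here) would need the second argument as well.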
@@ -92,6 +101,12 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 && \OC::$server->getSession()->get('public_link_authenticated') === $linkItem['id']) {
 return true;
 } else {
+ if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
+ // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+ header('Status: 401');
+ header('WWW-Authenticate', 'DummyBasic real="ownCloud"');
+ throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+ }
 return false;
 }
 } else if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_REMOTE) {
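Review bot: The second added `header()` call passes the header name and value as two arguments, but PHP's `header()` takes a single `Name: value` string and treats its second parameter as the `$replace` flag, so the intended `WWW-Authenticate: DummyBasic` challenge is not emitted in that form; the value also spells the parameter `real` where `realm` appears to be meant. It should read `header('WWW-Authenticate: DummyBasic realm="ownCloud"');`. `header('Status: 401')` only sets the status under CGI-style SAPIs, so `http_response_code(401);` is the more portable call, and whether either raw header survives Sabre's own handling of the thrown `NotAuthenticated` cannot be confirmed from this hunk. `X-Requested-With` is client-controlled, which is acceptable here only because both branches still refuse the request; a one-line comment saying so (`// header is untrusted: it only selects the challenge format, never grants access`) would keep later edits from relying on it. The enclosing method starts and ends outside the hunk.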