From 30dab8473d542c33f53ef1c3c8aa6152ac4592f0 Mon Sep 17 00:00:00 2001
From: Hans Bakker
Date: Wed, 17 Aug 2011 12:47:56 +0200
Subject: [PATCH] Change authentication method to basic http auth instead of using $_GET variables
Also use OC_User::isLoggedIn to check if new authentication is needed for grouplist.php and userlist.php
For validateuser.php, credentials are always needed.
---
 core/ajax/grouplist.php | 38 +++++++++++++++++++++---------------
 core/ajax/userlist.php | 37 +++++++++++++++++++----------------
 core/ajax/validateuser.php | 40 ++++++++++++--------------------------
 3 files changed, 54 insertions(+), 61 deletions(-)
diff --git a/core/ajax/grouplist.php b/core/ajax/grouplist.php
index 9b6c4bfa8a..d0d10f7a84 100644
--- a/core/ajax/grouplist.php
+++ b/core/ajax/grouplist.php
@@ -21,25 +21,31 @@
 *
 */
-
-// We send json data
-header( "Content-Type: application/jsonrequest" );
-
 $RUNTIME_NOAPPS = TRUE; //no apps, yet
 require_once('../../lib/base.php');
-if(isset($_GET["user"]) && isset($_GET["password"]))
-{
- if(!OC_User::checkPassword($_GET["user"], $_GET["password"]))
- exit();
-
- $groups = array();
-
- foreach( OC_Group::getGroups() as $i ){
- // Do some more work here soon
- $groups[] = array( "groupname" => $i );
+if(!OC_User::isLoggedIn()){
+ if(!isset($_SERVER['PHP_AUTH_USER'])){
+ header('WWW-Authenticate: Basic realm="ownCloud Server"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Valid credentials must be supplied';
+ exit();
+ } else {
+ if(!OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+ exit();
+ }
 }
-
- echo json_encode($groups);
 }
+
+$groups = array();
+
+foreach( OC_Group::getGroups() as $i ){
+ // Do some more work here soon
+ $groups[] = array( "groupname" => $i );
+}
+
+// We send json data
+header( "Content-Type: application/jsonrequest" );
+echo json_encode($groups);
+
 ?>
diff --git a/core/ajax/userlist.php b/core/ajax/userlist.php
index 16e89c2ee8..0485f51455 100644
--- a/core/ajax/userlist.php
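Review bot: A rejected password in the inner `else` branch ends the request with a bare `exit()`, so the client gets an implicit 200 with an empty body rather than a fresh challenge; that branch should send the same `WWW-Authenticate` and `401` headers as the `!isset` branch so callers can tell a failed login from an empty group list and retry. `$_SERVER["PHP_AUTH_PW"]` is read without an `isset` test, and as far as I know `PHP_AUTH_USER`/`PHP_AUTH_PW` are populated only by the Apache module SAPI, so under CGI/FastCGI every request would be challenged unless the Authorization header is forwarded — worth a comment such as `// PHP_AUTH_* are set by mod_php; CGI/FastCGI deployments need the Authorization header passed through`; the same unchecked read is in userlist.php and validateuser.php. The block authenticates but does not authorize: any account that satisfies `OC_User::isLoggedIn()` or `checkPassword` can enumerate every group, so if this endpoint is meant for administrators a membership check belongs right after it. A failed `checkPassword` is neither logged nor rate-limited here, leaving repeated credential failures against this pre-login path without an audit trail. The whole block is duplicated verbatim in userlist.php; a shared helper would keep the two challenge paths consistent.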
+++ b/core/ajax/userlist.php
@@ -21,27 +21,30 @@
 *
 */
-
-// We send json data
-header( "Content-Type: application/jsonrequest" );
-
 $RUNTIME_NOAPPS = TRUE; //no apps, yet
 require_once('../../lib/base.php');
-if(isset($_GET["user"]) && isset($_GET["password"]))
-{
- if(!OC_User::checkPassword($_GET["user"], $_GET["password"]))
+if(!OC_User::isLoggedIn()){
+ if(!isset($_SERVER['PHP_AUTH_USER'])){
+ header('WWW-Authenticate: Basic realm="ownCloud Server"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Valid credentials must be supplied';
 exit();
-
- $users = array();
-
- foreach( OC_User::getUsers() as $i ){
- $users[] = array( "username" => $i, "groups" => join( ", ", OC_Group::getUserGroups( $i ) ));
- }
-
- echo json_encode($users);
-
-
+ } else {
+ if(!OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+ exit();
+ }
+ }
 }
+$users = array();
+
+foreach( OC_User::getUsers() as $i ){
+ $users[] = array( "username" => $i, "groups" => join( ", ", OC_Group::getUserGroups( $i ) ));
+}
+
+// We send json data
+header( "Content-Type: application/jsonrequest" );
+echo json_encode($users);
+
 ?>
diff --git a/core/ajax/validateuser.php b/core/ajax/validateuser.php
index 967a5184a2..032948fc33 100644
--- a/core/ajax/validateuser.php
+++ b/core/ajax/validateuser.php
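Review bot: `"groups" => join( ", ", OC_Group::getUserGroups( $i ) )` flattens each user's groups into a single string, so a group name containing a comma cannot be told apart from two groups on the client side; returning the array as-is, `"groups" => OC_Group::getUserGroups( $i )`, preserves the structure and lets `json_encode` do the quoting. Since the endpoint returns every username together with its memberships to any caller that passes the authentication block, it is worth confirming that plain login, rather than administrator status, is the intended bar for this listing.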
@@ -21,37 +21,21 @@
 *
 */
-header("Content-Type: application/jsonrequest");
-
 $RUNTIME_NOAPPS = TRUE; //no apps, yet
-
 require_once('../../lib/base.php');
-$not_installed = !OC_Config::getValue('installed', false);
-
-// First step : check if the server is correctly configured for ownCloud :
-$errors = OC_Util::checkServer();
-if(count($errors) > 0) {
- echo json_encode(array("user_valid" => "false", "comment" => $errors));
-}
-
-// Setup required :
-elseif($not_installed) {
- echo json_encode(array("user_valid" => "false", "comment" => "not_installed"));
-
-}
-
-// Someone wants to check a user:
-elseif(isset($_GET["user"]) and isset($_GET["password"])) {
- if(OC_User::checkPassword($_GET["user"], $_GET["password"]))
- echo json_encode(array("user_valid" => "true", "comment" => ""));
- else
- echo json_encode(array("user_valid" => "false", "comment" => ""));
-}
-
-// For all others cases:
-else {
- echo json_encode(array("user_valid" => "false", "comment" => "unknown"));
+if(!isset($_SERVER['PHP_AUTH_USER'])){
+ header('WWW-Authenticate: Basic realm="ownCloud Server"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Valid credentials must be supplied';
+ exit();
+} else {
+ header("Content-Type: application/jsonrequest");
+ if(OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+ echo json_encode(array("username" => $_SERVER["PHP_AUTH_USER"], "user_valid" => "true"));
+ } else {
+ echo json_encode(array("username" => $_SERVER["PHP_AUTH_USER"], "user_valid" => "false"));
+ }
 }
 ?>
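Review bot: The `installed` and `OC_Util::checkServer()` guards that used to run before the credential check are gone, so `OC_User::checkPassword` is now reached on an unconfigured instance as well; unless base.php already refuses to serve in that state, a short-circuit such as `if(!OC_Config::getValue('installed', false)){ echo json_encode(array("user_valid" => "false", "comment" => "not_installed")); exit(); }` should precede the auth branch. This script answers whether an arbitrary username/password pair is valid to anyone who can reach it, and the new code records nothing on the `"false"` path, so an operator has no signal for repeated failed checks; logging the username and remote address there would close that gap. Basic credentials are only base64-encoded in transit, so the endpoint should be reachable over HTTPS only — a deployment caveat worth a comment next to the `WWW-Authenticate` header. Stylistically, the `else` after `exit()` is redundant and the two `json_encode` calls differ only in `user_valid`; `$valid = OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);` followed by one `echo json_encode(array("username" => $_SERVER["PHP_AUTH_USER"], "user_valid" => $valid ? "true" : "false"));` reads cleaner.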