Commit Graph

14 Commits

Author SHA1 Message Date
Lukas Reschke 476579b9c6 Fix WebDAV auth for session authentication only
\Sabre\DAV\Auth\Backend\AbstractBasic::authenticate was only calling \OC_Connector_Sabre_Auth::validateUserPass when the response of \Sabre\HTTP\BasicAuth::getUserPass was not null.

However, there is a case where the value can be null and the user could be authenticated anyways: The authentication via ownCloud web-interface and then accessing WebDAV resources. This was not possible anymore with this patch because it never reached the code path in this scenario.

This patchs allows authenticating with a session without isDavAuthenticated value stored (this is for ugly WebDAV clients that send the cookie in any case) and thus the functionality should work again.

To test this go to the admin settings and test if the WebDAV check works fine. Furthermore all the usual stuff (WebDAV / Shibboleth / etc...) needs testing as well.
2015-01-20 10:03:14 +01:00
Lukas Reschke 730460c9fa Close session properly 2015-01-19 16:25:44 +01:00
Lukas Reschke dfbc405a45 Prioritise Basic Auth header over Cookie
There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header.

This patch adds a workaround the following way:

1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF)
2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth

Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well.

This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-17 13:29:07 +01:00
Jörn Friedrich Dreyer f551917a3c kill OC::$session
maintain deprecated \OC::$session when getting or setting the session via the server container or UserSession

restore order os OC::$session and OC::$CLI

remove unneded initialization of dummy session

write back session when $useCustomSession is true

log warning when deprecated app is used
2014-08-29 10:22:21 +02:00
Thomas Müller 76e04027bc Upgrade SabreDAV to 1.8.10
Updating SabreDAV namespaces
2014-06-04 12:22:23 +02:00
Robin McCorkell 87b548ed91 Fix all PHPDoc types and variable names, in /lib 2014-05-13 19:08:14 +01:00
Thomas Müller f0603a971d close the session for all DAV calls right after authentication - no need to write to the session afterwards 2014-03-10 14:40:36 +01:00
Niklas Sombert 4c179850ab Revert "Added support for extra backends (see pull request #5043)"
This reverts commit 2d75914f2a, reversing
changes made to 760fa9ea30.
2014-01-01 13:43:23 +01:00
Niklas Sombert 2d75914f2a Added support for extra backends (see pull request #5043)
Somebody had forgotten "OC_User::setupBackends();"...
2014-01-01 11:53:27 +01:00
Thomas Müller 5318df3b3c there shall be tabs 2013-10-14 14:51:25 +02:00
Thomas Müller fb3829e8b8 file system is now initialized with apache authentication as well 2013-10-14 14:46:43 +02:00
Thomas Müller 4cecede13d code cleanup - remove special case for webdav in handleApacheAuth() 2013-10-02 00:55:35 +02:00
Thomas Müller 7e9e23f210 Merge branch 'master' into apache-auth-master 2013-10-02 00:21:11 +02:00
Thomas Müller 9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public
Conflicts:
	lib/private/vcategories.php
2013-09-30 16:36:59 +02:00