From 9140742fd381626d059500089341c8318633a053 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Sun, 16 May 2010 23:19:01 +0000
Subject: [PATCH] BUGFIX: Fixed bug in basicauth failover to session member. BUGFIX: Don't use session member for test site protection feature.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104962 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 security/BasicAuth.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/security/BasicAuth.php b/security/BasicAuth.php
index 2dc3e9000..ddde81109 100755
--- a/security/BasicAuth.php
+++ b/security/BasicAuth.php
@@ -24,23 +24,25 @@ class BasicAuth {
  *
  * @param string $realm
  * @param string|array $permissionCode
+ * @param boolean $tryUsingSessionLogin If true, then the method with authenticate against the
+ * session log-in if those credentials are disabled.
  * @return Member $member
  */
- static function requireLogin($realm, $permissionCode) {
+ static function requireLogin($realm, $permissionCode, $tryUsingSessionLogin = true) {
  if(!Security::database_is_ready() || Director::is_cli()) return true;
 
- $authenticated = false;
+ $member = null;
 
  if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
  $member = MemberAuthenticator::authenticate(array(
  'Email' => $_SERVER['PHP_AUTH_USER'],
  'Password' => $_SERVER['PHP_AUTH_PW'],
  ), null);
-
- if($member || Member::currentUser()) $authenticated = true;
  }
 
+ if(!$member && $tryUsingSessionLogin) $member = Member::currentUser();
+
  // If we've failed the authentication mechanism, then show the login form
- if(!$authenticated) {
+ if(!$member) {
  header("WWW-Authenticate: Basic realm=\"$realm\"");
  header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
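Review bot: The new `@param boolean $tryUsingSessionLogin` text reads `the method with authenticate against the session log-in if those credentials are disabled`, which is garbled and does not describe what the added line does: the fallback to `Member::currentUser()` runs whenever `$member` is still null, so it applies both when no HTTP Basic credentials were sent and when they were sent but rejected by `MemberAuthenticator::authenticate`. Suggest `@param boolean $tryUsingSessionLogin If true, fall back to the current session log-in when no HTTP Basic credentials are supplied or when they fail to authenticate.` Since in the default mode a wrong Basic password is masked by an existing valid session, the docblock should also say that callers wanting Basic credentials to be authoritative must pass `false`, as `protect_site_if_necessary()` now does. requireLogin's body, presumably including the `$permissionCode` check, continues outside the hunk.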
@@ -107,7 +109,9 @@ class BasicAuth {
  */
  static function protect_site_if_necessary() {
  if(self::$entire_site_protected) {
- self::requireLogin("SilverStripe test website. Use your CMS login.", "ADMIN");
+ // The test-site protection should ignore the session log-in; otherwise it's difficult
+ // to test the log-in features of your site
+ self::requireLogin("SilverStripe test website. Use your CMS login.", "ADMIN", false);
  }
  }