Merge pull request #7414 from open-sausages/pulls/4.0/basic-auth-var

BUG Restore SS_USE_BASIC_AUTH env var
2024-10-22 14:05:37 +02:00 · 2017-10-02 15:11:19 +13:00 · 2017-10-02 15:11:19 +13:00 · b219e40ff7
commit b219e40ff7
parent fe98555d0a e2750c03fc
1 changed files with 35 additions and 12 deletions
--- a/src/Security/BasicAuth.php
+++ b/src/Security/BasicAuth.php
@ -8,9 +8,8 @@ use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
 use SilverStripe\Control\HTTPResponse_Exception;
 use SilverStripe\Core\Config\Configurable;
-use SilverStripe\Dev\Debug;
-use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
 use SilverStripe\ORM\Connect\DatabaseException;
+use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;

 /**
 * Provides an interface to HTTP basic authentication.
@ -25,6 +24,16 @@ class BasicAuth
 {
    use Configurable;

+    /**
+     * Env var to set to enable basic auth
+     */
+    const USE_BASIC_AUTH = 'SS_USE_BASIC_AUTH';
+
+    /**
+     * Default permission code
+     */
+    const AUTH_PERMISSION = 'ADMIN';
+
    /**
     * @config
     * @var Boolean Flag set by {@link self::protect_entire_site()}
@ -179,10 +188,10 @@ class BasicAuth
     * regular log-in form. This can be useful for test sites, where you want to hide the site
     * away from prying eyes, but still be able to test the regular log-in features of the site.
     *
-     * If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
-     * this feature by adding this line to your .env:
+     * You can also enable this feature by adding this line to your .env. Set this to a permission
+     * code you wish to require.
     *
-     * SS_USE_BASIC_AUTH=1
+     * SS_USE_BASIC_AUTH=ADMIN
     *
     * @param boolean $protect Set this to false to disable protection.
     * @param string $code {@link Permission} code that is required from the user.
@ -190,7 +199,7 @@ class BasicAuth
     *  of the permission codes a user has.
     * @param string $message
     */
-    public static function protect_entire_site($protect = true, $code = 'ADMIN', $message = null)
+    public static function protect_entire_site($protect = true, $code = self::AUTH_PERMISSION, $message = null)
    {
        static::config()
            ->set('entire_site_protected', $protect)
@ -211,13 +220,27 @@ class BasicAuth
    {
        $config = static::config();
        $request = Controller::curr()->getRequest();
+
+        // Check if site is protected
        if ($config->get('entire_site_protected')) {
-            static::requireLogin(
-                $request,
-                $config->get('entire_site_protected_message'),
-                $config->get('entire_site_protected_code'),
-                false
-            );
+            $permissionCode = $config->get('entire_site_protected_code');
+        } elseif (getenv(self::USE_BASIC_AUTH)) {
+            // Convert legacy 1 / true to ADMIN permissions
+            $permissionCode = getenv(self::USE_BASIC_AUTH);
+            if (!is_string($permissionCode) || is_numeric($permissionCode)) {
+                $permissionCode = self::AUTH_PERMISSION;
+            }
+        } else {
+            // Not enabled
+            return;
        }
+
+        // Require login
+        static::requireLogin(
+            $request,
+            $config->get('entire_site_protected_message'),
+            $permissionCode,
+            false
+        );
    }
 }