From e2750c03fc5569f33395f33637d278bfea2dbcd1 Mon Sep 17 00:00:00 2001
From: Damian Mooyman <damian@silverstripe.com>
Date: Fri, 29 Sep 2017 16:56:56 +1300
Subject: [PATCH] BUG Restore SS_USE_BASIC_AUTH env var Fixes #7268

---
 src/Security/BasicAuth.php | 47 ++++++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php
index 604142e08..6b737deb3 100644
--- a/src/Security/BasicAuth.php
+++ b/src/Security/BasicAuth.php
@@ -8,9 +8,8 @@ use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
 use SilverStripe\Control\HTTPResponse_Exception;
 use SilverStripe\Core\Config\Configurable;
-use SilverStripe\Dev\Debug;
-use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
 use SilverStripe\ORM\Connect\DatabaseException;
+use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
 
 /**
  * Provides an interface to HTTP basic authentication.
@@ -25,6 +24,16 @@ class BasicAuth
 {
     use Configurable;
 
+    /**
+     * Env var to set to enable basic auth
+     */
+    const USE_BASIC_AUTH = 'SS_USE_BASIC_AUTH';
+
+    /**
+     * Default permission code
+     */
+    const AUTH_PERMISSION = 'ADMIN';
+
     /**
      * @config
      * @var Boolean Flag set by {@link self::protect_entire_site()}
@@ -179,10 +188,10 @@ class BasicAuth
      * regular log-in form. This can be useful for test sites, where you want to hide the site
      * away from prying eyes, but still be able to test the regular log-in features of the site.
      *
-     * If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
-     * this feature by adding this line to your .env:
+     * You can also enable this feature by adding this line to your .env. Set this to a permission
+     * code you wish to require.
      *
-     * SS_USE_BASIC_AUTH=1
+     * SS_USE_BASIC_AUTH=ADMIN
      *
      * @param boolean $protect Set this to false to disable protection.
      * @param string $code {@link Permission} code that is required from the user.
@@ -190,7 +199,7 @@ class BasicAuth
      *  of the permission codes a user has.
      * @param string $message
      */
-    public static function protect_entire_site($protect = true, $code = 'ADMIN', $message = null)
+    public static function protect_entire_site($protect = true, $code = self::AUTH_PERMISSION, $message = null)
     {
         static::config()
             ->set('entire_site_protected', $protect)
@@ -211,13 +220,27 @@ class BasicAuth
     {
         $config = static::config();
         $request = Controller::curr()->getRequest();
+
+        // Check if site is protected
         if ($config->get('entire_site_protected')) {
-            static::requireLogin(
-                $request,
-                $config->get('entire_site_protected_message'),
-                $config->get('entire_site_protected_code'),
-                false
-            );
+            $permissionCode = $config->get('entire_site_protected_code');
+        } elseif (getenv(self::USE_BASIC_AUTH)) {
+            // Convert legacy 1 / true to ADMIN permissions
+            $permissionCode = getenv(self::USE_BASIC_AUTH);
+            if (!is_string($permissionCode) || is_numeric($permissionCode)) {
+                $permissionCode = self::AUTH_PERMISSION;
+            }
+        } else {
+            // Not enabled
+            return;
         }
+
+        // Require login
+        static::requireLogin(
+            $request,
+            $config->get('entire_site_protected_message'),
+            $permissionCode,
+            false
+        );
     }
 }