| author | 2019-01-02 21:43:05 +0100 | |
|---|---|---|
| committer | 2019-01-02 21:43:05 +0100 | |
| commit | 945cf832ad2c20c10704282d03326d8495d0ca4b (patch) | |
| tree | 00b83a1b046d5cfe498e871743c572b826840203 /app/Models | |
| parent | a6623b7b2fa3f026a0ea30e49b1a221f7a4a8e55 (diff) | |
HTTP authentication fixes (#2204)
* Security fixes when HTTP user does not exist in FreshRSS
* Accept HTTP header X-WebAuth-User for delegated HTTP Authentication (e.g. Træfik)
* Document delegated HTTP authentication from https://github.com/FreshRSS/FreshRSS/pull/2202
Diffstat (limited to 'app/Models')
| -rw-r--r-- | app/Models/Auth.php | 9 | ||||
| -rw-r--r-- | app/Models/UserDAO.php | 10 |
2 files changed, 10 insertions, 9 deletions
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index 9c3e31952..513a9cb2f 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -28,13 +28,13 @@ class FreshRSS_Auth {
 
 if (self::$login_ok) {
 self::giveAccess();
- } elseif (self::accessControl()) {
- self::giveAccess();
+ } elseif (self::accessControl() && self::giveAccess()) {
 FreshRSS_UserDAO::touch();
 } else {
 // Be sure all accesses are removed!
 self::removeAccess();
 }
+ return self::$login_ok;
 }
 
 /**
@@ -60,7 +60,7 @@ class FreshRSS_Auth {
 return $current_user != '';
 case 'http_auth':
 $current_user = httpAuthUser();
- $login_ok = $current_user != '';
+ $login_ok = $current_user != '' && FreshRSS_UserDAO::exists($current_user);
 if ($login_ok) {
 Minz_Session::_param('currentUser', $current_user);
 }
@@ -81,7 +81,7 @@ class FreshRSS_Auth {
 $user_conf = get_user_configuration($current_user);
 if ($user_conf == null) {
 self::$login_ok = false;
- return;
+ return false;
 }
 
 $system_conf = Minz_Configuration::get('system');
@@ -102,6 +102,7 @@ class FreshRSS_Auth {
 
 Minz_Session::_param('loginOk', self::$login_ok);
 Minz_Session::_param('REMOTE_USER', httpAuthUser());
+ return self::$login_ok;
 }
 
 /**
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 5fb46c947..e9d3a7329 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -65,7 +65,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
 if ($db['type'] === 'sqlite') {
- return unlink(join_path(DATA_PATH, 'users', $username, 'db.sqlite'));
+ return unlink(USERS_PATH . '/' . $username . '/db.sqlite');
 } else {
 $userPDO = new Minz_ModelPdo($username);
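Review bot: In the `case 'http_auth'` hunk (@@ -60), `FreshRSS_UserDAO::exists($current_user)` resolves to `is_dir(USERS_PATH . '/' . $username)` (see the @@ -81 hunk of UserDAO.php), so the value returned by `httpAuthUser()` — which per the commit message may now come from an `X-WebAuth-User` header set by a proxy — is concatenated into a filesystem path before any format check on the name. Whether `httpAuthUser()` already normalises that value is not visible here; since `touch()` in the same UserDAO hunk already gates on `FreshRSS_user_Controller::checkUsername()`, I would apply the same gate before the probe: `$login_ok = $current_user != '' && FreshRSS_user_Controller::checkUsername($current_user) && FreshRSS_UserDAO::exists($current_user);`. The same applies to `exists()` itself in UserDAO.php, which could return `false` for names failing `checkUsername()` before calling `is_dir()`. The enclosing `accessControl()` starts and ends outside this hunk.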
@@ -81,18 +81,18 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 }
 }
 
- public static function exist($username) {
- return is_dir(join_path(DATA_PATH, 'users', $username));
+ public static function exists($username) {
+ return is_dir(USERS_PATH . '/' . $username);
 }
 
 public static function touch($username = '') {
 if (!FreshRSS_user_Controller::checkUsername($username)) {
 $username = Minz_Session::param('currentUser', '_');
 }
- return touch(join_path(DATA_PATH, 'users', $username, 'config.php'));
+ return touch(USERS_PATH . '/' . $username . '/config.php');
 }
 
 public static function mtime($username) {
- return @filemtime(join_path(DATA_PATH, 'users', $username, 'config.php'));
+ return @filemtime(USERS_PATH . '/' . $username . '/config.php');
 }
 }
