Ajout de verification sur auth_headers dans le controlleur Files

auth_headers n etait pas verifie sur l upload, le download et d autres methodes.
Cela pourrait permettre de les appeler meme sans etre authentifie.

L appel initial a Files/files n est pas verifie pour auth_headers car la redirection vers login n est pas utile.
En effet, c est un composant externe qui configure le header d authentification, il ne faut pas renvoyer vers une page de login interne.
mildis 2022-04-03 10:31:54 +02:00
parent 537764508d
commit cf85571f05
1 changed files with 4 additions and 4 deletions


@ -27,7 +27,7 @@ sub upload {
my $invitation;
my $token = $c->session->{guest_token};
$invitation = Lufi::DB::Invitation->new(app => $c->app)->from_token($token) if $token;
if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd'))) || $c->is_user_authenticated || $invitation) {
if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd')) && !defined($c->config('auth_headers'))) || $c->is_user_authenticated || $invitation) {
$c->inactivity_timeout(30000000);
$c->app->log->debug('Client connected');
@ -161,7 +161,7 @@ sub upload {
my $creator = $c->ip;
# Authenticated user logging
if ((defined($c->config('ldap')) || defined($c->config('htpasswd'))) && !$invitation) {
if ((defined($c->config('ldap')) || defined($c->config('htpasswd')) || defined($c->config('auth_headers'))) && !$invitation) {
$creator = sprintf('User: %s, IP: %s', $c->current_user->{username}, $creator);
}
# Guest user logging
@ -401,7 +401,7 @@ sub get_counter {
my $short = $c->param('short');
my $token = $c->param('token');
if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd'))) || $c->is_user_authenticated) {
if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd')) && !defined($c->config('auth_headers'))) || $c->is_user_authenticated) {
my $ldfile = Lufi::DB::File->new(app => $c->app)->from_short($short);
if (defined $ldfile) {
@ -451,7 +451,7 @@ sub delete {
my $short = $c->param('short');
my $token = $c->param('token');
if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd'))) || $c->is_user_authenticated) {
if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd')) && !defined($c->config('auth_headers'))) || $c->is_user_authenticated) {
my $ldfile = Lufi::DB::File->new(app => $c->app)->from_short($short);
$ldfile = undef unless (defined($ldfile) && $ldfile->mod_token eq $token);
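Review bot: The "is any auth backend configured" test is still spelled out by hand at every call site (the `if` guards in `upload`, `get_counter` and `delete`, plus the logging branch in `upload`), and it fails open: any backend missing from the list makes the guard read as "no auth configured", so the request is served without authentication, which is exactly the gap this commit closes for `auth_headers`. I would put the test in one helper (the name is only a suggestion), `sub _auth_configured { my $c = shift; return defined($c->config('ldap')) || defined($c->config('htpasswd')) || defined($c->config('auth_headers')); }`, and write each guard as `if (!$c->_auth_configured || $c->is_user_authenticated)` (with `|| $invitation` in `upload`), so that a future backend is added in one place. The rest of each sub, including what is returned when the guard is false, lies outside the hunks, so the denial path could not be checked here. Separately, since the description says an external component sets the authentication header, it is worth confirming that the front-end strips any client-supplied copy of that header and that the application is not reachable around it; how `is_user_authenticated` derives from the header is not visible in this diff.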