redmine_plugins/redmine_dmsf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Only allow anonymous OPTIONS and HEAD if request really is anonymous.

Browse Source
This commit is contained in:
COLA@Redminetest 2016-11-08 22:47:04 +01:00
parent 311eeb86d6
commit 94369569f3
1 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
lib/redmine_dmsf/webdav/resource_proxy.rb
View File

@ -45,19 +45,21 @@ module RedmineDmsf
end
def authenticate(username, password)
# Bugfix: Current DAV4Rack (including production) authenticate against ALL requests
# Microsoft Web Client will not attempt any authentication (it'd seem) until it's acknowledged
# a completed OPTIONS request. Ideally this is a flaw with the controller, however as I'm not
# going to fork it to ensure compliance, checking the request method in the authentication
# seems the next best step, if the request method is OPTIONS return true, controller will simply
# call the options method within, which accesses nothing, just returns headers about dav env.
return true if @request.request_method.downcase == 'options' && (path == '/' || path.empty?)
# Allow anonymous OPTIONS requests from MsOffice
return true if @request.request_method.downcase == 'options' && !@request.user_agent.nil? && @request.user_agent.downcase.include?('microsoft office')
# Allow anonymous HEAD requests from MsOffice
return true if @request.request_method.downcase == 'head' && !@request.user_agent.nil? && request.user_agent.downcase.include?('microsoft office')
unless username && password
# Bugfix: Current DAV4Rack (including production) authenticate against ALL requests
# Microsoft Web Client will not attempt any authentication (it'd seem) until it's acknowledged
# a completed OPTIONS request. Ideally this is a flaw with the controller, however as I'm not
# going to fork it to ensure compliance, checking the request method in the authentication
# seems the next best step, if the request method is OPTIONS return true, controller will simply
# call the options method within, which accesses nothing, just returns headers about dav env.
return true if @request.request_method.downcase == 'options' && (path == '/' || path.empty?)
# Allow anonymous OPTIONS requests from MsOffice
return true if @request.request_method.downcase == 'options' && !@request.user_agent.nil? && @request.user_agent.downcase.include?('microsoft office')
# Allow anonymous HEAD requests from MsOffice
return true if @request.request_method.downcase == 'head' && !@request.user_agent.nil? && request.user_agent.downcase.include?('microsoft office')
end
return false unless username && password
User.current = User.try_to_login(username, password)
return User.current && !User.current.anonymous?