From 94369569f36ed9ca38f479431f364eaba4839bc9 Mon Sep 17 00:00:00 2001
From: "COLA@Redminetest"
Date: Tue, 8 Nov 2016 22:47:04 +0100
Subject: [PATCH] Only allow anonymous OPTIONS and HEAD if request really is anonymous.
---
 lib/redmine_dmsf/webdav/resource_proxy.rb | 26 ++++++++++++-----------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/lib/redmine_dmsf/webdav/resource_proxy.rb b/lib/redmine_dmsf/webdav/resource_proxy.rb
index 0e0c1260..b433b78b 100644
--- a/lib/redmine_dmsf/webdav/resource_proxy.rb
+++ b/lib/redmine_dmsf/webdav/resource_proxy.rb
@@ -45,19 +45,21 @@ module RedmineDmsf
 end
 def authenticate(username, password)
- # Bugfix: Current DAV4Rack (including production) authenticate against ALL requests
- # Microsoft Web Client will not attempt any authentication (it'd seem) until it's acknowledged
- # a completed OPTIONS request. Ideally this is a flaw with the controller, however as I'm not
- # going to fork it to ensure compliance, checking the request method in the authentication
- # seems the next best step, if the request method is OPTIONS return true, controller will simply
- # call the options method within, which accesses nothing, just returns headers about dav env.
- return true if @request.request_method.downcase == 'options' && (path == '/' || path.empty?)
-
- # Allow anonymous OPTIONS requests from MsOffice
- return true if @request.request_method.downcase == 'options' && !@request.user_agent.nil? && @request.user_agent.downcase.include?('microsoft office')
- # Allow anonymous HEAD requests from MsOffice
- return true if @request.request_method.downcase == 'head' && !@request.user_agent.nil? && request.user_agent.downcase.include?('microsoft office')
+ unless username && password
+ # Bugfix: Current DAV4Rack (including production) authenticate against ALL requests
+ # Microsoft Web Client will not attempt any authentication (it'd seem) until it's acknowledged
+ # a completed OPTIONS request. Ideally this is a flaw with the controller, however as I'm not
+ # going to fork it to ensure compliance, checking the request method in the authentication
+ # seems the next best step, if the request method is OPTIONS return true, controller will simply
+ # call the options method within, which accesses nothing, just returns headers about dav env.
+ return true if @request.request_method.downcase == 'options' && (path == '/' || path.empty?)
+ # Allow anonymous OPTIONS requests from MsOffice
+ return true if @request.request_method.downcase == 'options' && !@request.user_agent.nil? && @request.user_agent.downcase.include?('microsoft office')
+ # Allow anonymous HEAD requests from MsOffice
+ return true if @request.request_method.downcase == 'head' && !@request.user_agent.nil? && request.user_agent.downcase.include?('microsoft office')
+ end
+ return false unless username && password
 User.current = User.try_to_login(username, password)
 return User.current && !User.current.anonymous?