From f34c8ef4ecc6f10eedf7ab5813b9242934b38ab8 Mon Sep 17 00:00:00 2001
From: "COLA@Redminetest" <carloskar.larsson@gmail.com>
Date: Tue, 8 Nov 2016 14:45:57 +0100
Subject: [PATCH] Anonymous OPTIONS and HEAD requests are only allowed from
 Microsoft Office clients.

---
 lib/redmine_dmsf/webdav/resource_proxy.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/redmine_dmsf/webdav/resource_proxy.rb b/lib/redmine_dmsf/webdav/resource_proxy.rb
index 06999d0d..864d57f6 100644
--- a/lib/redmine_dmsf/webdav/resource_proxy.rb
+++ b/lib/redmine_dmsf/webdav/resource_proxy.rb
@@ -51,12 +51,12 @@ module RedmineDmsf
         # going to fork it to ensure compliance, checking the request method in the authentication
         # seems the next best step, if the request method is OPTIONS return true, controller will simply
         # call the options method within, which accesses nothing, just returns headers about dav env.
-        #return true if @request.request_method.downcase == 'options' && (path == '/' || path.empty?)
+        return true if @request.request_method.downcase == 'options' && (path == '/' || path.empty?)
 
-        # Allow anonymous OPTIONS requests.
-        return true if @request.request_method.downcase == 'options'
-        # Allow anonymous HEAD requests.
-        return true if @request.request_method.downcase == 'head'
+        # Allow anonymous OPTIONS requests from MsOffice
+        return true if @request.request_method.downcase == 'options' && @request.user_agent.downcase.include?('microsoft office')
+        # Allow anonymous HEAD requests from MsOffice
+        return true if @request.request_method.downcase == 'head' && request.user_agent.downcase.include?('microsoft office')
 
         return false unless username && password
         User.current = User.try_to_login(username, password)