if authenticated via token we have to use the admin connection, but only for the user authenticated as

This commit is contained in:
ralf 2023-08-03 10:22:45 +02:00
parent fb87f5f173
commit da49ce2924
2 changed files with 45 additions and 17 deletions

View File

@ -200,6 +200,11 @@ class Session
*/
public $limits=null;
/**
* @var bool true: authenticated by token, not password, false: authenticated by password
*/
public $token_auth=false;
/**
* Constructor just loads up some defaults from cookies
*
@ -720,6 +725,7 @@ class Session
public function authenticate()
{
$is_valid_token = Auth\Token::authenticate($this->account_lid, $this->passwd, $this->limits);
$this->token_auth = (bool)$is_valid_token;
if (!isset($is_valid_token))
{
return $GLOBALS['egw']->auth->authenticate($this->account_lid, $this->passwd, $this->passwd_type);
@ -994,8 +1000,9 @@ class Session
'session_flags' => $session_flags,
// we need the install-id to differ between several installations sharing one tmp-dir
'session_install_id' => $GLOBALS['egw_info']['server']['install_id'],
// we need to preserve the limits
// we need to preserve the limits and if authenticated via token
'session_limits' => $this->limits,
'session_token_auth' => $this->token_auth,
);
}
@ -1316,8 +1323,9 @@ class Session
}
$session =& $_SESSION[self::EGW_SESSION_VAR];
// we need to restore the limits
// we need to restore the limits and if authenticated via token
$this->limits = $session['session_limits'];
$this->token_auth = $session['session_token_auth'];
if ($session['session_dla'] <= time() - $GLOBALS['egw_info']['server']['sessions_timeout'])
{

View File

@ -53,6 +53,10 @@ class ApiHandler extends Api\CalDAV\Handler
{
$prefix = '/'.Api\Accounts::id2name($user);
if (str_starts_with($path, $prefix)) $path = substr($path, strlen($prefix));
if ($user != $GLOBALS['egw_info']['user']['account_id'])
{
throw new \Exception("/mail is NOT available for users other than the one you authenticated!", 403);
}
}
header('Content-Type: application/json');
@ -192,18 +196,30 @@ class ApiHandler extends Api\CalDAV\Handler
throw new \Exception("Invalid attribute: ".implode(', ', $invalid), 400);
}
$vacation_rule = null;
$sieve = new Api\Mail\Sieve($account->imapServer());
$sieve->setVacation(array_merge([ // some defaults
$vacation = array_merge([ // some defaults
'status' => 'on',
'addresses' => [Api\Accounts::id2name($user, 'account_email')],
'days' => 3,
], $vacation, $update), null, $vacation_rule, true);
echo json_encode([
], $vacation, $update);
// for token-auth we have to use the admin connection
if ($GLOBALS['egw']->session->token_auth)
{
if (!$account->imapServer()->setVacationUser($user, $vacation))
{
throw new \Exception($account->imapServer()->error ?: 'Error updating sieve-script');
}
}
else
{
$sieve = new Api\Mail\Sieve($account->imapServer());
$sieve->setVacation($vacation, null, $vacation_rule, true);
}
echo json_encode(array_filter([
'status' => 200,
'message' => 'Vacation handling updated',
'vacation_rule' => $vacation_rule,
'vacation' => self::returnVacation($account->imapServer()->getVacationUser($user)),
], self::JSON_RESPONSE_OPTIONS);
]), self::JSON_RESPONSE_OPTIONS);
return true;
}
@ -407,6 +423,9 @@ class ApiHandler extends Api\CalDAV\Handler
* @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found')
*/
function get(&$options,$id,$user=null)
{
header('Content-Type: application/json');
try
{
$path = rtrim($options['path'], '/');
if (empty($user))
@ -417,10 +436,11 @@ class ApiHandler extends Api\CalDAV\Handler
{
$prefix = '/'.Api\Accounts::id2name($user);
if (str_starts_with($path, $prefix)) $path = substr($path, strlen($prefix));
}
header('Content-Type: application/json');
try
if ($user != $GLOBALS['egw_info']['user']['account_id'])
{
throw new \Exception("/mail is NOT available for users other than the one you authenticated!", 403);
}
}
switch ($path)
{
case '/mail':