mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-25 01:13:25 +01:00
103 lines
3.3 KiB
PHP
103 lines
3.3 KiB
PHP
<?php
|
|
/**
|
|
* EGroupware - NTLM or other http auth access without login page
|
|
*
|
|
* @link http://www.egroupware.org
|
|
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
|
* @package api
|
|
* @subpackage authentication
|
|
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
|
* @copyright (c) 2008-2016 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
|
* @version $Id$
|
|
*/
|
|
|
|
use EGroupware\Api;
|
|
|
|
/**
|
|
* Check if given domain is either whitelisted, the current one or the EGroupware one
|
|
*
|
|
* Used to NOT redirect to arbitrary urls.
|
|
*
|
|
* @param string $url full url or just path, later is always allowed, as it stays within the domain
|
|
* @return boolean
|
|
*/
|
|
function check_domain($url)
|
|
{
|
|
$whitelisted = array(
|
|
$_SERVER['HTTP_HOST'], // can contain :port
|
|
// add additional domains-names (just full qualified hostnames) here
|
|
|
|
);
|
|
if ($GLOBALS['egw_info']['server']['webserver_url'][0] === 'h')
|
|
{
|
|
$whitelisted[] = parse_url($GLOBALS['egw_info']['server']['webserver_url'], PHP_URL_HOST);
|
|
}
|
|
$parts = parse_url($url);
|
|
$host = $parts['host'].($parts['port'] ? ':'.$parts['port'] : '');
|
|
|
|
return $url[0] == '/' || in_array($host, $whitelisted);
|
|
}
|
|
|
|
/**
|
|
* check if the given user has access
|
|
*
|
|
* Create a session or if the user has no account return authenticate header and 401 Unauthorized
|
|
*
|
|
* @param array &$account
|
|
* @return int session-id
|
|
*/
|
|
function check_access(&$account)
|
|
{
|
|
//error_log("AUTH_TYPE={$_SERVER['AUTH_TYPE']}, REMOTE_USER={$_SERVER['REMOTE_USER']}, HTTP_USER_AGENT={$_SERVER['HTTP_USER_AGENT']}, http_auth_types={$GLOBALS['egw_info']['server']['http_auth_types']}");
|
|
|
|
if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] && isset($_SERVER['AUTH_TYPE']) &&
|
|
isset($GLOBALS['egw_info']['server']['http_auth_types']) && $GLOBALS['egw_info']['server']['http_auth_types'] &&
|
|
in_array(strtoupper($_SERVER['AUTH_TYPE']),explode(',',strtoupper($GLOBALS['egw_info']['server']['http_auth_types']))))
|
|
{
|
|
if (strpos($account=$_SERVER['REMOTE_USER'],'\\') !== false)
|
|
{
|
|
list(,$account) = explode('\\',$account,2);
|
|
}
|
|
$sessionid = $GLOBALS['egw']->session->create($account,null,'ntlm',false,false); // false=no auth check
|
|
//error_log("create('$account',null,'ntlm',false,false)=$sessionid ({$GLOBALS['egw']->session->reason})");
|
|
}
|
|
if (!$sessionid)
|
|
{
|
|
if (isset($_GET['forward']) && check_domain($_GET['forward']))
|
|
{
|
|
header('Location: '.$_GET['forward']);
|
|
}
|
|
else
|
|
{
|
|
header('Location: ../../login.php'.(isset($_REQUEST['phpgw_forward']) ? '?phpgw_forward='.urlencode($_REQUEST['phpgw_forward']) : ''));
|
|
}
|
|
exit;
|
|
}
|
|
return $sessionid;
|
|
}
|
|
|
|
$GLOBALS['egw_info']['flags'] = array(
|
|
'noheader' => True,
|
|
'currentapp' => 'api',
|
|
'autocreate_session_callback' => 'check_access',
|
|
);
|
|
// if you move this file somewhere else, you need to adapt the path to the header!
|
|
include(dirname(__FILE__).'/../../header.inc.php');
|
|
|
|
if (isset($_GET['forward']) && check_domain($_GET['forward']))
|
|
{
|
|
$forward = $_GET['forward'];
|
|
Api\Cache::setSession('login', 'referer', $forward);
|
|
}
|
|
elseif ($_REQUEST['phpgw_forward'])
|
|
{
|
|
$forward = '../..'.(isset($_GET['phpgw_forward']) ? urldecode($_GET['phpgw_forward']) : @$_POST['phpgw_forward']);
|
|
}
|
|
else
|
|
{
|
|
$forward = '../../index.php';
|
|
}
|
|
// commiting the session, before redirecting might fix racecondition in session creation
|
|
$GLOBALS['egw']->session->commit_session();
|
|
header('Location: '.$forward);
|