From 7abec0a5d67cdc219282336c9098753fa062e604 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Fri, 26 Mar 2021 18:58:45 +0100 Subject: [PATCH] fix not used APi rights for mounted eTemplates in anonymous sessions --- webdav.php | 59 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/webdav.php b/webdav.php index 1fc89b79ac..d7a2ad3eaf 100644 --- a/webdav.php +++ b/webdav.php @@ -16,14 +16,13 @@ * @package api * @subpackage vfs * @author Ralf Becker - * @copyright (c) 2006-16 by Ralf Becker - * @version $Id$ + * @copyright (c) 2006-21 by Ralf Becker */ use EGroupware\Api; use EGroupware\Api\Vfs; -$starttime = microtime(true); +//$starttime = microtime(true); /** * check if the given user has access @@ -46,7 +45,33 @@ $GLOBALS['egw_info'] = array( 'flags' => array( 'disable_Template_class' => True, 'noheader' => True, - 'currentapp' => preg_match('|/webdav.php/apps/([A-Za-z0-9_-]+)/|', $_SERVER['REQUEST_URI'], $matches) ? $matches[1] : 'filemanager', + 'currentapp' => (static function($uri) + { + if (preg_match('#/webdav.php/(etemplates|apps/([A-Za-z0-9_-]+)|home/'. + preg_quote($GLOBALS['egw_info']['user']['account_lid'], '#').'/.tmp)/#', $uri, $matches)) + { + if (!empty($matches[2])) + { + $app = $matches[2]; + } + // allow access to mounted eTemplates and temp file upload + else + { + return 'api'; + } + } + else + { + $app = 'filemanager'; + } + if (empty($GLOBALS['egw_info']['user']['apps'][$app]) && + (!empty($GLOBALS['egw_info']['user']['apps'][$a='filemanager']) || + !empty($GLOBALS['egw_info']['user']['apps'][$a='sitemgr-link']))) + { + $app = $a; + } + return $app; + })($_SERVER['REQUEST_URI']), 'autocreate_session_callback' => 'check_access', 'no_exception_handler' => 'basic_auth', // we use a basic auth exception handler (sends exception message as basic auth realm) 'auth_realm' => 'EGroupware WebDAV server', // cant use Vfs\WebDAV::REALM as autoloading and include path not yet setup! @@ -54,31 +79,7 @@ $GLOBALS['egw_info'] = array( ); // if you move this file somewhere else, you need to adapt the path to the header! -try -{ - include(dirname(__FILE__).'/header.inc.php'); -} -catch (Api\Exception\NoPermission\App $e) -{ - if (isset($GLOBALS['egw_info']['user']['apps']['filemanager'])) - { - $GLOBALS['egw_info']['currentapp'] = 'filemanager'; - } - elseif (isset($GLOBALS['egw_info']['user']['apps']['sitemgr-link'])) - { - $GLOBALS['egw_info']['currentapp'] = 'sitemgr-link'; - } - // allow access to mounted eTemplates, if there are no filemanager or sitemgr-link app rights - // and still allow for temp file upload. - elseif (preg_match("/\/webdav\.php\/etemplates\/|\/webdav.php\/home\/".$GLOBALS['egw_info']['user']['account_lid']."\/.tmp\//", $_SERVER['REQUEST_URI'])) - { - $GLOBALS['egw_info']['currentapp'] = 'api'; - } - else - { - throw $e; - } -} +require_once __DIR__.'/header.inc.php'; //$headertime = microtime(true); // webdav is stateless: we dont need to keep the session open, it only blocks other calls to same basic-auth session