authorfriendica <info@friendica.com>2014-01-26 14:15:57 -0800
committerfriendica <info@friendica.com>2014-01-26 14:15:57 -0800
commitd296b02b0e522dbbd30ad7926e9f80f3c8c04328 (patch)
tree294c212b656312614ad6fe46863205157e7f85bd
parent0948c3c3ca5aa3621247c7a77a05ac5acd085459 (diff)
downloadvolse-hubzilla-d296b02b0e522dbbd30ad7926e9f80f3c8c04328.tar.gz
volse-hubzilla-d296b02b0e522dbbd30ad7926e9f80f3c8c04328.tar.bz2
volse-hubzilla-d296b02b0e522dbbd30ad7926e9f80f3c8c04328.zip
The final piece of the DAV authentication puzzle. Provide a directory view to an un-auth'd person (without asking for a password) by adding a query parameter 'davguest=1'. This is a bit of a hack, but there was no response on the official forum about how to do this correctly so it will have to do. On the downside, if permission is denied, it won't ask for a password - but we're talking about unauthenticated folks who didn't go through magic auth so chances are even if they authenticate, permission will still be denied.
-rw-r--r--include/conversation.php2
-rw-r--r--mod/cloud.php14
2 files changed, 10 insertions, 6 deletions
diff --git a/include/conversation.php b/include/conversation.php
index cec5993b6..34d661004 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -1481,7 +1481,7 @@ function profile_tabs($a, $is_owner=False, $nickname=Null){
if($p['view_storage']) {
$tabs[] = array(
'label' => t('Files'),
- 'url' => $a->get_baseurl() . '/cloud/' . $nickname,
+ 'url' => $a->get_baseurl() . '/cloud/' . $nickname . ((get_observer_hash()) ? '' : '?f=&davguest=1'),
'sel' => ((argv(0) == 'cloud') ? 'active' : ''),
'title' => t('Files and Storage'),
'id' => 'files-tab',
diff --git a/mod/cloud.php b/mod/cloud.php
index f6ea059ce..18b61f941 100644
--- a/mod/cloud.php
+++ b/mod/cloud.php
@@ -67,12 +67,18 @@ function cloud_init(&$a) {
$auth->observer = $ob_hash;
}
+ if($_GET['davguest'])
+ $_SESSION['davguest'] = true;
+
+
$_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']);
$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
+ $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
$_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']);
$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
+ $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
$rootDirectory = new RedDirectory('/',$auth);
$server = new DAV\Server($rootDirectory);
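Review bot: `$_SESSION['davguest']` is set from a client-supplied query parameter and nothing in the visible hunks ever clears it, so a single request carrying `davguest=1` suppresses the password prompt for the rest of that session, not just for the directory view that was requested. Reading `$_GET['davguest']` without an existence check also raises an undefined-index notice on every request that lacks the parameter; `if(x($_GET,'davguest'))` would be consistent with the `x($_SESSION,'davguest')` test added further down in this commit. Separately, the new `preg_replace` pattern needs a leading `?` or `&`, so it will not strip `davguest` from `$_SERVER['QUERY_STRING']` when it is the first parameter, and it also consumes the delimiter that follows the value; both are inherited from the `zid` pattern it was copied from. cloud_init starts and ends outside this hunk.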
@@ -85,12 +91,10 @@ function cloud_init(&$a) {
// allow this. This way one can create hotlinks to public media files in their cloud and anonymous viewers won't get asked to login.
// If a DIRECTORY is accessed or there are permission issues accessing the file and we aren't previously authenticated via zot,
// prompt for HTTP-auth. This will be the default case for mounting a DAV directory.
-
- // FIXME - we may require one more hack here; to allow an unauthenticated guest to view your file collection (e.g. a DIRECTORY) from
- // the web browser interface without prompting for password, but still requiring one for unauthenticated folks using DAV. We may be
- // able to do this with a special $_GET request var and a cookie.
+ // In order to avoid prompting for passwords for viewing a DIRECTORY, add the URL query parameter 'davguest=1'
$isapublic_file = false;
+ $davguest = ((x($_SESSION,'davguest')) ? true : false);
if((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
try {
@@ -103,7 +107,7 @@ function cloud_init(&$a) {
}
}
- if((! $auth->observer) && (! $isapublic_file)) {
+ if((! $auth->observer) && (! $isapublic_file) && (! $davguest)) {
try {
$auth->Authenticate($server, t('Red Matrix - Guests: Username: {your email address}, Password: +++'));
}
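Review bot: The added `(! $davguest)` term skips `$auth->Authenticate()` for every request method, while the commit message only describes an anonymous directory view in the browser. With the session flag set, non-GET DAV requests from the same session are no longer challenged either, so access control then rests entirely on the permission checks inside `RedDirectory` and its nodes, which are not visible in this diff. Scoping the bypass to reads would keep the stated behaviour and leave the challenge in place elsewhere, for example `if((! $auth->observer) && (! $isapublic_file) && (! ($davguest && $_SERVER['REQUEST_METHOD'] === 'GET'))) {`. The rest of cloud_init lies outside the hunk, so any later handling of the guest case should be checked there.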