author | friendica <info@friendica.com> | 2014-01-26 14:15:57 -0800 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-01-26 14:15:57 -0800 |
commit | d296b02b0e522dbbd30ad7926e9f80f3c8c04328 (patch) | |
tree | 294c212b656312614ad6fe46863205157e7f85bd | |
parent | 0948c3c3ca5aa3621247c7a77a05ac5acd085459 (diff) | |
The final piece of the DAV authentication puzzle. Provide a directory view to an un-auth'd person (without asking for a password) by adding a query parameter 'davguest=1'. This is a bit of a hack, but there was no response on the official forum about how to do this correctly so it will have to do. On the downside, if permission is denied, it won't ask for a password - but we're talking about unauthenticated folks who didn't go through magic auth so chances are even if they authenticate, permission will still be denied.
-rw-r--r-- | include/conversation.php | 2 | ||||
-rw-r--r-- | mod/cloud.php | 14 |
2 files changed, 10 insertions, 6 deletions
diff --git a/include/conversation.php b/include/conversation.php index cec5993b6..34d661004 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -1481,7 +1481,7 @@ function profile_tabs($a, $is_owner=False, $nickname=Null){ if($p['view_storage']) { $tabs[] = array( 'label' => t('Files'), - 'url' => $a->get_baseurl() . '/cloud/' . $nickname, + 'url' => $a->get_baseurl() . '/cloud/' . $nickname . ((get_observer_hash()) ? '' : '?f=&davguest=1'), 'sel' => ((argv(0) == 'cloud') ? 'active' : ''), 'title' => t('Files and Storage'), 'id' => 'files-tab', diff --git a/mod/cloud.php b/mod/cloud.php index f6ea059ce..18b61f941 100644 --- a/mod/cloud.php +++ b/mod/cloud.php @@ -67,12 +67,18 @@ function cloud_init(&$a) { $auth->observer = $ob_hash; } + if($_GET['davguest']) + $_SESSION['davguest'] = true; + + $_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); + $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); $_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']); $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); + $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); $rootDirectory = new RedDirectory('/',$auth); $server = new DAV\Server($rootDirectory); 
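Review bot: In the first mod/cloud.php hunk, `if($_GET['davguest'])` lets any unauthenticated request set `$_SESSION['davguest']`, and nothing visible in this commit clears it again, so the flag outlives the single directory view it was meant for. Reading the key without an existence check also raises an undefined-index notice on every request that lacks the parameter; `if(x($_GET,'davguest'))` would match the `x($_SESSION,'davguest')` test used in the later hunk. Separately, the added REQUEST_URI `preg_replace` consumes the delimiter that follows the value, so a URI like `/cloud/nick?davguest=1&a=b` appears to collapse to `/cloud/nicka=b`; parsing and rebuilding the query string would avoid that. cloud_init starts and ends outside the hunk.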
@@ -85,12 +91,10 @@ function cloud_init(&$a) { // allow this. This way one can create hotlinks to public media files in their cloud and anonymous viewers won't get asked to login. // If a DIRECTORY is accessed or there are permission issues accessing the file and we aren't previously authenticated via zot, // prompt for HTTP-auth. This will be the default case for mounting a DAV directory. - - // FIXME - we may require one more hack here; to allow an unauthenticated guest to view your file collection (e.g. a DIRECTORY) from - // the web browser interface without prompting for password, but still requiring one for unauthenticated folks using DAV. We may be - // able to do this with a special $_GET request var and a cookie. + // In order to avoid prompting for passwords for viewing a DIRECTORY, add the URL query parameter 'davguest=1' $isapublic_file = false; + $davguest = ((x($_SESSION,'davguest')) ? true : false); if((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) { try { @@ -103,7 +107,7 @@ function cloud_init(&$a) { } } - if((! $auth->observer) && (! $isapublic_file)) { + if((! $auth->observer) && (! $isapublic_file) && (! $davguest)) { try { $auth->Authenticate($server, t('Red Matrix - Guests: Username: {your email address}, Password: +++')); } |
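Review bot: The new `(! $davguest)` term in the last hunk skips `$auth->Authenticate()` for every request method, not only for a browser GET of a directory, so a DAV client whose session already carries the flag is never prompted either, which is the case the removed FIXME wanted to keep behind a password. Access control for such requests then appears to rest entirely on the per-node permission checks behind `RedDirectory`, which this diff does not show. Consider scoping the flag to GET, e.g. `$davguest = (x($_SESSION,'davguest') && $_SERVER['REQUEST_METHOD'] === 'GET');`, and extending the comment to say that the flag only suppresses the password prompt and grants no permission by itself. cloud_init continues outside the hunk.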