From f90b3b60cb04b63386c9d16eb8dcb6530df979a0 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sun, 26 Jan 2014 02:58:03 -0800
Subject: don't prompt guests for a password if they're accessing an embedded
 public file.

---
 include/security.php |  2 +-
 mod/cloud.php        | 24 ++++++++++++++++++++++--
 version.inc          |  2 +-
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/include/security.php b/include/security.php
index 4a15e52af..5e86cf790 100644
--- a/include/security.php
+++ b/include/security.php
@@ -61,7 +61,7 @@ function change_channel($change_channel) {
 			intval(PAGE_REMOVED)
 		);
 
-	if($r) {
+		if($r) {
 			$hash = $r[0]['channel_hash'];
 			$_SESSION['uid'] = intval($r[0]['channel_id']);
 			get_app()->set_channel($r[0]);
diff --git a/mod/cloud.php b/mod/cloud.php
index de42249fe..f6ea059ce 100644
--- a/mod/cloud.php
+++ b/mod/cloud.php
@@ -74,7 +74,6 @@ function cloud_init(&$a) {
 	$_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']);
 	$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
 
-
 	$rootDirectory = new RedDirectory('/',$auth);
 	$server = new DAV\Server($rootDirectory);
 	$lockBackend = new DAV\Locks\Backend\File('store/[data]/locks');
@@ -82,8 +81,29 @@ function cloud_init(&$a) {
 
 	$server->addPlugin($lockPlugin);
 
+	// The next section of code allows us to bypass prompting for http-auth if a FILE is being accessed anonymously and permissions
+	// allow this. This way one can create hotlinks to public media files in their cloud and anonymous viewers won't get asked to login.
+	// If a DIRECTORY is accessed or there are permission issues accessing the file and we aren't previously authenticated via zot, 
+	// prompt for HTTP-auth. This will be the default case for mounting a DAV directory. 
+
+	// FIXME - we may require one more hack here; to allow an unauthenticated guest to view your file collection (e.g. a DIRECTORY) from 
+	// the web browser interface without prompting for password, but still requiring one for unauthenticated folks using DAV. We may be 
+	// able to do this with a special $_GET request var and a cookie.  
+
+	$isapublic_file = false;
+
+	if((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
+		try { 
+			$x = RedFileData('/' . $a->cmd,$auth);
+			if($x instanceof RedFile)
+				$isapublic_file = true;
+		}
+		catch  ( Exception $e ) {
+			$isapublic_file = false;
+		}
+	}
 
-	if(! $auth->observer) {
+	if((! $auth->observer) && (! $isapublic_file)) {
 		try {
 			$auth->Authenticate($server, t('Red Matrix - Guests: Username: {your email address}, Password: +++'));
 		}
diff --git a/version.inc b/version.inc
index f55fb683d..d85ee0ed2 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2014-01-25.568
+2014-01-26.569
-- 
cgit v1.2.3