From 3affb2e8172b4cc673aafe9551c21dad6f606d87 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Wed, 20 Jul 2016 17:55:40 -0700
Subject: sort out some of the authentication mess - with luck this may fix the
 DAV auth issue which I simply could not duplicate or find a reason for.

---
 Zotlabs/Module/Dav.php           | 85 ++--------------------------------------
 Zotlabs/Module/Login.php         |  3 ++
 Zotlabs/Module/Openid.php        |  2 +-
 Zotlabs/Module/Register.php      |  2 +-
 Zotlabs/Module/Removeaccount.php |  3 +-
 Zotlabs/Module/Removeme.php      |  4 +-
 Zotlabs/Storage/BasicAuth.php    | 37 ++++++-----------
 7 files changed, 26 insertions(+), 110 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php
index ba2394388..aaf69844c 100644
--- a/Zotlabs/Module/Dav.php
+++ b/Zotlabs/Module/Dav.php
@@ -48,55 +48,13 @@ class Dav extends \Zotlabs\Web\Controller {
 		if (! is_dir('store'))
 			os_mkdir('store', STORAGE_DEFAULT_PERMISSIONS, false);
 	
-		$which = null;
 		if (argc() > 1)
-			$which = argv(1);
+			profile_load(argv(1),0);
 	
-		$profile = 0;
-	
-		\App::$page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . z_root() . '/feed/' . $which . '" />' . "\r\n";
-	
-		if ($which)
-			profile_load( $which, $profile);
-	
-
-
 
 		$auth = new \Zotlabs\Storage\BasicAuth();
-		$auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . 'WebDAV');
-
-//		$authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function($userName,$password) {
-//			if(account_verify_password($userName,$password))
-//				return true;
-//			return false;
-//		});
+		$auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . ' ' . 'WebDAV');
 
-//		$ob_hash = get_observer_hash();
-	
-//		if ($ob_hash) {
-//			if (local_channel()) {
-//				$channel = \App::get_channel();
-//				$auth->setCurrentUser($channel['channel_address']);
-//				$auth->channel_id = $channel['channel_id'];
-//				$auth->channel_hash = $channel['channel_hash'];
-//				$auth->channel_account_id = $channel['channel_account_id'];
-//				if($channel['channel_timezone'])
-//					$auth->setTimezone($channel['channel_timezone']);
-//			}
-//			$auth->observer = $ob_hash;
-//		}
-	
-//		if ($_GET['davguest'])
-//			$_SESSION['davguest'] = true;
-	
-//		$_SERVER['QUERY_STRING'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['QUERY_STRING']);
-//		$_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
-//		$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['QUERY_STRING']);
-//	
-//		$_SERVER['REQUEST_URI'] = str_replace(array('?f=', '&f='), array('', ''), $_SERVER['REQUEST_URI']);
-//		$_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
-//		$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism', '', $_SERVER['REQUEST_URI']);
-	
 		$rootDirectory = new \Zotlabs\Storage\Directory('/', $auth);
 	
 		// A SabreDAV server-object
@@ -113,48 +71,13 @@ class Dav extends \Zotlabs\Web\Controller {
 	
 		$server->addPlugin($lockPlugin);
 	
-		// The next section of code allows us to bypass prompting for http-auth if a
-		// FILE is being accessed anonymously and permissions allow this. This way
-		// one can create hotlinks to public media files in their cloud and anonymous
-		// viewers won't get asked to login.
-		// If a DIRECTORY is accessed or there are permission issues accessing the
-		// file and we aren't previously authenticated via zot, prompt for HTTP-auth.
-		// This will be the default case for mounting a DAV directory. 
-		// In order to avoid prompting for passwords for viewing a DIRECTORY, add
-		// the URL query parameter 'davguest=1'.
-	
-//		$isapublic_file = false;
-//		$davguest = ((x($_SESSION, 'davguest')) ? true : false);
-	
-//		if ((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
-//			try { 
-//				$x = RedFileData('/' . \App::$cmd, $auth);
-//				if($x instanceof \Zotlabs\Storage\File)
-//					$isapublic_file = true;
-//			}
-//			catch (Exception $e) {
-//				$isapublic_file = false;
-//			}
-//		}
-	
-//		if ((! $auth->observer) && (! $isapublic_file) && (! $davguest)) {
-//			try {
-//				$auth->Authenticate($server, t('$Projectname channel'));
-//			}
-//			catch (Exception $e) {
-//				logger('mod_cloud: auth exception' . $e->getMessage());
-//				http_status_exit($e->getHTTPCode(), $e->getMessage());
-//			}
-//		}
-	
-	//	require_once('Zotlabs/Storage/Browser.php');
 		// provide a directory view for the cloud in Hubzilla
 		$browser = new \Zotlabs\Storage\Browser($auth);
 		$auth->setBrowserPlugin($browser);
 	
 		// Experimental QuotaPlugin
-	//	require_once('Zotlabs/Storage/QuotaPlugin.php');
-	//	$server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth));
+		// require_once('Zotlabs/Storage/QuotaPlugin.php');
+		// $server->addPlugin(new \Zotlabs\Storage\QuotaPlugin($auth));
 	
 		// All we need to do now, is to fire up the server
 		$server->exec();
diff --git a/Zotlabs/Module/Login.php b/Zotlabs/Module/Login.php
index ff75e5268..ae35b922f 100644
--- a/Zotlabs/Module/Login.php
+++ b/Zotlabs/Module/Login.php
@@ -7,6 +7,9 @@ class Login extends \Zotlabs\Web\Controller {
 	function get() {
 		if(local_channel())
 			goaway(z_root());
+		if(remote_channel() && $_SESSION['atoken'])
+			goaway(z_root());
+
 		return login((\App::$config['system']['register_policy'] == REGISTER_CLOSED) ? false : true);
 	}
 	
diff --git a/Zotlabs/Module/Openid.php b/Zotlabs/Module/Openid.php
index 7a6e4a81f..8cbc6d2fd 100644
--- a/Zotlabs/Module/Openid.php
+++ b/Zotlabs/Module/Openid.php
@@ -48,7 +48,7 @@ class Openid extends \Zotlabs\Web\Controller {
 									$_SESSION['uid'] = $r[0]['channel_id'];
 									$_SESSION['account_id'] = $r[0]['channel_account_id'];
 									$_SESSION['authenticated'] = true;
-									authenticate_success($record,true,true,true,true);
+									authenticate_success($record,$r[0],true,true,true,true);
 									goaway(z_root());
 								}
 							}
diff --git a/Zotlabs/Module/Register.php b/Zotlabs/Module/Register.php
index 6afa4a94c..45123b88d 100644
--- a/Zotlabs/Module/Register.php
+++ b/Zotlabs/Module/Register.php
@@ -146,7 +146,7 @@ class Register extends \Zotlabs\Web\Controller {
 			goaway(z_root());
 		}
 	
-		authenticate_success($result['account'],true,false,true);
+		authenticate_success($result['account'],null,true,false,true);
 		
 		$new_channel = false;
 		$next_page = 'new_channel';
diff --git a/Zotlabs/Module/Removeaccount.php b/Zotlabs/Module/Removeaccount.php
index 39e06bb7f..9fac7838e 100644
--- a/Zotlabs/Module/Removeaccount.php
+++ b/Zotlabs/Module/Removeaccount.php
@@ -25,7 +25,8 @@ class Removeaccount extends \Zotlabs\Web\Controller {
 		$account = \App::get_account();
 		$account_id = get_account_id();
 	
-		if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
+		$x = account_verify_password($account['account_email'],$_POST['qxz_password']);
+		if(! ($x && $x['account']))
 			return;
 	
 		if($account['account_password_changed'] != NULL_DATE) {
diff --git a/Zotlabs/Module/Removeme.php b/Zotlabs/Module/Removeme.php
index e611d8112..bc18fe0f8 100644
--- a/Zotlabs/Module/Removeme.php
+++ b/Zotlabs/Module/Removeme.php
@@ -24,7 +24,9 @@ class Removeme extends \Zotlabs\Web\Controller {
 	
 		$account = \App::get_account();
 	
-		if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
+	
+		$x = account_verify_password($account['account_email'],$_POST['qxz_password']);
+		if(! ($x && $x['account']))
 			return;
 	
 		if($account['account_password_changed'] != NULL_DATE) {
diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php
index 9c73b47b9..67617b637 100644
--- a/Zotlabs/Storage/BasicAuth.php
+++ b/Zotlabs/Storage/BasicAuth.php
@@ -91,33 +91,20 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic {
 
 		require_once('include/auth.php');
 		$record = account_verify_password($username, $password);
-		if ($record && $record['account_default_channel']) {
-			$r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1",
-				intval($record['account_id']),
-				intval($record['account_default_channel'])
-			);
-			if($r && $this->check_module_access($r[0]['channel_id'])) {
-				return $this->setAuthenticated($r[0]);
+		if($record && $record['account']) {
+			if($record['channel'])
+				$channel = $record['channel'];
+			else {
+				$r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1",
+					intval($record['account']['account_id']),
+					intval($record['account']['account_default_channel'])
+				);
+				if($r)
+					$channel = $r[0];
 			}
 		}
-		$r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1",
-			dbesc($username)
-		);
-		if ($r) {
-			$x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1",
-				intval($r[0]['channel_account_id'])
-			);
-			if ($x) {
-				// @fixme this foreach should not be needed?
-				foreach ($x as $record) {
-					if ((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED))
-					&& (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) {
-						logger('password verified for ' . $username);
-						if($this->check_module_access($r[0]['channel_id']))
-							return $this->setAuthenticated($r[0]);
-					}
-				}
-			}
+		if($channel && $this->check_module_access($channel['channel_id'])) {
+			return $this->setAuthenticated($channel);
 		}
 
 		if($this->module_disabled)
-- 
cgit v1.2.3