Block everything if global private mode enabled and user not logged on.

yohan 2015-09-15 02:35:06 +02:00
parent 02185ad7e4
commit 2b4044a26a
2 changed files with 31 additions and 3 deletions


@ -253,10 +253,13 @@ $adminsAreAdvisedTagsFromOtherAdmins = false;
*
* @var array
*/
$reservedusers = array('all', 'watchlist');
$reservedusers = array('all', 'watchlist');
/**
* If global private mode is enabled (everything will be blocked for unlogged users).
* @var boolean
*/
$privatemode = false;
/***************************************************
* Anti SPAM measures
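Review bot: The docblock for `$privatemode` says everything is blocked for unlogged users, but the gate this commit adds in the second file exempts login.php, password.php and any script that includes httpauth.inc.php. The comment should state that, for example `* login.php, password.php and API scripts that include httpauth.inc.php stay reachable.`, so an operator who enables the option knows what remains exposed without logging in.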


@ -171,4 +171,29 @@ if (!defined('UNIT_TEST_MODE') || defined('HTTP_UNIT_TEST_MODE')) {
header('Content-Type: ' . $httpContentType . '; charset=utf-8');
}
}
// 7 // Block everything if global private mode enabled and user not logged on
// This is required to prevent breaking the API. Some API PHP source files include httpauth.inc.php
// which already check if the user is logged on and include www-header.php.
// We also allow password.php so users can reset their password and login.php so they can log in.
if (isset($GLOBALS['privatemode'])) {
if ($GLOBALS['privatemode'] && ! $userservice->isLoggedOn()) {
$flag = 1;
$included_files = get_included_files();
foreach ($included_files as $filename) {
if (strpos($filename,'httpauth.inc.php') !== false || strpos($filename,'password.php') !== false || strpos($filename,'login.php') !== false) {
$flag = 0;
break;
}
}
if ($flag) {
$tplVars['error'] = T_('You must log in.');
$tplVars['subtitle'] = T_('Log In');
$tplVars['formaction'] = createURL('login');
$tplVars['querystring'] = filter($_SERVER['QUERY_STRING']);
$templateservice->loadTemplate('login.tpl', $tplVars);
die();
}
}
}
?>
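Review bot: The exemption test `strpos($filename,'httpauth.inc.php') !== false || …` matches a substring anywhere in the full path of every entry returned by get_included_files(), so the private-mode gate is skipped whenever any included path merely contains one of those names, such as a longer file name ending in `login.php` or a directory named after one of them. Comparing exact base names narrows the exemption to the three intended files: `if (in_array(basename($filename), array('httpauth.inc.php', 'password.php', 'login.php'), true)) {`. The httpauth.inc.php exemption also assumes that file has already rejected unauthenticated requests before this header runs; that is not visible in this hunk and should be confirmed. Separately, the `isset($GLOBALS['privatemode'])` guard means an installation whose config predates this option fails open, which matches the `false` default but is worth a comment.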