[Fusionforge-commits] r11955 - trunk/src/www/docman

Franck VILLAUME nerville at libremir.placard.fr.eu.org
Mon Jan 10 15:11:08 CET 2011


Author: nerville
Date: 2011-01-10 15:11:08 +0100 (Mon, 10 Jan 2011)
New Revision: 11955

Modified:
   trunk/src/www/docman/view.php
Log:
hardening webdav interface check

Modified: trunk/src/www/docman/view.php
===================================================================
--- trunk/src/www/docman/view.php	2011-01-10 13:49:19 UTC (rev 11954)
+++ trunk/src/www/docman/view.php	2011-01-10 14:11:08 UTC (rev 11955)
@@ -33,7 +33,6 @@
 require_once $gfcommon.'docman/DocumentFactory.class.php';
 require_once $gfcommon.'docman/DocumentGroupFactory.class.php';
 require_once $gfcommon.'docman/include/utils.php';
-require_once $gfcommon.'docman/include/webdav.php';
 
 $arr=explode('/', getStringFromServer('REQUEST_URI'));
 $group_id=$arr[3];
@@ -117,17 +116,23 @@
 		session_redirect('/docman/?group_id='.$group_id.'&view=admin&warning_msg='.urlencode($warning_msg));
 	}
 } elseif ($docid === 'webdav') {
-	$_SERVER['SCRIPT_NAME'] = '';
-	/* we need the group id for check authentification. */
-	$_SERVER["AUTH_TYPE"] = $group_id;
-	if (!isset($_SERVER['PHP_AUTH_USER'])) {
-		header('WWW-Authenticate: Basic realm="Webdav Access" (For anonymous access : click enter)');
-		header('HTTP/1.0 401 Unauthorized');
-		echo _('Webdav Access Canceled by user');
-		die();
+	if (forge_get_config('use_webdav') && $g->useWebDav()) {
+		require_once $gfcommon.'docman/include/webdav.php';
+		$_SERVER['SCRIPT_NAME'] = '';
+		/* we need the group id for check authentification. */
+		$_SERVER["AUTH_TYPE"] = $group_id;
+		if (!isset($_SERVER['PHP_AUTH_USER'])) {
+			header('WWW-Authenticate: Basic realm="Webdav Access" (For anonymous access : click enter)');
+			header('HTTP/1.0 401 Unauthorized');
+			echo _('Webdav Access Canceled by user');
+			die();
+		}
+		$server = new HTTP_WebDAV_Server_Docman;
+		$server->ServeRequest();
+	} else {
+		$warning_msg = _('No webdav interface enabled.');
+		session_redirect('/docman/?group_id='.$group_id.'&warning_msg='.urlencode($warning_msg));
 	}
-	$server = new HTTP_WebDAV_Server_Docman;
-	$server->ServeRequest();
 } elseif ($docid === 'zip') {
 	session_require_perm('docman', $group_id, 'read');
 	$dirid = $arr[5];
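Review bot: In the new `else` branch, `$group_id` is concatenated into the redirect URL unencoded while `$warning_msg` goes through `urlencode()`. `$group_id` is `$arr[3]` of `REQUEST_URI` (first hunk), so unless it is validated between that assignment and this branch, which is not visible here, it should be encoded or cast: `session_redirect('/docman/?group_id='.urlencode($group_id).'&warning_msg='.urlencode($warning_msg));`. The same request-derived value is still written to `$_SERVER["AUTH_TYPE"]` for webdav.php to use in its authentication check, so a comment stating that it has already been matched against `$g` would help the next reader. The gate calls `$g->useWebDav()` on an object created outside the hunk and therefore assumes `$g` is a valid group object at this point. A WebDAV client that reaches the disabled path receives a redirect to an HTML page rather than an error status, so an explicit 4xx response may be the safer signal there.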



