
Turning on Basic Auth credentials prevents authorised users from accessing /dev/check #116

Closed
2 tasks done
sig-peggy opened this issue Jan 14, 2025 · 1 comment

@sig-peggy

sig-peggy commented Jan 14, 2025

Module version(s) affected

3.0.2

Description

The order of logic used in EnvironmentChecker::init() means that if the BasicAuth environment variables are set then that is the only authentication that is checked when accessing /dev/check and therefore admin users who should have access to the page can't view it unless they also know the Basic Auth username/password.

Expected behaviour: Logged in users with sufficient permissions should be able to see the /dev/check page without triggering Basic Auth, regardless of whether the Basic Auth option is turned on or not.

How to reproduce

  1. Install the module
  2. Add the 'ENVCHECK_BASICAUTH_USERNAME' and 'ENVCHECK_BASICAUTH_PASSWORD' environment variables as per documentation
  3. (At this point in time) Add workarounds for other open issues with Basic Auth - Issues when using HTTP BASIC Auth on EnvironmentChecker.php #73 and Using basic auth credentials to access /dev/check still triggers the site login #92
  4. Log in as an admin user via the normal /Security/login system
  5. Go to /dev/check - this will trigger the Basic Auth authentication which only works with the environment variable username/password and not with actual user information.

Possible Solution

Change the order in which the permission checks are happening. Instead of the current order

if (EnvironmentVariables) {
    check BasicAuth
} elseif (!canAccess) {
    throw error
}

check first that the current user does not have access to the page with e.g.

if (!canAccess) {
    if (EnvironmentVariables) {
        check BasicAuth
    } else {
        throw Error
    }
}

Additional Context

No response

Validations

  • Check that there isn't already an issue that reports the same bug
  • Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)

PRs
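
The ordering problem described in this issue, as an added illustration that is not the module's own code: canAccess() is a stand-in for the real EnvironmentChecker permission check, the request is a plain array rather than a SilverStripe request object, and the environment values and credentials are constructed for the demo.

```php
<?php
// Added illustration of the ordering bug in this issue, not the module's code:
// canAccess() stands in for the real permission check, the request is a plain
// array, and the environment values and credentials are constructed.
declare(strict_types=1);

function canAccess(array $req): bool
{
    return $req['isAdmin']; // stand-in for the module's own permission check
}
function basicAuthEnabled(array $env): bool
{
    return isset($env['ENVCHECK_BASICAUTH_USERNAME'], $env['ENVCHECK_BASICAUTH_PASSWORD']);
}
function basicAuthOk(array $req, array $env): bool
{
    return $req['basicUser'] !== null
        && hash_equals($env['ENVCHECK_BASICAUTH_USERNAME'], $req['basicUser'])
        && hash_equals($env['ENVCHECK_BASICAUTH_PASSWORD'], (string) $req['basicPass']);
}
// 3.0.2 order: once the env vars exist, Basic Auth is the only check that runs,
// so a logged-in admin who does not send the shared credentials gets a 401.
function currentOrder(array $req, array $env): int
{
    if (basicAuthEnabled($env)) {
        return basicAuthOk($req, $env) ? 200 : 401;
    } elseif (!canAccess($req)) {
        return 403;
    }
    return 200;
}
// Proposed order: permission first; Basic Auth is only a fallback for callers
// that do not already have access, so the admin is never challenged.
function proposedOrder(array $req, array $env): int
{
    if (!canAccess($req)) {
        if (basicAuthEnabled($env)) {
            return basicAuthOk($req, $env) ? 200 : 401;
        }
        return 403;
    }
    return 200;
}
$env = ['ENVCHECK_BASICAUTH_USERNAME' => 'monitor', 'ENVCHECK_BASICAUTH_PASSWORD' => 'constructed'];
$cases = [
    'admin, no Basic Auth header'    => ['isAdmin' => true,  'basicUser' => null,      'basicPass' => null],
    'anonymous, correct credentials' => ['isAdmin' => false, 'basicUser' => 'monitor', 'basicPass' => 'constructed'],
    'anonymous, no credentials'      => ['isAdmin' => false, 'basicUser' => null,      'basicPass' => null],
];
foreach ($cases as $label => $req) {
    printf("%-32s current=%d proposed=%d\n", $label, currentOrder($req, $env), proposedOrder($req, $env));
}
```

The admin case is the one from the report: the 3.0.2 order answers 401 for a logged-in admin, the proposed order answers 200, and the two anonymous cases behave the same under both orders.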

@GuySartorelli
Member

PRs merged. Will be included in the April minor release.
