FIX Allow logged in user with permissions to bypass basic auth #119
f9c63fe to 5224d65
This PR seems to be based on this assertion from the issue:
I'm not convinced that's necessarily the case. There's an explicit username and password. Surely if you don't know those credentials, it means you're not allowed to access the site (even though there is an account set up for you)? Perhaps there should be a configuration property to toggle between allowing any authenticated user vs only those with the basic auth creds?
The env variables only add basic-auth for the dev/check endpoint, not the whole site. This PR is to get things into a state where the existing documentation for authentication is correct.
According to the docs it's supposed to be admin only, and since it's on a
With this PR if I'm not logged in it automatically redirects me to the login screen when I'm not logged in - the basic auth challenge therefore isn't even made so I can't use it to bypass user authentication.
This fix changes the behaviour described in the documentation:
The documentation should be updated if this is the preferred behaviour.
5224d65 to 484e719
Should be fixed now.

Note you'll also need silverstripe/cwp-core#134 if you're using silverstripe/recipe-kitchen-sink and using a "test" environment type.

Also you may need to test using a new private window, as basic auth has a weird way to cache itself in a browser.
That was a bug - the intention of this PR is to make the behaviour follow what is documented.
484e719 to 3f81bb1
d95cb3d to 532cdf4
Have updated, now getting user/pw from $request rather than $_SERVER
Have updated to behave the same way as BasicAuth.php does, i.e. show some text on failure instead of the dev template
This one works for my needs, thanks 👍
532cdf4 to b6aa2a2
Now I'm getting a basic auth prompt when I haven't even set This hints that something about the tests isn't quite right as well most likely. Maybe need to check the response from a
b6aa2a2 to fb905f2
My bad, should be fixed now
LGTM, works as expected locally.
Issue #116